NTA 7516 is a data protection standard introduced in May 2019 as a way of protecting all forms of healthcare data in the Netherlands. The legislation impacts any organization which handles personal healthcare data, including healthcare providers, insurers, municipalities, occupational health services - the list goes on.

NTA 7516 clarifies what is necessary with regard to the mailing of personal health information to ensure that a number of GDPR requirements are met. The standard ensures that sensitive data is handled securely by prescribing that organizations must work with a communication service provider who is NTA 7516 compliant. 

Is the NTA 7516 relevant to you?

If you handle personal health information by email, you must use an NTA 7516 compliant email product to ensure data is secured. So, not only healthcare organizations (such as general practitioners, hospitals, surgeries etc) but educational establishments, municipalities, and financial services providers are impacted by NTA 7516, too.

Related data protection laws

• GDPR – Guidance around the safe use of email platforms according to the General Data Protection Regulation (GDPR) is clarified by the NTA 7516 as the legislation establishes specific functionality requirements for the secure handling of data
• WGBO – The NTA 7516 requires professionals who handle healthcare information to  authenticate recipient identities
• WvGGZ – In the The Compulsory Mental Health Care Act (WvGGZ) fact sheet, the VNG explains the impact of the WvGGZ on municipalities; NTA 7516 is explicitly mentioned a number of times as a requirement as a basis for secure exchange of information in the WvGGZ chain

What does NTA 7516 require?

As with all data protection standards, there are three primary elements of the NTA 7516: integrity, availability, and confidentiality.

• Availability: The NTA 7516 requires that an organization’s communications software must be available 99.8% of the time and, in the event of a service outage, the outage must last no longer than 24 hours. If data is lost, the organization must be informed within 24 hours.
• Integrity: Multi factor authentication (2FA/MFA) must be utilized to ensure only the intended recipient accesses data. This also means that the content of a communication must not be amended once it has been sent to the recipient. If the content of the message changes, the sender and receiver must both be informed. In addition, the sender must be stated in every communication (for example, if the message was sent by an authorized representative or secretary). 
• Confidentiality: The communication must only be accessible to the sender and recipient. Access to the messages may only be granted via multi-factor authentication.

In addition to these three pillars, NTA 7516 also places great emphasis on the ease of use of communications software. NTA 7516 compliant platforms must provide a user-friendly experience for both the sender and recipient of sensitive healthcare data. 

It must be clear to the recipient that the software used to share data is NTA 7516 compliant; recipients must also be able to securely engage with communications (i.e. save the information in their preferred location, reply to or forward the information on) without having to create an account with the platform. 

Interoperability and NTA 7516 

Compliant NTA 7516 providers must be interoperable. This means that the receiving party is unaffected if the sending party has made a different choice. For example, just like you don't know whether a caller’s provider is KPN, T-mobile, or Vodafone, an organization’s preferred communications provider will function seamlessly with an alternative provider.

Do you meet the NTA 7516 standard?

Zivver was a driving force behind NTA 7516 and is a compliant provider; Zivver users can operate with confidence knowing their digital communications are protected, and compliance with evolving data protection laws is assured. 

To learn more about compliance and the NTA 7516, as well as how we can support your organization in meeting legislative requirements, download our NTA 7516 checklist.

By Rick Goud, CIO & Founder, Zivver