NTA 7516 – the essential guide for healthcare providers, government and insurers
Wondering how the NTA 7516 impacts your organization? Read on to find out what you need to know to ensure compliance with NTA 7516 and related data protection laws.
In September 2018, the NEN was commissioned by the Dutch Ministry of Health, Welfare and Sport and the Healthcare Information Council to develop the NTA 7516. The Dutch Data Protection Authority (AP) found that the majority of data leaks occur in relation to the exchange of personal, often healthcare related, information. Although a great deal of these data leaks were related to human error, such as misdirected email, it also became clear that many organizations still used ‘regular’ email to share personal health related information. However, regular email lacks the encryption and authentication controls that are required under GDPR (General Data Protection Regulation) and other relevant laws and standards.
There was also a need for clarity concerning how digital communication channels, such as email, could be used to securely exchange sensitive information between separate solutions from different suppliers, known as interoperability.
The NTA 7516 was designed to address the above issues. The NTA 7516 standard currently applies in the Netherlands only. However, it is expected that this or similar more stringent standards will be rolled out further within the European Union (EU).
The NTA 7516 is the standard for secure ad hoc communication of health information. The standard was created by the NEN, on behalf of the Ministry of Health, Welfare and Sport, the Healthcare Information Council and municipalities.
Ad hoc communication includes email, chat, portals, messengers, and so on. In other words, all forms of communication that take place between people.
The standard describes over 25 requirements concerning availability, integrity, confidentiality, user-friendliness, interoperability, policy and logging, which organizations and the solutions they use must meet in order to be compliant.
Quick read | What your organization needs to know about the NTA 7516 in brief
The NEN recently made the decision to withdraw the current NTA 7516 certification for all suppliers - here’s why this change has been made and what it means for your organization.
In many cases, it has become apparent that certificates have been issued to suppliers on the basis of incorrect and incomplete testing, partly due to a lack of clarity in the criteria. Therefore, the certificate did not ensure that an organization was indeed compliant with the standard. As such, supplier certification has been withdrawn.
The intended purpose of withdrawing the certifications is to remove ambiguity, effectively requiring organizations to investigate whether and to what extent a supplier can support compliance with the NTA 7516.
The situation regarding incorrect certifications was brought to the attention of the NEN by Zivver. The Ministry of Health, Welfare and Sport, the NEN and certifiers have tried to reach an agreement with suppliers regarding testing. Unfortunately, this was not possible and the NEN made the decision to withdraw the NTA 7516 certification in its entirety.
It is important to note that the NTA 7516 remains in full force and effect. All organizations that email personal healthcare related information (e.g. healthcare institutions, municipalities, insurance companies, etc.) must continue to comply with the NTA 7516.
The withdrawal of the certification for suppliers places greater responsibility on organizations to conduct their own investigations into whether suppliers can support compliance with the standard.
For Zivver customers, the change has no impact. Zivver provides all the technical functionality required to comply with the NTA 7516.
For organizations using alternative suppliers for secure emailing, it is important to confirm to what extent the platform supports compliance with NTA 7516. Due to incorrectly granted certifications, many organizations have been under the false impression that their supplier supports compliance.
It is expected that the NEN will work towards a new certification scheme in the future, providing a more transparent and reliable framework for organizations. There is currently no estimated schedule for the delivery of this scheme.
False certifications awarded to suppliers led many organizations to continue communicating healthcare related information under the false belief that they were compliant with the NTA 7516. At Zivver, we welcome the withdrawal of supplier certifications as a much needed improvement in ensuring compliance.
We’re on hand to answer any questions you might have about your organization’s compliance responsibilities. Get in touch at customersuccess@zivver.com (Zivver customers only) or sales@zivver.com.
Download our checklist and take the next steps towards NTA 7516 compliance
The NTA 7516 applies to all organizations which use ad hoc communication processes and platforms to share health information; for example, emailing appointment confirmations or examination results to patients, chatting with colleagues, or sharing medical data via email for insurance purposes.
This means that the NTA 7516 applies not only to hospitals, mental health institutions, elderly care organizations, general practitioners and other organizations or professionals directly involved in the delivery of healthcare services, but to any organization which handles sensitive healthcare related data, such as the Public Prosecution Service (OM), legal firms, or insurers.
Compliance with the NTA 7516 requires the organization to use NTA 7516 compliant solutions. This means that suppliers of communications solutions which wish to be compliant must meet NTA 7516 requirements.
While the NTA 7516 is currently a Dutch standard, the NEN has shared their intention to make it a European CEN standard. The Netherlands is the first country to have drawn up such a standard for secure ad hoc communication. These types of standards are often adopted centrally or decentrally by other CEN member countries, including all 28 European member states.
Compliant NTA 7516 providers must be interoperable. This means that neither the sending nor the receiving party is affected if each party is using a different solution for their digital communications.
For example, just as you can call someone without knowing whether their provider is KPN, EE, or Vodafone, an organization’s preferred communications provider will function seamlessly with an alternative provider.
User-friendliness plays a central role in the NTA 7516 and carries the most requirements. Security and user-friendliness go hand in hand; if a security solution isn’t user-friendly, people won't use it and will instead choose an alternative method of communication, putting data at risk.
The standard outlines requirements for things such as securely replying to messages, secure message forwarding, security as standard (security by default), not having to create an account or install separate software, and the ability to download messages for your own use/archive. In short, secure communication should be easy to manage.
Ready for a deeper dive? So are we.
Does your organization communicate personal health information via email, chat, messaging or a portal to other organizations or patients/clients/insured persons/customers/citizens? If the answer is yes, then your organization must comply with the NTA 7516!
Yes - your solution must be NTA 7516 compliant. The solutions used by stakeholders with whom you share sensitive healthcare data must also be NTA 7516 certified.
Interoperability, also referred to as multi-channel communication, is a requirement in the NTA 7516. It requires that manufacturers ensure their product can 'talk' to other products. This means that the provider of the solution is inconsequential: two organizations may use different systems, and each party can receive secure messages in its own NTA 7516-compliant application of choice.
Interoperability requires that products can speak 'the same language'. The Ministry of Health, Welfare and Sport, in collaboration with the suppliers involved, has drawn up a ‘Technical Handbook’ in which this coupling language is described. Suppliers must adapt their products to the requirements in this technical guide, or they cannot be NTA 7516 certified.
Our NTA 7516 checklist describes the steps you need to take towards NTA 7516 compliance.
To comply with the NTA 7516, you must meet all requirements in the standard regarding availability, integrity, confidentiality, user-friendliness, interoperability, policy and logging. At the moment, the Ministry of Health, Welfare and Sport (VWS) and umbrella organizations are working on checklists and guidelines to help organizations with this.
The standard NTA 7516 still remains in force, meaning any organizations communicating healthcare related information by email or chat must comply. The recent change to the standard places greater importance on the organization to ensure their suppliers can support compliance.
The NTA 7516 applies to any organization that exchanges personal health information through 'ad-hoc' channels, such as email and portals. This could be healthcare providers, insurers, municipalities, occupational health services etc.
In addition, since February 2022, the standard has also been used by the judiciary as a condition for safe emailing.
No, as an organization you cannot yet be certified on the NTA 7516, but you can indicate this by means of a self-declaration. Naturally, it is a condition that the organization meets all requirements set by the NTA 7516.
If you are not yet NTA 7516 compliant, it is very important that you work to ensure compliance immediately. The obligation to do so remains in full force and effect and the benefits of interoperability (as outlined in the standard) are considerable.
The NTA 7516 is seen by the Dutch Data Protection Authority and the Healthcare and Youth Inspectorate (IGJ) as an important testing framework for the use of email and chat applications for ad hoc communication of personal healthcare related information. In practice, if your organization does not comply with the NTA 7516, you cannot send personal healthcare related information via email and chat.
The recent withdrawal of supplier certifications serves to support organizations in ensuring they are fully compliant with the NTA 7516; it largely removes ambiguity that has arisen as a result of falsely awarded supplier certifications.
The NTA 7516 remains in effect and organizations must work to understand the functionality a supplier provides to ensure secure mailing. Zivver can help your organization with this.
The NEN and certifiers note that certificates have been issued to suppliers on the basis of incorrect and incomplete testing. As a result, these certificates are not guaranteed to provide the intended certainty and clarity of compliance with the NTA 7516.
Zivver brought this situation to the attention of the NEN approximately two years ago. The Ministry of Health, Welfare and Sport, the NEN and certifiers have since tried to reach agreements on better testing with suppliers. Unfortunately, this was unfeasible.
By revoking supplier certificates, organizations are obliged to re-examine whether their ad hoc communication suppliers do indeed support compliance with the NTA 7516. In the future, the NEN will work towards a new scheme with more clarity in order to create a level playing field between all parties.
Yes, the withdrawal of the NTA 7516 certification applies to all suppliers.
No, for Zivver customers, the recent change has no impact. You can still securely email interoperably with other NTA 7516-compliant partners, and operate with confidence that your ad-hoc communication channels meet the highest level of security.
This depends on the supplier. We advise you to do your own research to assess whether the chosen supplier complies with all points of the NTA 7516. Our NTA 7516 checklist can help you with this.
Yes, if an organization complies with NTA 7516, interoperability may still be used.
To achieve compliance, organizations must meet all technical and policy requirements of the NTA 7516. In total, the NTA 7516 consists of 24 technical requirements and five policy requirements. To check whether your organization is compliant, download our NTA 7516 checklist.
When seeking a solution for secure emailing, it is important to understand which points of the NTA 7516 a supplier can implement and how the solution achieves this. To check whether your organization is compliant, download our NTA 7516 checklist or get in touch to learn how Zivver can support your organization in meeting compliance at sales@zivver.com.
Yes, anyone can contact the NEN to request further information. The NEN website provides clarity around the standard, as well as contact details.
A timeframe for the development of a new certification is currently unavailable.