Consultation of the National Registry and the KSZ/BCSS registries: General overview


National Registry: what?
- Database with identification data
- About individuals registered in:
  - the citizen registry or the foreigners registry of the municipalities
  - the registries of diplomatic missions and consular posts
  - the waiting registry of candidate political refugees
- Managed by the public service of internal affairs
- Contains (amongst others): National Registry number, name, first names, gender, birthplace, birthdate, date of decease, main address

Crossroads bank registries: what?
- Database with identification data
- About individuals who are not registered in the national registry, or whose data is not updated in the national registry, but whose identification data is needed for:
  - social security
  - other legal obligations…
- Managed by the crossroads bank of social security
- Contains (amongst others): National Registry number, name, first names, gender, birthplace, birthdate, date of decease, main address

Relationship between both
- The crossroads bank registries are a supplement to the national registry and are only used if the national registry is unable to provide the needed information
- The databases are synchronized on a regular basis
- Transparent to the user / integrator of the service

Id-number of social security (NISS/INSZ)
- = number of the national registry, if existing
- = number of the crossroads bank of social security, if there is no national registry number

Access (1/2)
- Limited to certain categories of people/institutions, e.g. public and private institutions, for the information they need to perform their tasks of common interest (→ hospitals)
- Requires authorization of a sectoral committee of the Privacy Commission
  - Access to the national registry: sectoral committee of the national registry
    - For hospitals: deliberation nr. 21/2009 of March 25, 2009 (see https://www.ehealth.fgov.be/binaries/website/nl/pdf/beraadslaging_RR_021_2009-1-.pdf)
  - Access to the crossroads bank registries: sectoral committee of social security and health
    - For hospitals: deliberation nr. 09/39 of July 7th 2009 (see https://www.ehealth.fgov.be/binaries/website/nl/pdf/09-039-n063-1--NL.pdf)

Access (2/2)
- General authorization for hospitals
  - Access to limited identification data (id-number, name, first names, gender, birth place, birth date, decease date and main address)
  - Use of the id-number
- Conditions (see next slides)
  - Only for well-defined purposes
  - Limited storage of personal data
  - Limited access to the personal data
  - Via a secured platform
- Obligations (see next slides)
  - Communication of documents to the sectoral committee and the eHealth-platform
  - Appointing an information security consultant
  - Elaboration of an information safety policy
- More information: see the portal site of the eHealth-platform, https://www.ehealth.fgov.be/nl/page_menu/website/home/platform/sources/nationalregister.html

Conditions (1/2)
- Only for specific purposes
  - Storage, verification and update of identification data of patients
  - Unique identification of patients in the medical record
  - Billing
- Storage
  - For the management of the medical record: up to 30 years after the last contact with the patient
  - Hospital services responsible for billing/invoicing: not longer than the invoicing procedure, and not longer than the legal limitation period (= 2 years starting at the end of the month during which the medical acts were delivered)

Conditions (2/2)
- Limitation of access to specific individuals
  - Minimum number of employees
  - Signing a declaration of confidentiality
  - Creation and maintenance of a list of employees that have access for functional reasons
- Via a secured platform
  - the eHealth-platform
  - or any other platform that can provide similar guarantees regarding information safety and is submitted to the control of the sectoral committee of social security and health

Obligations
- Documents to the sectoral committee of social security and health
  - See: https://www.ehealth.fgov.be/binaries/website/nl/doc/Brief-template-NL-Final.doc
- Request to the eHealth-platform
  - Request for use of webservices (see next slides)
  - Obtaining an eHealth-certificate (identification/authentication)
  - Tests
  - https://www.ehealth.fgov.be/binaries/website/nl/pdf/Verzoek-om-toestemming-voor-gebruik.pdf

Information about information safety consultant
- Identity and contact information
- Training and qualifications
- Job description
- Place in the organisation
- Available time for the job
- If applicable, other (compatible) jobs

Information Safety Policy (1/2)
- Use the services of an information safety consultant
- Evaluate risks and security needs for working with personal data
- Maintain a written version of the information safety policy
- Identify the different media and carriers on which personal data is stored, communicated and processed
- Inform employees about their confidentiality and security duties
- Precautions against unauthorized and unnecessary access to personal data
- Precautions against damage that might put the personal data in danger

Information Safety Policy (2/2)
- Precautions for protection of the different networks
- Up-to-date list of individuals having access to personal data and their access level
- Implementation of an access authorization system
- Logging of people having access to the personal data
- Follow-up of the organisational and technical measures
- Availability of emergency procedures in case of safety incidents
- Availability of up-to-date documentation regarding the security precautions

Webservices
- IdentifyPerson
- PhoneticSearch
- ManageInscription
- MutationSender
- PersonHistory

Other needs?
- The national registry and the crossroads bank registries also contain additional data:
  - nationality
  - place of decease
  - profession
  - marital status / legally living together
  - family composition
  - administrative situation of candidate political refugee
  - etc.
- Not accessible today
- Justifiable needs can be investigated

Information safety precautions
- The eHealth-platform will organize discussion with hospitals
- The « consultation-structure » will assist hospitals when creating and implementing information security policies

Consultation of national register and BIS register: Technical part and procedures

Web services
- IdentifyPerson
- phoneticSearch
- manageInscription
- mutationSender
- personHistory

Architecture

Authorisation

WebService IdentifyPerson (request)

For example:

    <?xml version="1.0" encoding="UTF-8"?>
    <ns1:SearchBySSINRequest
        xsi:schemaLocation="urn:be:fgov:ehealth:consultRN:1_0:protocol IdentifyPerson-1-0.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:ns1="urn:be:fgov:ehealth:consultRN:1_0:protocol">
      <Organisation>
        <Id>71099911</Id>
        <Type>NIHII</Type>
        <SubType>HOSPITAL</SubType>
      </Organisation>
      <ApplicationID>xxxxxxxxxxx</ApplicationID>
      <Inscription>
        <SSIN>xxxxxxxxxxx</SSIN>
        <QualityCode>1</QualityCode>
        <Period>
          <BeginDate>2009-04-20</BeginDate>
          <EndDate>2009-06-20</EndDate>
        </Period>
      </Inscription>
    </ns1:SearchBySSINRequest>

WebService IdentifyPerson (reply)

    <?xml version="1.0" encoding="UTF-8"?>
    <ns1:SearchBySSINReply Id="1234567890123"
        xsi:schemaLocation="urn:be:fgov:ehealth:consultRN:1_0:protocol IdentifyPerson-1-0.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:eH="urn:be:fgov:ehealth:commons:1_0:core"
        xmlns:ns1="urn:be:fgov:ehealth:consultRN:1_0:protocol">
      <eH:Status>
        <Code>100</Code>
        <Message>Success</Message>
      </eH:Status>
      <Person>
        <SSIN>00010100000</SSIN>
        <PersonData>
          <Birth>
            <Date>2000-01-01</Date>
            <Localisation>
              <Description Lang="FR">JEMEPPE-SUR-SAMBRE</Description>
              <Municipality>
                <InsCode>92140</InsCode>
              </Municipality>
              <Country>
                <InsCode>150</InsCode>
              </Country>
            </Localisation>
          </Birth>
          <Name>
            <First>PERSONNE</First>
            <Last>TEST</Last>
          </Name>
          <Gender>UNKNOWN</Gender>
          <Address>
            <StandardAddress>
              <Street>
                <Description Lang="NL">TESTSTRAAT</Description>
              </Street>
              <Housenumber>25</Housenumber>
              <Municipality>
                <InsCode>11002</InsCode>
                <PostalCode>2000</PostalCode>
                <Description>ANTWERPEN</Description>
              </Municipality>
              <Country>
                <InsCode>150</InsCode>
                <Description Lang="NL">BELGIË</Description>
              </Country>
            </StandardAddress>
          </Address>
        </PersonData>
      </Person>
    </ns1:SearchBySSINReply>

WebService PhoneticSearch (request)

    <?xml version="1.0" encoding="UTF-8"?>
    <ns1:SearchPhoneticRequest
        xsi:schemaLocation="urn:be:fgov:ehealth:consultRN:1_0:protocol PhoneticSearch-1-0.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:ns1="urn:be:fgov:ehealth:consultRN:1_0:protocol">
      <Organisation>
        <Id>71099911</Id>
        <Type>NIHII</Type>
        <SubType>HOSPITAL</SubType>
      </Organisation>
      <ApplicationID>xxxxxxxxxxx</ApplicationID>
      <PhoneticCriteria>
        <LastName>TEST</LastName>
        <MiddleName>ALBERT</MiddleName>
        <BirthDate>1999-00-00</BirthDate>
        <Gender>MALE</Gender>
        <Tolerance>2</Tolerance>
      </PhoneticCriteria>
    </ns1:SearchPhoneticRequest>

WebService PhoneticSearch (reply)

    <?xml version="1.0" encoding="UTF-8"?>
    <ns1:SearchPhoneticReply Id="1234567890123"
        xsi:schemaLocation="urn:be:fgov:ehealth:consultRN:1_0:protocol PhoneticSearch-1-0.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:eH="urn:be:fgov:ehealth:commons:1_0:core"
        xmlns:ns1="urn:be:fgov:ehealth:consultRN:1_0:protocol">
      <eH:Status>
        <Code>100</Code>
        <Message>Success</Message>
      </eH:Status>
      <Person>
        <SSIN>xxxxxxxxxxx</SSIN>
        <PersonData>
          <Birth>
            <Date>2000-01-01</Date>
            <Localisation>
              <Description Lang="FR">JEMEPPE SUR SAMBRE</Description>
              <Municipality>
                <InsCode>92140</InsCode>
              </Municipality>
              <Country>
                <InsCode>150</InsCode>
              </Country>
            </Localisation>
          </Birth>
          <Name>
            <First>Personne</First>
            <Last>Test</Last>
          </Name>
          <Gender>UNKNOWN</Gender>
          <Address>
            <StandardAddress>
              <Street>
                <Description Lang="NL">TESTSTRAAT</Description>
              </Street>
              <Housenumber>25</Housenumber>
              <Municipality>
                <InsCode>11002</InsCode>
                <PostalCode>2000</PostalCode>
                <Description>ANTWERPEN</Description>
              </Municipality>
              <Country>
                <InsCode>150</InsCode>
                <Description Lang="NL">BELGIË</Description>
              </Country>
            </StandardAddress>
          </Address>
        </PersonData>
      </Person>
      <Person>
        <SSIN>yyyyyyyyyyy</SSIN>
        <PersonData>
          <Birth>
            <Date>2000-01-01</Date>
            <Localisation>
              <Description>AMSTERDAM</Description>
              <InsCode>129</InsCode>
            </Localisation>
          </Birth>
          <Name>
            <First>Prsonne</First>
            <Last>Test</Last>
          </Name>
          <Gender>UNKNOWN</Gender>
          <Address>
            <StandardAddress>
              <Street>
                <Description Lang="NL">TESTSTRAAT</Description>
              </Street>
              <Housenumber>25</Housenumber>
              <Municipality>
                <InsCode>11002</InsCode>
                <PostalCode>2000</PostalCode>
                <Description>ANTWERPEN</Description>
              </Municipality>
              <Country>
                <InsCode>150</InsCode>
                <Description Lang="NL">BELGIË</Description>
              </Country>
            </StandardAddress>
          </Address>
        </PersonData>
      </Person>
    </ns1:SearchPhoneticReply>

WebService ManageInscription
- The webservice 'ManageInscription' allows a hospital to subscribe or unsubscribe to the national register's mutations for a patient
- If there is a mutation for this person, it will be sent
- Where the hospital wants to prolong this period, it adds the new period desired
- If it wants to reduce this period, the hospital removes the excess period

WebService ManageInscription (request)

    <?xml version="1.0" encoding="UTF-8"?>
    <ns1:InsertInscriptionRequest
        xsi:schemaLocation="urn:be:fgov:ehealth:consultRN:1_0:protocol manageInscription-1-0.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:ns1="urn:be:fgov:ehealth:consultRN:1_0:protocol">
      <Organisation>
        <Id>71099911</Id>
        <Type>NIHII</Type>
        <SubType>HOSPITAL</SubType>
      </Organisation>
      <ApplicationID>xxxxxxxxxxx</ApplicationID>
      <Inscription>
        <SSIN>xxxxxxxxxxx</SSIN>
        <QualityCode>1</QualityCode>
        <Period>
          <BeginDate>2009-04-20</BeginDate>
          <EndDate>2009-06-20</EndDate>
        </Period>
      </Inscription>
    </ns1:InsertInscriptionRequest>

WebService ManageInscription (reply)

    <?xml version="1.0" encoding="UTF-8"?>
    <ns1:InsertInscriptionReply Id="1234567890123"
        xsi:schemaLocation="urn:be:fgov:ehealth:consultRN:1_0:protocol manageInscription-1-0.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:ns3="urn:be:fgov:ehealth:commons:1_0:core"
        xmlns:ns1="urn:be:fgov:ehealth:consultRN:1_0:protocol">
      <ns3:Status>
        <Code>80</Code>
        <Message>business error : unknown quality</Message>
      </ns3:Status>
    </ns1:InsertInscriptionReply>
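The sample replies bind the Status namespace to the prefix `eH` in one message and `ns3` in another, and the ManageInscription reply above shows that a reply can carry a business error instead of data. The following client-side check is an added example, not code from the presentation or from eHealth: it looks Status up by namespace URI, refuses anything but code 100 before reading Person data, and masks the SSIN for log output. `parse_reply`, `mask_ssin` and `ReplyError` are illustrative names, and the two sample messages are constructed by trimming the replies on this page.

```python
import xml.etree.ElementTree as ET

NS_CORE = "urn:be:fgov:ehealth:commons:1_0:core"  # namespace of Status in the page's samples
SUCCESS = "100"  # the success code shown in the page's samples

class ReplyError(Exception):
    """The reply is malformed, carries a DTD, or reports a non-success status."""

def mask_ssin(ssin):
    """Mask all but the last two characters so logs do not carry the full identifier."""
    ssin = ssin.strip()
    return "*" * max(len(ssin) - 2, 0) + ssin[-2:]

def parse_reply(xml_bytes):
    """Return {'id': ..., 'persons': [...]} for a success reply, else raise ReplyError."""
    # These messages need no DTD; refusing one blocks entity-expansion payloads.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ReplyError("DTD not allowed")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ReplyError(f"malformed XML: {exc}") from exc
    # Look Status up by namespace URI, never by prefix (eH in one sample, ns3 in another).
    status = root.find(f"{{{NS_CORE}}}Status")
    if status is None:
        raise ReplyError("no Status element")
    code = (status.findtext("Code") or "").strip()
    if code != SUCCESS:
        raise ReplyError(f"status {code}: {(status.findtext('Message') or '').strip()}")
    persons = []
    for p in root.iter("Person"):
        persons.append({
            "ssin_masked": mask_ssin(p.findtext("SSIN") or ""),
            "first": p.findtext("PersonData/Name/First"),
            "last": p.findtext("PersonData/Name/Last"),
            "birth_date": p.findtext("PersonData/Birth/Date"),
        })
    return {"id": root.get("Id"), "persons": persons}

# Constructed samples, trimmed from the replies shown on this page.
OK_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<ns1:SearchBySSINReply Id="1234567890123"
    xmlns:eH="urn:be:fgov:ehealth:commons:1_0:core"
    xmlns:ns1="urn:be:fgov:ehealth:consultRN:1_0:protocol">
  <eH:Status><Code>100</Code><Message>Success</Message></eH:Status>
  <Person>
    <SSIN>00010100000</SSIN>
    <PersonData>
      <Birth><Date>2000-01-01</Date></Birth>
      <Name><First>PERSONNE</First><Last>TEST</Last></Name>
    </PersonData>
  </Person>
</ns1:SearchBySSINReply>"""

ERROR_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<ns1:InsertInscriptionReply Id="1234567890123"
    xmlns:ns3="urn:be:fgov:ehealth:commons:1_0:core"
    xmlns:ns1="urn:be:fgov:ehealth:consultRN:1_0:protocol">
  <ns3:Status><Code>80</Code><Message>business error : unknown quality</Message></ns3:Status>
</ns1:InsertInscriptionReply>"""

if __name__ == "__main__":
    print(parse_reply(OK_REPLY))
    try:
        parse_reply(ERROR_REPLY)
    except ReplyError as exc:
        print("rejected:", exc)
```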

WebService MutationSender
- Every day
- The file is available for 45 days
- eHealth always searches for the last file

WebService MutationSender (reply)

    <?xml version="1.0" encoding="UTF-8"?>
    <ns0:MutationReply xmlns:ns0="urn:be:fgov:ehealth:consultRN:1_0:protocol">
      <Header>
        <ApplicationID>xxxxxxxxxxx</ApplicationID>
        <Date>2009-01-01</Date>
        <SequenceNumber>1</SequenceNumber>
        <Environement>A</Environement>
      </Header>
      <ns0:MutationList>
        <ns0:Mutation>
          <MutationInformation>
            <Author>RR_RN</Author>
            <Type>12131200</Type>
            <Description Lang="EN">Ssin is modified</Description>
          </MutationInformation>
          <Person>
            <SSIN>00010100000</SSIN>
            <PersonData>
              <Birth>
                <Date>2000-01-01</Date>
                <Localisation>
                  <Description Lang="FR">JEMEPPE-SUR-SAMBRE</Description>
                  <Municipality>
                    <InsCode>92140</InsCode>
                  </Municipality>
                  <Country>
                    <InsCode>150</InsCode>
                  </Country>
                </Localisation>
              </Birth>
              <Name>
                <First>PERSONNE</First>
                <Last>TEST</Last>
              </Name>
              <Gender>UNKNOWN</Gender>
              <Address>
                <StandardAddress>
                  <Street>
                    <Description Lang="NL">TESTSTRAAT</Description>
                  </Street>
                  <Housenumber>25</Housenumber>
                  <Municipality>
                    <InsCode>11002</InsCode>
                    <PostalCode>2000</PostalCode>
                    <Description>ANTWERPEN</Description>
                  </Municipality>
                  <Country>
                    <InsCode>150</InsCode>
                    <Description Lang="NL">BELGIË</Description>
                  </Country>
                </StandardAddress>
              </Address>
            </PersonData>
          </Person>
        </ns0:Mutation>
      </ns0:MutationList>
    </ns0:MutationReply>

WebService PersonHistory
- 8 methods: getAddressHistory, …
- You can only see the data:
  - Up to 30 years (in case of management of the medical record)
  - Up to 2 years (in case of bill management)

getAddressHistory (request)

    <?xml version="1.0" encoding="UTF-8"?>
    <ns1:PersonHistoryRequest
        xsi:schemaLocation="urn:be:fgov:ehealth:consultRN:1_0:protocol PersonHistory-1-0.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:ns1="urn:be:fgov:ehealth:consultRN:1_0:protocol">
      <Organisation>
        <Id>71014391</Id>
        <Type>NIHII</Type>
        <SubType>HOSPITAL</SubType>
      </Organisation>
      <ApplicationID>xxxxxxxxxxx</ApplicationID>
      <SSIN>xxxxxxxxxxx</SSIN>
    </ns1:PersonHistoryRequest>

getAddressHistory (reply)

    <?xml version="1.0" encoding="UTF-8"?>
    <ns1:PersonHistoryAddressReply Id="1234567890123"
        xsi:schemaLocation="urn:be:fgov:ehealth:consultRN:1_0:protocol PersonHistory-1-0.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:eH="urn:be:fgov:ehealth:commons:1_0:core"
        xmlns:ns1="urn:be:fgov:ehealth:consultRN:1_0:protocol">
      <eH:Status>
        <Code>100</Code>
        <Message>Success</Message>
      </eH:Status>
      <SSIN>xxxxxxxxxxx</SSIN>
      <AddressHistory>
        <Source>RR-RN</Source>
        <ModificationDate>2009-01-01</ModificationDate>
        <EffectuationDate>2009-01-01</EffectuationDate>
        <Address>
          <StandardAddress>
            <Street>
              <Description Lang="NL">TESTSTRAAT</Description>
            </Street>
            <Housenumber>25</Housenumber>
            <Municipality>
              <InsCode>11002</InsCode>
              <PostalCode>2000</PostalCode>
              <Description>ANTWERPEN</Description>
            </Municipality>
            <Country>
              <InsCode>150</InsCode>
              <Description Lang="NL">BELGIË</Description>
            </Country>
          </StandardAddress>
        </Address>
      </AddressHistory>
    </ns1:PersonHistoryAddressReply>

Security
- SSL one way
- eHealth-certificate
- TTL: 1 minute
- Body + token + timestamp are signed
- No encryption of the message
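A receiver-side sketch of what a one-minute TTL on a signed timestamp provides, added here and not taken from the presentation or from eHealth. HMAC-SHA256 with a shared key stands in for the eHealth-certificate signature so the example runs with the standard library; the field encoding, the clock-skew tolerance, the function names and the demo values are all assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

TTL = timedelta(minutes=1)         # "TTL: 1 minute" on the slide
CLOCK_SKEW = timedelta(seconds=5)  # assumption: tolerated clock drift

def _signed_bytes(body, token, timestamp):
    # Length-prefix each field so body/token/timestamp cannot be re-split after signing.
    parts = (body, token, timestamp.encode("utf-8"))
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def sign(key, body, token, timestamp):
    """Stand-in for the certificate signature: HMAC-SHA256 over body + token + timestamp."""
    return hmac.new(key, _signed_bytes(body, token, timestamp), hashlib.sha256).hexdigest()

def accept(key, body, token, timestamp, signature, now):
    """Receiver-side check; returns (accepted, reason)."""
    # Verify first: the timestamp is only trustworthy once the signature over it holds.
    if not hmac.compare_digest(sign(key, body, token, timestamp), signature):
        return False, "bad signature"
    issued = datetime.fromisoformat(timestamp)
    if issued.tzinfo is None:
        return False, "timestamp without timezone"
    if issued - now > CLOCK_SKEW:
        return False, "timestamp in the future"
    if now - issued > TTL:
        return False, "expired"
    return True, "ok"

def demo():
    """One constructed message checked four ways; returns the four reasons."""
    key, body, token = b"constructed-demo-key", b"<SSIN>xxxxxxxxxxx</SSIN>", b"constructed-token"
    t0 = datetime(2009, 4, 20, 10, 0, 0, tzinfo=timezone.utc)
    ts = t0.isoformat()
    sig = sign(key, body, token, ts)
    later = t0 + timedelta(minutes=5)
    return [
        accept(key, body, token, ts, sig, t0 + timedelta(seconds=30))[1],  # inside the window
        accept(key, body, token, ts, sig, t0 + timedelta(seconds=61))[1],  # presented too late
        accept(key, body + b" ", token, ts, sig, t0)[1],                   # body altered
        accept(key, body, token, later.isoformat(), sig, later)[1],        # timestamp rewritten
    ]

if __name__ == "__main__":
    print(demo())
```

The check bounds reuse of a signed message to the TTL window rather than eliminating it. Because the message itself is not encrypted, confidentiality of the identification data rests on the SSL channel.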

In practice
You should do the following steps:
- eHealth provides a commitment signed at Sectoral Committee on Social Security and Health
- Ask permission to use the eHealth webservices
- More info: eHealth web site
eHealth provides:
- Test environment (dummy data – no authorisation is needed)
- Acceptation environment
- Production environment
Test (in test and acceptation):
- Duration: minimum 1 month
- A test report

Contact
- Contact Service PPKB: Request@ehealth.fgov.be
- Contact Technique RN Consult: ehealthrnconsult@smals.be

eHealth-Certificates: specifications
- x509v3 certificate
- Issued by GovernmentCA (fedict)
- Current Subject specifications:
  - CN = Logical name of the certificate
  - O = Official name of the organization
  - OU = Type of identification no., e.g. CBE / NIHII / …
  - SerialNumber = Identification no. of the organization

eHealth-Certificates: procedure (1/2)
- The Certificate responsible of the organization creates a Certificate Signing Request (CSR)
- The legal representative of the organization fills in the proxy form
- The representative sends the proxy form to Smals:
  - Regular mail: Smals - Rue du Prince Royal 102 - 1050 Bruxelles
  - Email: accesscoordination@smals.be, subject: eHealth – identification certificate proxy
  - Fax: 02/511.12.42 (Barbara Meyers / Sara Vander Meeren)

eHealth-Certificates: procedure (2/2)
- The Certificate responsible sends an email with the generated CSR as attachment
  - Subject: eHealth – identification certificate CSR
  - To: accesscoordination@smals.be
- In reply to this email, the Certificate responsible obtains the public key of the certificate

Thank you for your attention! Questions?