Privacy Policy
This is HelsaMi's privacy policy.
Updated 03/04/2024
1. About this privacy policy and accountability
This is the privacy policy for HelsaMi. Last updated 25/04/2023.
This privacy policy describes the processing of personal data when you use HelsaMi. The processing takes place in accordance with the national statutory requirements for processing of personal data.
The data controller is the entity / entities that have the primary responsibilities and obligations under the Personal Data Act and the special legislation that applies to the health service providers. Helseplattformen AS and the health service providers that use Helseplattformen are independent data controllers that cooperate in complying with the privacy obligations related to Helseplattformen. The responsibilities for compliance with the privacy obligations are divided between Helseplattformen AS and the health service providers in an administrative decision concerning Helseplattformen and data responsibility, adopted by the Ministry of Health and Care Services on the basis of the Patient Records Act § 9 (2) ("the administrative decision"), see also section 4 below.
If you have questions about this privacy statement, you can contact Helseplattformen AS' Data Protection Officer at personvernombud@helseplattformen.no.
For more information about the processing of personal information in Helseplattformen as a patient journal, go to Helseplattformen sikkerhet og personvern
2. Personal data
Personal data is information that can be related to an identified or identifiable individual. Processing of personal data is any use of personal data, such as the collection, recording, compilation, storage and disclosure, or a combination of such forms of use. As a main rule all processing of personal data is subject to the Personal Data Act, which is supervised by the Norwegian Data Protection Authority.
3. Purpose of processing
The purpose of the processing of personal data in HelsaMi is to facilitate digital and functional interaction between patients/users and establishments in the health care sector. This includes:
- Digital communication, including video consultation, messaging features, and appointment bookings
- Digital mailbox for receiving information from the health care sector
- Overview and access to information that has been recorded and made available to you and others
- Registration of tasks related to health care
- Performing troubleshooting, support, and correction of information in HelsaMi
In addition, the purpose of the services in HelsaMi is to provide a secure place where you can store your own notes about your health that no health personnel can access.
4. Legal basis for processing
The legal basis for the processing of your personal data in HelsaMi is GDPR Article 6 No. 1 c) and Article 9 No. 2 h) and i) with supplementary legal basis in the health legislation, including the Patient Records Act §§ 6, 8, 22 and 23, the Patient Record Regulations §§ 4-8, the Health Personnel Act § 26 and the administrative decision.
The administrative decision constitutes the legal basis for Helseplattformen AS's processing of personal data to facilitate the provision of health services concluded by the health service providers. This facilitation includes, i.a., creation and management of your HelsaMi user.
Consent is not a legal basis for the processing of personal data in HelsaMi, but you must consent to the Terms of Use under "Terms and conditions" (Helseplattformen - Terms and conditions) to use the service. For the use of biometric characteristics to log in to HelsaMi, you can choose to let the application interact with the biometric function in your device for the purpose of verifying that you have the right to log in to HelsaMi. We do not store your biometric data if you choose to enable this feature on your device.
5. Categories of processed personal data
When using HelsaMi, Helseplattformen may process the following information in HelsaMi based on the administrative decision:
- Basic information about you, including your name, gender, age, national identification number, and contact information
- Setting options that control the use of the services at HelsaMi
- Photo on your profile. You can select an existing photo on your device or take a photo in HelsaMi
- Technical information about your device and internet connection
- Powers of attorney you have granted or received
- Login information
- Your vaccines
- Your test results
- Your referrals
- Your allergies
- Your letters from the health establishments
- Your health contacts
- Your personal notes
- Upcoming and previous appointments
- Temporary logging of technical information and your name during video consultations
- Other health information in your patient record that is made available to you
- Incomplete applications for municipal health care services
- Other documents or attachments you upload as part of your communication with the health care sector in HelsaMi
- Questionnaires
- Relatives
If you choose to include a photo or video in a message in HelsaMi, you can choose an existing photo or video on your device or take a new photo or video using the camera app on your device. If you use the camera app on your device to take a new photo or video, it is saved in the camera app. Any photo or video stored in your camera app remains available in the camera app until you choose to delete it.
Through HelsaMi, you can choose to participate in video consultations with your doctor. HelsaMi will ask for your permission to access the device's video and audio functionality in order to carry out such consultations. We do not record or store video or audio data from such consultations.
If you choose to call a phone number displayed in HelsaMi, HelsaMi will ask for your permission to access your device's phone system to call the phone number. We do not store your call history or data about the call.
If you choose to activate automatic appointment arrival in HelsaMi, we temporarily store identifiers and times for your upcoming appointments in private storage areas in the application. This is necessary so that we can know when you arrive at an agreed time. If you choose to stop using HelsaMi, or you disable automatic appointment arrival, the identifiers are deleted.
In HelsaMi, you can also choose to let the application interact with Bluetooth on your device for the purpose of letting the reception staff know when you arrive at an agreed time. We do not store your Bluetooth data if you choose to activate this function.
6. Storage time and deletion of user account
You may in some cases correct and delete the information you have uploaded to HelsaMi. If such correction and deletion is not possible in HelsaMi, you can contact us for correction and deletion as mentioned in section 8. Backups are stored at Helseplattformen for up to 14 days. The backups are only used to restore the service in case of deletion by error.
When deactivating a user profile, the personal data related to your user profile will be unavailable.
Profile photos you have uploaded to HelsaMi that already exist on your device are stored as a copy in your app-private storage on your device. This is an area on your device where files related to your use of programs/applications are stored. Files in the app-private storage assigned to your use of HelsaMi cannot be accessed by other programs/applications. If a new photo was taken with the camera app on your device, the photo you took is first saved in your camera app and then also saved to app-private storage on your device. If you remove the photo from your profile or delete HelsaMi, the copy of the photo is deleted from the app-private storage. The photo saved in your camera app remains available in your camera app.
Documents you choose to view in HelsaMi will be stored as a copy in app-private storage. The temporary copies are deleted when you close your session on HelsaMi.
Information that must be recorded in patient records will be recorded and stored in accordance with Norwegian health legislation. Your personal data stored in patient records will be stored until it is presumed that it is no longer of use for healthcare, pursuant to section 25 of the Patient Records Act. The information is then preserved in accordance with the Archives Act or other legislation.
When the death of a user is recorded in the medical records system, the deceased's consent to the services will be deemed as withdrawn and the account will no longer be accessible. Any other person authorized to use it will also lose access to the account.
7. Access to personal data in HelsaMi
Only you have access to the personal notes that you have chosen to register at HelsaMi. You can grant access to next of kin or other private individuals by giving them authorization as described in the Terms and conditions.
Authorized technical personnel, who do regular operational work on the technical solution, will generally not have access to your personal data. In certain situations, in connection with error correction or operational disruptions, dedicated operational personnel may have access to your personal data. Such access will only take place within very strict security routines and the operating personnel are required to keep a separate log of when and why such access has taken place. Data processor agreements have been entered into with all relevant subcontractors and all personnel must sign a declaration of confidentiality to be authorized.
HelsaMi is structured according to current industry standards for information security in the healthcare sector (the "Norm"), which, among other things, sets strict requirements for access control and secure login. Routines and measures have been established at various levels to ensure that unauthorized persons do not gain access to your personal data, and that all processing of the data otherwise takes place in accordance with applicable law. All information about you will be stored on secured storage devices.
8. Your rights
The privacy regulations and health legislation give you several rights that you can exercise in various ways, including:
- To request that the personal data registered about you is corrected or deleted
- To request access to the personal data registered about you
- To request that access to your patient record is restricted to specific health care professionals or personnel
- To lodge a complaint with the Norwegian Data Protection Authority
If you have an account on HelsaMi, you can exercise these rights by using the chat function there. You also have functionality in HelsaMi that allows you to correct or delete certain information yourself. You can also contact Helseplattformen AS during our opening hours on telephone number 72 88 37 97 or contact the health service provider that provides services to you.
9. Exchange of information and use of subcontractors
HelsaMi may interact with your sensitive data to provide certain features, such as video visits or mobile appointment check-in. The first time you try to use any of these features, we will ask for your consent within the app and will only allow you to use a feature if you give consent. You do not have to provide consent if you do not want to allow HelsaMi to interact with your data as requested. HelsaMi is developed by Epic Systems Corporation; please refer to Epic’s Mobile Application Privacy Policy for Patients for more detailed information about the limited ways they may interact with your information to make your use of HelsaMi possible.
HelsaMi may offer location-based check-in for in-person appointments or allow you to find healthcare providers near you. The first time you try to use any features that use your location, we will ask for your consent within the app and will only access your location if you give consent. You do not have to provide consent if you do not want to allow HelsaMi to use your location. We do not store your location data.
Helseplattformen exchanges information with Helsenorge.no. This is done to integrate the two portals for certain functionalities. Currently, this integration applies to an overview of appointments and letter exchanges.
As part of the functionality in HelsaMi, you will be able to communicate with public entities. Personal information in HelsaMi may be shared with these entities to the extent necessary to provide health care to you, or if such disclosure is required by law. Helseplattformen also collects basic information about you from national and public registers that are made available to you in HelsaMi.
HelsaMi uses ID-porten as a secure log in and identity provider.
HelsaMi is a service provided by Epic Systems Inc. Epic will only process personal data in HelsaMi if it is necessary to provide technical support and error correction.
As part of Helseplattformen as a service, there is limited integration between HelsaMi and other programs in Helseplattformen. In connection with this, basic information about you may be transferred to these programs, including e.g. video service provided by Norsk Helsenett through Pexip, which is used to conduct video consultations that can be initiated through an invitation in HelsaMi, by text message, or e-mail. The personal data is stored in the video service in short intervals and is only used in connection with support and error correction.
HelsaMi may receive information from third-party applications, including health applications and sports applications on mobile. The relationship between you as a user and supplier of third-party applications will be regulated solely based on your consent to the terms of use and based on the privacy statement of these suppliers. No information is provided by HelsaMi for such third-party applications. Providers of such applications are not affiliated with Helseplattformen or HelsaMi, and neither Helseplattformen nor HelsaMi is responsible for the processing of personal data that takes place using such third-party applications.
10. HealthKit and Google Fit
If you choose to use HealthKit and Google Fit, HelsaMi can receive health information from these applications on mobile so that it can be shared with healthcare professionals. No information is provided by HelsaMi to HealthKit and Google Fit, or other software activated by HealthKit or Google Fit.
Providers of such applications are not affiliated with Helseplattformen or HelsaMi, and neither Helseplattformen nor HelsaMi is responsible for the processing of personal data that takes place in such third-party applications separately. The relationship between you as a user and supplier of third-party applications will be regulated solely based on your consent to the terms of use and privacy statements of these suppliers.
11. Transfer of personal data out of the EEA
All your personal information is stored and processed within the EEA. In extremely rare cases, support staff from Epic may, through remote access, gain temporary access to personal data from countries outside the EEA to provide technical support and error correction. Such remote access is regulated by a transfer agreement (EU Standard Contractual Clauses), and sufficient guarantees have been established in line with the requirements of the GDPR. This ensures that the information is given the same protection as if it were handled by personnel in Norway.
12. Research projects
In HelsaMi, you as a user can choose whether you want to be contacted or not about participating in research projects. Helseplattformen's computer system searches patients' medical records to see if residents meet established criteria for participating in research studies. If the resident has chosen to set his or her preference to "do not contact", he or she will not be contacted to participate in research projects. If the resident does not choose a preference, he or she may be contacted. Your preference in HelsaMi is not a consent to participate in research projects.
For more information on the use of citizens' personal data for research, see Helseplattformen Generell personvernerklæring
13. Cookies
HelsaMi uses only necessary cookies that provide basic functionality in the services, such as page navigation and user authentication. The services cannot function optimally without these cookies. For an overview of our necessary cookies, see Sikkerhet og personvern Helseplattformen
14. For Android Users – Required Google Play Disclosures for Certain Health Apps
HelsaMi is subject to Google’s COVID-19 apps requirements. As a result, we are required to provide the following information so we can make our mobile apps available in the Play store.
- HelsaMi has access to, collects, uses and shares information as described in section 5 and otherwise in this privacy policy. Relevant parts of this information may be processed for purposes associated with COVID-19. Technical information and other irrelevant information, including information about using a microphone for navigation in the app or using a camera roll to add a profile picture to HelsaMi, will not be processed in relation to COVID-19 information.
- HelsaMi has not been developed specifically for use related to COVID-19. In HelsaMi you will have access to COVID-19 vaccination information, test results, and documents with information related to diseases. You can use this information as you choose, in the same way as other available information in HelsaMi.
- Through HelsaMi you can participate in video consultations with health professionals in relevant healthcare organizations. Helseplattformen AS facilitates the implementation of such consultations. No personal information about COVID-19 will be stored in the technical solution for video consultation, but the health professionals will be able to document relevant information in your patient record.
- HelsaMi is not an infection tracing app. In HelsaMi there is no tracing of COVID-19 cases.
15. Changes
We will be able to make minor changes to this privacy policy. You will always find the latest version on helseplattformen.no. In the event of significant changes, we will notify you of this.