The data controller is the entity / entities that have the primary responsibilities and obligations under the Personal Data Act and the special legislation that applies to the health service providers. Helseplattformen AS and the health service providers that use Helseplattformen are independent data controllers that cooperate in complying with the privacy obligations related to Helseplattformen. The responsibilities for compliance with the privacy obligations are divided between Helseplattformen AS and the health service providers in an administrative decision concerning Helseplattformen and data responsibility, adopted by the Ministry of Health and Care Services on the basis of the Patient Records Act § 9 (2) ("the administrative decision"), see also section 4 below.
2 Personal data
Personal data is information that can be related to an identified or identifiable individual. Processing of personal data is any use of personal data, such as the collection, recording, compilation, storage and disclosure, or a combination of such forms of use. As a main rule all processing of personal data is subject to the Personal Data Act, which is supervised by the Norwegian Data Protection Authority.
3 Purpose of processing
The purpose of the processing of personal data in HelsaMi is to facilitate digital and functional interaction between patients/users and establishments in the health care sector. This includes:
• Digital communication, including video consultation, messaging features, and appointment bookings
• Digital mailbox for receiving information from the health care sector
• Overview and access to information that has been recorded and made available to you and others
• Registration of tasks related to health care
• Performing troubleshooting, support, and correction of information in HelsaMi
In addition, the purpose of the services in HelsaMi is to provide a secure place where you can store your own notes about your health that no health personnel can access.
4 Legal basis for processing
The legal basis for the processing of your personal data in HelsaMi is GDPR Article 6 No. 1 c) and Article 9 No. 2 h) and i) with supplementary legal basis in the health legislation, including the Patient Records Act §§ 6 and 8, the Patient Record Regulations §§ 4- 8, the Health Personnel Act §26 and the administrative decision.
The administrative decision constitutes the legal basis for Helseplattformen AS's processing of personal data to facilitate the provision of health services concluded by the health service providers. This facilitation includes i, a. creation and management of your HelsaMi user.
5 Categories of personal data processed
When using HelsaMi, Helseplattformen may process the following information based on the administrative decision:
• Basic information about you, including your name, gender, age, national identification number, and contact information
• Setting options that control the use of the services at HelsaMi
• Photo on your profile. You can select an existing photo on you device or take a photo in HelsaMi
• Technical information about your device and internet connection
• Powers of attorney you have granted or received
• Login information
• Your vaccines
• Your test results
• Your referrals
• Your allergies
• Your letters from the health establishments
• Your health contacts
• Your personal notes
• Upcoming and previous appointments
• Temporary logging of technical information and your name during video consultations
• Other health information in your patient record that are made available to you
• Incomplete applications for municipal health care services
• Other documents or attachments you upload as part of your communication with the health care sector in HelsaMi
6 Storage time and deletion of user account
You may in some cases correct and delete the information you have uploaded to HelsaMi. If such correction and deletion is not possible in HelsaMi, you can contact us for correction and deletion as mentioned in section 8. Backups are stored at Helseplattformen for up to 14 days. The backups are only used to restore the service in case deletion by error.
When deactivating a user profile, the personal data related to your user profile will be unavailable.
Profile photos you have uploaded to HelsaMi that already exists on your device, are stored as a copy in your app-private storage on your device. This is an area on your device where files related to your use of programs/applications are stored. Files in the app-private storage assigned to your use of HelsaMi can not be accessed by other programs/applications. If a new photo was taken with the camera app on your device, the photo you took is first saved on your camera app and then also saved to app-private storage on your device. If you remove the photo from your profile or delete HelsaMi, the copy of the photo is deleted from the app-private storage. The photo saved to your camera app remains available in your camera app.
Documents you choose to view in HelsaMi, will be stored as a copy in app-private storage. The temporary copies are deleted when you close your session on HelsaMi.
Information obligated for recording in patient records, will be recorded, and stored in accordance with Norwegian health legislation. Your personal data stored in patient records will be stored until it is presumed that it is no longer of use for healthcare, pursuant to section 25 of the Patient Records Act. The information is then preserved in accordance with the Archives Act or other legislation.
When the death of a user is recorded in the medical records system, the deceased's consent to the services will be deemed as withdrawn and the account will no longer be accessible. Any other person authorized to use will also lose access to the account.
7 Access to personal data in HelsaMi
Authorized technical personnel, who do regular operational work on the technical solution, will generally not have access to your personal data. In certain situations, in connection with error correction or operational disruptions, dedicated operational personnel may have access to your personal data. Such access will only take place within very strict security routines and the operating personnel are required to keep a separate log of when and why such access has taken place. Data processor agreements have been entered into with all relevant subcontractors and all personnel must sign a declaration of confidentiality to be authorized.
HelsaMi is structured according to current industry standards for information security in the healthcare sector (the "Norm"), which, among other things, sets strict requirements for access control and secure login. Routines and measures have been established at various levels to ensure that unauthorized persons do not gain access to your personal data, and that all processing of the data otherwise takes place in accordance with applicable law. All information about you will be stored on secured storage devices.
You will have access to a log of healthcare personnel who have opened your patient record in HelsaMi. The log includes the names of healthcare personnel or other personnel who have accessed your patient record. The time and date of access will be available to you, but there may be restrictions during active treatment at an institution or hospital. You will not be given detailed information about who has had access to specific health information, such as who has opened which journal notes.
8 Your rights
The privacy regulations and health legislation give you several rights that you can exercise in various ways, including:
• To request that the personal data registered about you is corrected or deleted
• To request access to the personal data registered about you
• To request that access to your patient record is restricted to specific health care professionals or personnel
• To launch a compaint to the Norwegian Data Protection Authority
If you have an account on HelsaMi, you can exercise these rights by using the chat function there. You also have functionality in HelsaMi that allows you to correct or delete certain information yourself. You can also contact Helseplattformen AS during our opening hours on telephone number 72 88 37 97 or contact the health service provider that provides services to you.
9 Exchange of information and use of subcontractors
Helseplattformen exchanges information with Helsenorge.no. This is done to integrate the two portals for certain functionalities. Currently, this integration applies to an overview of appointments and letter exchanges.
As part of the functionality in HelsaMi, you will be able to communicate with public entities. Personal information in HelsaMi may be shared with these entities to the extent necessary to provide health care to you, or if such disclosure is required by law. Helseplattformen also collects basic information about you from national and public registers that are made available to you in HelsaMi.
HelsaMi is a service provided by Epic Systems Inc. Epic will only process personal data in HelsaMi if it is necessary to provide technical support and error correction.
As part of Helseplattformen as a service, there is limited integration between HelsaMi and other programs in Helseplattformen. In connection with this, basic information about you may be transferred to these programs, including e.g. video service provided by Norsk Helsenett, which is used to conduct video consultations that can be initiated through an invitation in HelsaMi, by text message, or e-mail. The personal data is stored in the video service in short intervals and is only used in connection with support and error correction.
10 HealthKit and Google Fit
If you choose to use HealthKit and Google Fit, HelsaMi can receive health information from these applications on mobile so that it can be shared with healthcare professionals. No information is provided by HelsaMi to HealthKit and Google Fit, or other software activated by HealthKit or Google Fit.
11 Transfer of personal data out of the EEA
All your personal information is stored and processed within the EEA. In extremely rare cases, support staff from Epic may, through remote access, gain temporary access to personal data from countries outside the EEA to provide technical support and error correction. Such remote access is regulated by a transfer agreement (EU Standard Contractual Clauses), and sufficient guarantees have been established in line with the requirements of the GDPR. This ensures that the information is given the same protection as if it were handled by personnel in Norway.
12 Research projects
In HelsaMi, you as a user can choose whether you want to be contacted or not about participating in research projects. Helseplattformens computer system searches patients' medical records to see if residents meet established criteria for participating in research studies. If the resident has chosen to set his or her preference to "do not contact", he or she will not be contacted to participate in research projects. If the resident does not choose a preference, he or she may be contacted. Your preference in HelsaMi is not a consent to participate in research projects.
HelsaMi uses only necessary cookies that provide basic functionality in the services, such as page navigation and user authentication. The services cannot function optimally without these cookies. See an overview of our necessary cookies.
14 For Android Users – Required Google Play Disclosures for Certain Health Apps
HelsaMi is subject to Google’s COVID-19 apps requirements. As a result, we are required to provide the following information so we can make our mobile apps available in the Play store.
• HelsaMi has access to, collects, uses and shares information as described in section 5. Relevant parts of this information may be processed for purposes associated with COVID-19. Technical information and other irrelevant information, including information about using a microphone for navigation in the app or using a camera roll to add a profile picture to HelsaMi, will not be processed in relation to COVID-19 information.
• HelsaMi has not been developed specifically for use related to COVID-19. In HelsaMi you will have access to COVID-19 vaccination information, test results, and documents with information related to diseases. You can use this information of your choice in the same way as other available information in HelsaMi.
• Through HelsaMi you can participate in video consultations with health professionals in relevant healthcare organizations. Helseplattformen AS facilitates the implementation of such consultations. No personal information about COVID-19 will be stored in the technical solution for video consultation, but the health professionals will be able to document relevant information in your patient record.
• HelsaMi is not an infection tracing app. In HelsaMi there is no tracing of COVID-19 cases.