Skip to main content
Tag

sbys

Ahmet Esad Berktas
In News

Regulation on Health Information Management Systems

regulation-on-health-information-management-systems-sbys

Turkish Regulation on Health Information Management Systems was published in the Official Gazette and entered into force.

The Regulation on Health Information Management Systems (HIMS Regulation) was published in the Official Gazette numbered 31934 and dated 25/8/2022, and entered into force.

Read Regulation

The matters regulated by the Regulation were previously arranged by the General Directorate of Health Information Systems of the Turkish Ministry of Health (MoH) through a Circular No. 2015/17.

Introduction

Health Information Management System Regulation (HIMS Regulation) sets out the procedures and principles related to the rules that service providers must comply with, the procurement processes of health information management systems, their standards, and the determination of registration procedures. HIMS Regulation includes provisions related to the rules that must be complied with by health information management system service providers and those who benefit from this service.

Integrations and standards that HIMS service providers must provide, provisions for imaging service providers, data model, delivery and transfer of data between HIMS service providers, data backup and archiving are regulated.

Administrative and technical measures to ensure the confidentiality and security of personal health data are mentioned. How the log records will be kept, how and on which parameters the inspections will be carried out by the MoH are also among the issues included in the Regulation.

Key Definitions and Concepts

Public institutions and managements of public health facilities receiving HIMS service

AdministrationArt. 4/1-ı

Software known as Health Information Management Systems, utilized by health service providers for clinical, administrative, or managerial purposes, capable of exchanging data with other information management systems, when necessary

Health information management system (HIMS)Art. 4/1-n

Administrations and health service providers receiving HIMS service

HIMS service recipientArt. 4/1-o

The natural or legal person registered and authorized in the Registration of Registry System to provide HIMS service

HIMS service providerArt. 4/1-ö

Minimum Data Model used in HIMS changes and other data transfer processes of recipients, developed by the General Directorate with the aim of ensuring that the tables and fields of the data kept in local databases by health service providers comply with national standards, minimize data losses, facilitate citizens' access to historical data by accelerating adaptation, and ensure the uninterrupted progress of the process

VEMArt. 4/1-t

KTS Application

1

Authorisation Certificate

The HIMS service provider shall designate a personnel possessing an e-Government password to oversee the registration processes, pursuant to the completion of the form delineated in Annex-1.
2

Official Letter

The official letter and the documents requested in the attachment as set forth in Annex-2 shall be prepared by the HIMS service provider. These shall be submitted, either by hand or by post, to the General Document Unit of the Ministry of Health, and a date and reference number shall be procured for the cover letter.
3

Confidentiality Agreement

The "Confidentiality Agreement" as described in Annex-3 shall be executed with the authorized representative of the HIMS service provider whose information and documents are found to be complete, thereby initiating a passive registration on the Portal. The HIMS service provider's authorized representative shall access the Portal using an e-Government password and shall upload the documents as detailed in Annex-4, and update them as and when required.
4

Software Access Test Code

Subsequent to this stage, tests for compliance with data transmission and health informatics standards shall be administered. A "Software Access Test Code" shall be provided for the purpose of the data transmission test. Upon successful completion of the tests, the registration procedures for the HIMS service providers within KTS shall be finalized, and a “Software Access Code” shall be furnished for the purpose of data transmission in the live environment.
5

TSE ISO/IEC 27001

HIMS service provider seeking new registration shall submit the TSE ISO/IEC 27001 certificate, together with the documents necessary for registration.
6

KTS Active List

HIMS service providers registered with KTS shall be publicly announced on the official web page of the Ministry.

KTS Documents

Registry of Registration System (KTS) is managed by the Ministry of Health (MoH), General Directorate of Health Information Systems (SBSGM) in order to be able to operate in health service providers.

The application process is carried out electronically, transactions can be made via Registered Electronic Mail or e-Government. Authorization certificates are issued to HIMS service providers on the active list at KTS.

Original Document List

Official Letter for Application

Click to download the official letter in order to apply for KTS registration.

Copy of Trade Registry Gazette

First and latest copy of the corporate from Turkish Trade Registry Gazette.

Workplace Reg. Number

Document Indicating the Social Security Institution Workplace Registration Number.

Balance Sheet For Three Years

Approved balance sheet for the last 3 years from a tax office or a certified public accountant.

Signature Circular

In order to confirm whether relevant person is authorised to sign or not.

Apostilled Document

This is only needed if the software produced abroad.

17021 Certificate of the Firm

Certificate for Conformity Assessment of the firm issues ISO 27001.

TS ISO/IEC 15504

Certificate for SPICE level 2 (min) or CMMI level 3 (min).

Certificate for Programs

Certificate that could be obtained from the Ministry of Culture and Tourism.

TS ISO/IEC 27001 Certificate

Certificate for Information Security Management.

Non-Disclosure Agreement

You could reach the NDA by clicking to the icon above.

List of Produced Software

Which software would be registered to the KTS?

Information of User

Share information about your software's user(s) such as general practitioner or dentist.

Information of Firm Officials

Use the document to share information about your officials.

HIMS Audit

The Ministry may audit or have the HIMS service provider audited, ex officio or upon complaint. Nevertheless, the Regulation foresees that the audit cannot go beyond the scope of the service provided by the responsibility of the HIMS service provider.

In the remote or on-site audits, audits are conducted on the following matters:

If the deficiencies identified during these audits are not remedied within a certain period of time, relevant HIMS service provider will be placed on the passive list and this process may ultimately result in complete removal from the list.

Existence

Existence and uniqueness of HIMS in order to avoid legal complications.

Workflows

Conformity with the workflows and business rules as determined by the SBSGM.

Integration

Data transmission with integration into MoH's central data systems.

Standards

Compliance with the standards as determined by the SBSGM.

VEM Version

Compatibility with the current VEM version and data transfer capability.

Registration

The registration status of the HIMS service provider to KTS.

Data Protection

Compliance with personal data protection legislation and information security regulations.

Security

If deemed necessary, security and penetration tests conducted for HIMS.

Enforcement

Except for Articles 17 and 20, the provisions of the Regulation have come into effect on the date of 25/8/2022, when the Regulation was published in the Official Gazette. On the other hand, Article 17 (Event and trace logs) is on effect from 25/8/2023 and Article 20 (Competency score) is on effect from 25/4/2024.

Dates

25/8/2022
HIMS Regulation entered into force
25/8/2023
Article 17 (Event and trace logs)
25/4/2024
Article 20 (Competency Score)

Article 17 (Event and trace logs)

1- HIMS service recipients shall be obliged to retain their SAMILOG records for no less than five years, and all other records for no less than two years, within their proprietary servers.

2- SAMILOG records pertaining to AHBS shall be conserved within the database in such a manner as to preclude alteration via AHBS.

3- All modifications effected by users at the database level, inclusive of data addition, data deletion, data modification, and all transformations enacted upon database objects, shall be preserved.

4- All systems engendering event and trace logs shall be synchronized by means of a time server to be furnished by the HIMS service recipient, for the express purpose of engendering uniform time information throughout the system.

5- Event and trace logs shall be safeguarded against unauthorized access, erasure, and modification. The event and trace logs so generated shall be retained by affixing a signature through a qualified time stamp, as provided by either resident qualified electronic certificate service providers within Türkiye or by SBSGM.

HIMS Regulation

Unofficial English Translation of HIMS Regulation

Download

About Us

Berktas Legal is based in Istanbul and providing state-of-the-art counselling services on the intersection of law, information technology and health domains, specifically on protection of personal health data.

Address

FSM Mah. Poligon Cad.

Buyaka 2 Sitesi Kule: 3

No:8C/1, Umraniye

Istanbul, Turkiye

Contact

T: +90 (216) 2259483

E: [email protected]

© 2025 | Berktas Legal

Legal Notices

Privacy Policy

Cookie Policy