Unique requirements for social and healthcare information systems in Finland
Overview of the requirements
Finland stands out with specific registration requirements for information systems used in social and healthcare services. Certain information systems used in these services must adhere to specific registration and operational requirements as outlined in the Finnish Client Data Act (703/2023) introduced last year.
Such information systems cover client information systems for social welfare, patient information systems, as well as software used in laboratory and imaging systems that process patient-related information. Information systems that store documents other than actual client documents in the national information system services (Kanta services) also fall within the scope. Such systems include, for example, information systems intended for the creation and storage of certificates and statements in Kanta services. The purpose of these requirements is to ensure that all systems handling sensitive patient and client data meet high standards for functionality, security, and interoperability.
The regulations and instructions issued by Finnish public authorities are available only in Finnish and partly in Swedish, which poses challenges for foreign service providers in understanding their obligations and staying informed about potential changes in the requirements. Nevertheless, foreign companies aiming to enter the Finnish market must also understand these requirements in order to comply with Finnish law and successfully sell their solutions to both private and public social or healthcare service providers.
Mandatory registration
Beyond meeting these high standards, a social welfare and healthcare information system must be registered with the National Supervisory Authority for Welfare and Health (hereinafter “Valvira”) before it can be commercially used in Finland. Once registered, the system details must be kept up to date. The responsibility for registration and updating the data in the register falls on the information system service provider. When an information system supplier registers a system with Valvira, they assume responsibility for ensuring that the system complies with the essential requirements relevant to its intended use throughout its production lifecycle.
Information systems are classified into two main categories (and certain subcategories) based on their characteristics, each subject to varying levels of functionality, security, and interoperability requirements. The classification of a system also dictates the registration process, as well as the necessary documents and assessments.
Sanctions for non-compliance
If Valvira discovers that a healthcare provider is using an unregistered system, the primary action is to require the system to be registered before it can continue to be used. Valvira may also impose a conditional fine not only on the healthcare provider but also on the system provider to ensure that the registration is completed. If the system supplier fails to register the system within the deadline set by Valvira despite its request, Valvira may explicitly prohibit the use of the system until the registration is completed. During this period, the healthcare provider is prohibited from using the system under the threat of a conditional fine.
Additionally, Valvira may require the system supplier to issue a press release or inform its clients that a ban or other restrictions have been imposed on its system. The information that the system is not registered can lead to the termination of contracts and/or claims for damages. In the context of public procurement, a tenderer may be excluded from the tender if the contracting authority becomes aware that the system is not registered. Such a tenderer is likely to be excluded from future tendering procedures.
Contact us if you need legal advice on these regulatory questions in your company.