C. 1. Is your organisation formally designated, empowered by law and mandated with defined accountabilities and responsibilities as the responsible National Contact Point for eHealth in Cross-Border Services by a National Competent Authority?

Response

Yes. In October 2019 a new electronic health law was activated. The National Electronic Health Authority (NEHA) is the owner of the Cross-Border Services in Cyprus. Based on this, the NEHA is the National Competent Authority and has the executive power derived from the eHealth LAW (see Annex LAW 1 eHealth LAW – GR, page 11, article 17) to manage the cross-border directive as documented in Annex LAW 2 Cyprus Law for Cross Boarder Health Care. Moreover, in Annex OP 2 Operation and Organizational Structure – GR describes the organizational structure of the CY NCPeH and the supporting departments. The NCPeH has been appointed with an administrative action in a formal and legally binding way by the National Competent Authority. The appointment makes the NEHA responsible for the implementation of the cross border directive, as a National Contact Point that is accountable against all the responsibilities and the obligations as documented in the cross border health care law:

• Annex LAW 2 Cyprus Law for Cross Boarder Health Care): the 2013 Cyprus Law for Cross Border Healthcare, named - 149(Ι)/2013 “ΝΟΜΟΣ ΠΟΥ ΠΡΟΝΟΕΙ ΓΙΑ ΤΗΝ ΕΦΑΡΜΟΓΗ ΤΩΝ ΔΙΚΑΙΩΜΑΤΩΝ ΤΩΝ ΑΣΘΕΝΩΝ ΣΤΟ ΠΛΑΙΣΙΟ ΤΗΣ ΔΙΑΣΥΝΟΡΙΑΚΗΣ ΥΓΕΙΟΝΟΜΙΚΗΣ ΠΕΡΙΘΑΛΨΗΣ ΚΑΙ ΓΙΑ ΣΥΝΑΦΗ ΘΕΜΑΤΑ”.

Annex LAW 2 refers to the Competent Authority and its responsibilities for the provision of the cross border services. More specifically, the main points of the law that empower the competent authority to proceed with the provision of the cross border services are highlighted herein below:

• Page 2: «Αρμόδια Αρχή» σημαίνει τον Υπουργό Υγείας· (οι εξουσίες της αρμόδιας αρχής για την εφαρμογή της νομοθεσίας πηγάζουν από το σύνταγμα άρθρο 58).
• Page 3: «διασυνοριακή υγειονομική περίθαλψη» σημαίνει την υγειονομική περίθαλψη που παρέχεται ή συνταγογραφείται σε κράτος μέλος διαφορετικό από το κράτος μέλος ασφάλισης·
• Page 7: «υγειονομική περίθαλψη» σημαίνει τις υπηρεσίες υγείας που παρέχονται σε ασθενείς από επαγγελματίες της υγείας προκειμένου να εκτιμηθεί, να διατηρηθεί ή να αποκατασταθεί η κατάσταση της υγείας τους, συμπεριλαμβανομένης της συνταγογράφησης, της χορήγησης και της προμήθειας φαρμάκων και ιατροτεχνολογικών βοηθημάτων·
• Άρθρα 12 Ι δ, 15 Ι δ, 31 (1), (2)
• For the recognition of the prescription Ο Περί Φαρμακευτικής και Δηλητηρίων Νόμος, Article 35, page 34 (see Annex LAW 3 The Pharmaceutical and Poisoning Law).

Furthermore, the new eHealth LAW (Annex LAW 1 eHealth LAW - GR) address the NEHA as the legal, governance and the organizational authority for the NCPeH CY.

Indicative Key Document(s):

National Legislation and Decision of appointment;

• Annex LAW 1 eHealth LAW - GR
• Annex LAW 2 Cyprus Law for Cross Boarder Health Care
• Annex LAW 3 The Pharmaceutical and Poisoning Law
• Annex LAW 4 Organization of Public Health Services Law
• Annex OP 2 Operations and Organizational Structure
• Annex OS 1 CEF INEA Application and Grant Agreement
• Annex OP 6 NCPeH Supporting Documentation, page 92, YY αρ. φακέλου Υ.Υ.12.3.02.100/4 ενεργοποίηση του άρθρου 17, page 93 & MOH Registry Φάκελος 4.2.13.21.1.3/3 (σημ. 4, ημ. 7/2/20209).

Agreements between National Authorities or Organizations responsible for National Contact Points for eHealth and requirements for their inclusion and participation in Cross Border eHealth Information Services;

• Annex OS 2 Bilateral agreement
• Annex OS 3 Third parties service agreements
• Annex OS 4 Contract signed with GNOMON
  • National (e) health structure and the NCPeH's position within it;
  • NCPeH organization / organogram, assigned roles, accountabilities and responsibilities.
• Annex OP 2 Operations and Organizational Structure, see section 7 Structure - NCPeH CY Organogram and Roles
• Annex OS 7 DPA Agreement NEHA and SHSO

O.5 How are the Cross-border eHealth Services positioned and governed within your National health Governance Structure?

Response

The NEHA has the governance and the responsibility of the NCPeH and cross border services. With the collaboration of the MOH and the Department of Information Technologies the NEHA has the governance of the cross-border services. Please find below the corresponding Annexes.

• Annex OP 2 Operations and Organisational Structure

In the cases of a calamity, emergency, data breach etc., the procedures followed are documented in detail in:

• Annex OP 7 Business Continuity Procedures NCPeH CY

O. 6 How is your National Infrastructure (NI) organised and assigned appropriate roles and responsibilities to provide the planned clinical documents as NCPeH Country A for Patient Summary and ePrescription and as NCPeH Country B for eDispensation?

Response

The above responsibilities are documented in:

• Annex OP 2 Operations and Organisational Structure, see sections: 5 Patient Registration for Service, 6 Procedures, 7 Structure - NCPeH CY Organogram and Roles and 8 Scope of Service
• Annex OP 5 NCPeH DPIA, see section 6.2 Responsibilities

Patient Summary and ePrescription are created upon patient's request and consent.

The doctor is responsible to fill in and upload the data on the NCPeH system through the service portal. Also, the doctor is responsible to retrieve the PS as country B. The doctors have the responsibility to provide the clinical documents. This responsibility is derived from the cross-border law (see Annex LAW 2 Cyprus Law for Cross Boarder Health Care, articles 12 Ι δ, 15 Ι δ, 31 (1), (2)). This responsibility was assigned to the doctors from the NCPeH CY Steering Committee appointed by the competent Authority for the execution of the project (see Annex OP 6 NCPeH Supporting Documentation, meeting minutes 8/1/2019, page 38). A notification letter was sent (see Annex OP 6 NCPeH Supporting Documentation, date 14/01/2019, page 75), with instructions for the compliance with the cross border services. An initiation visit was carried out at the Famagusta General Hospital, where the doctors (and the administration) were presented and briefed for their responsibilities regarding the cross border services. Furthermore, additional hands on training will be provided as needed. Moreover, a DPA agreement between the NEHA and the SHSO was signed. See Annex OS 7 DPA Αgreement NEHA and SHSO.

Hospitals are obliged by law to cooperate and provide to the patients the cross border services as it is documented in the cross border law given in Annex LAW 2 Cyprus Law for Cross Boarder Health Care.

C.3 Is the NCPeH established as a legal entity and legally competent to initiate or enter into agreements or contracts?

Response

Yes. The NEHA is the Legal Authority to enter in to agreements and contracts. The Competent Authority will be collaborated with the MOH procurement department . The same applies for the University of Cyprus (UCY). Both NEHA (NCPeH CY) and UCY are legal entities and legally competent to contract/subcontract a service provider. Both organisations have procurement departments (NEHA will be supported by the MOH and UCY) eligible for acquiring products and services when needed. The law prescribing the Regulation and the Procedures for Procurement and Public Contracts is the following:

• Annex LAW 7 Cyprus Law procurement 2016 - 73(I)

See also link for Cyprus Government eProcurement portal: http://www.treasury.gov.cy/treasury/treasurynew.nsf/page21_en/page21_en?opendocument.

C. 4 Does the NCPeH have National arrangements in place authorising the exchange of health information between the NCPeH and the National Health Care Organisations (Hospitals, Health Care Providers, Pharmacies)?

Response

Yes. The authorization of the exchange of health information is the responsibility of the NCPeH. The Competent Authority (ΝΕΗΑ) with the collaboration of the MOH has performed DPIA to address the issues raised in this question, see:

• Annex OP 5 NCPeH DPIA

Moreover, the Competent Authority has appointed according to the project Management Methodology followed for all governmental projects, a project Steering Committee (with the responsibility to implement and monitor the project).

C.5. Has the NCPeH or the designating authority an appointed legal responsible to ensure that legal aspects affecting the NCPeH are appropriately managed by the NCPeH?

Response

Yes. The legal responsible for all the Governance Departments, Ministries and Authorities including NEHA is the Attorney General of the Republic of Cyprus. The Attorney General is responsible for providing legal advice to all Cyprus Public and National Authorities and Organisations, review legal documents and legal vetting law proposals.

Despo Olympiou (see Annex OP 2 Operations and Organisational Structure, section 7 Structure - NCPeH CY Organogram and Roles) was authorized by the Chief Medical Officer of MΟH, as the person responsible for the communication with the Office of the Attorney General.

Furthermore, it is noted that one member of the Board of Directors of NEHA as required by the NEHA Law should be a lawyer.

C.6. Has the NCPeH appropriate procedures in place to ensure that relevant legislation and regulations are collected and understood by the NCPeH personnel handling relevant information and/or systems?

Response

All relevant legislation and updates are documented in:

• Annex OP 2 Operations and Organisational Structure, sections 3.2 Relevant legislation and 3.3 All Relevant Legislation concerning and monitored by the Competent Authority

Also, in the public sector, the guidelines to the competent department for the execution of the project apply (http://www.treasury.gov.cy/treasury/treasurynew.nsf/page21_en/page21_en?opendocument and http://www.treasury.gov.cy/treasury/treasurynew.nsf/page07_gr/page07_gr?opendocument).

C. 6-1 [C.12] Are there any applicable legal arrangements used by the NCPeH for ensuring the protection of Cross-Border Health Information coming from other Member States other than those in the Agreement?

Response

There are not any restrictions in information exchange of healthcare data between Cyprus and EU countries. Furthermore, the articles of the cross-border law (see Annex Law 1 article 17 and Annex Law 2 articles 12 Ι δ, 15 Ι δ, 31 (1), (2)) support this. Special reference is also made to article 26(2) (see Annex Law 1) which documents the right of reimbursement for telemedicine services. In addition, it is noted that the Multi-Lateral Agreement has been sent to the Attorney General for consultation. No restrictions for signing the agreement were given. (see Annex OP6 NCPeH CY Supporting Documentation, Attorney General response, dated 25/04/2017, page 62). It is also noted that at the eHealth Network meeting all the countries accepted the Multi-Lateral Agreement. Furthermore, the same rules apply for EU citizens as is the case of Cypriot citizens using the health services in Cyprus. They are registered, authorized and authenticated with an identical process.

C.7 Has the NCPeH a procedure ensuring an impact assessment for legislative and regulatory changes?

Response

The procedure followed by government is the standard internal methodology of the government for project execution and it can be found at: http://www.treasury.gov.cy/treasury/treasurynew.nsf/page07_gr/page07_gr?opendocument In all cases, the competent authority, or the council of ministries or the parliament can request impact assessment and or cost-benefit analysis. This mostly depends on the complexity and the size of the project. NEHA follows standard procedures on every process regarding law and regulation enforcement and compliance. All departments are notified formally for the changes and the head of the department allocates responsibilities to various subordinates to enforce the relevant changes. Furthermore, it is noted that the government has an official process for impact assessment in case of reforms: http://www.reform.gov.cy/en/growth-reform/better-regulation/impact-assessment-of-new-legislation (password needed)

C. 8 If applicable: Is your NCPeH organised as a Singles Instance (1 Central) or does your national authoritiy or organisation responsible for NCPeH rely on any Regional Contact Points (RegCPeH)?

Response

The Cyprus NCPeH is organized as a Single Instance (1 Central).

• Annex TE 1 NCP CY Technical deliverable – Part A

C. 9 Has the NCPeH clearly identified the data controller and data processors in accordance with the Regulation (EU) 2016/679 (aka General Data Protection Regulation) for the processing of data by the NCPeH?

Response

Yes. In the case of the NCPeH services the Data Controller is the NEHA and the Data Processors are: UCY, SHSO (State Hospital Service Organisation), Pancyprian Medical Association and Pancyprian Pharmaceutical Association. See:

• Annex OP 5 NCPeH DPIA, section 6 Personal Data
• Annex OS 5 Data Protection Agreement between NEHA and UCY. For Data Protection Agreement between NEHA and SHSO (State Hospital Service Organisation) there is an agreement signed by the CEO of SHSO for the implementation of the service in the hospitals as planned before the COVID-19 pandemic. At the moment, hospitals are not willing to support the cross border services due to the pandemic priority.

C. 10 Do the NCPeH employees and contractors comply with confidentiality and non-disclosure requirements?

Response

Only doctors have access to health-related data in the NCPeH system and the Pharmacists for the dispensation (see LAW 138 (I) 2001 article 23(1):

• http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/CBD480CDE52BEF21C225820A004BBEB3/$file/%CE%9F%CE%B4%CE%B7%CE%B3%CE%AF%CE%B1%20%CE%B3%CE%B9%CE%B1%20%CF%87%CF%81%CF%8C%CE%BD%CE%BF%20%CE%B4%CE%B9%CE%B1%CF%84%CE%AE%CF%81%CE%B7%CF%83%CE%B7%CF%82%20%CE%B4%CE%B5%CE%B4%CE%BF%CE%BC%CE%AD%CE%BD%CF%89%CE%BD%20%CF%85%CE%B3%CE%B5%CE%AF%CE%B1%CF%82%202018.pdf.

NCPeH employees are obliged under the public service law to follow strict confidential and non-disclosure criteria (see Annex LAW 6 Public Service Act of 1990, article 67). The same applies to UCY employees (see also Annex OS 2 Bilateral agreement, section 10). Furthermore, all suppliers are obliged with confidentiality and non-disclosure agreement with the contracting authority (see Annex OS 3 Third parties service agreements and Annex OS 5 Data Protection Agreement between NEHA and UCY).

• Annex LAW 5 Cyprus Law for Doctors 1967, article 9 and 46
• Annex LAW 6 Public Service Act of 1990, article 67
• Annex LAW 1 eHealth LAW - GR
• Annex OS 2 Bilateral agreement, section 10
• Annex OS 3 Third parties service agreements
• Annex OS 5 Data Protection Agreement between UCY and NEHA

C. 11 What measures has the NCPeH in place to ensure compliance of its suppliers with contractual provisions for data protection and information security?

Response

For each contract signed by the NEHA, UCY and MOH for NCPeH, a project manager and a stage manager are assigned for each contract and they are responsible for the follow up and making sure that measures are in place and compliance checks are performed. It is a common practice in the government project management Methodology Paragraph 7.4.4 (For this reason the MOH has signed the bilateral agreement with the UCY). See also link: GUIDE TO BEST PRACTICES FOR THE CONTRACT AND EXECUTION OF PUBLIC CONTRACTS Public Procurement Directorate – Report on PROJECT MANAGEMENT - http://www.treasury.gov.cy/treasury/treasurynew.nsf/page07_gr/page07_gr?opendocument.

• Annex LAW 1 eHealth LAW - GR
• Annex OS 4 Contract signed with GNOMON
• Annex OS 2 Bilateral agreement
• Annex OS 3 Third parties service agreements
• Annex OS 5 Data Protection Agreement between UCY and MOH
• Annex OS 6 DPA NΕHA and UCY

C. 13 Has the NCPeH a procedure in place that assures that ONLY authorised persons have access to Cross Border related data?

Response

ONLY authorized personnel have access to cross-border related data. The credentials for the authorized personnel are given personally upon provision of ID card. Only doctors and pharmacists have access to health-related data. See:

• Annex OP 2 Operations and Organisational Structure, see section 4.2 Secured Access/Authorisation and Appendix I: Guidelines for Registration in Cross-Border Care Services (Doctors) and Appendix II: Guidelines for Registration in Cross-Border Care Services (Pharmacists)
• Annex LAW 8 Data protection Law, GDPR
• Annex OP 5 NCPeH DPIA
• Annex OS 6 DPA NeHA and UCY

C. 14 Does the NCPeH ensure the provision of a PIN (patient information notice) in accordance to the GDPR requirements?

Response

The NCPeH has in place a procedure to inform citizens about their rights based on the GDPR requirements. The health professional informs the citizen in both cases, for the PSA and PSB services but also for the eP/eD A and B services and the citizen signs the PIN. The hard copy signed PIN is kept in the health professional premises. PIN was approved by the Commissioner for Personal Data Protection (see Annex OP 6 NCPeH CY Supporting Documentation, page 64, dated 09/07/2019). See

• Annex OP 8 NCPeH CY Patient Consent and PIN
• Annex OP 5 NCPeH DPIA, section 6 Personal Data
• Annex OS 6 DPA NeHA and UCY

O. 12 Has the NCPeH a dissemination/education plan for beneficiaries (Health Professionals, Citizens)?

Response

Yes, there is a dissemination and education. Moreover, the UCY team in collaboration with NEHA and MOH has already performed the training of the personnel involved in the service provision.

• Annex OP 4 NCPeH Dissemination, education and training plan

O. 13 How does the organisation define and verify the necessary roles and responsibilities, staff competencies and, if applicable, security clearance requirements for the staff that has access to sensitive assets and operates the NCPeH?

Response

All roles and responsibilities are defined in the deliverables. Furthermore, job descriptions of the personnel are provided. Clearance requirements of the personnel are already in place and described, given that the service is provided in an already secure and computerized environment where information security policy and relative roles apply.

• The relevant recruitment and selection process along with the entry requirement examinations, medical records, criminal records are described in http://www.cylaw.org/nomoi/enop/non-ind/1990_1_1/full.html, articles 30-40 and in Annex LAW 1 eHealth LAW - GR

The NCPeH is under the responsibility of NEHA. Moreover, the NCPeH operates with existing MOH staff and the assigned roles and responsibilities are described in the annexes. Security clearances are also described in the annexes.

• Annex OP 2 Operations and Organisational Structure, section 7 Structure - NCPeH CY Organogram and Roles and Appendix VI: Roles and Service Plans
• Annex OP 1 Service Operation Plan, section 3 section 3 Service Operation Functions

End of Legal and organisational Domain