The rules for accessing data can vary between different data sources. The Norwegian health legislation [helselovgivningen] distinguishes between data from so-called "treatment-oriented health registers" and other health registers. Therefore, the project leader must decide whether the desired data should be obtained from a source that is legally considered a "treatment-oriented register" or another health register.
Projects that use machine learning and artificial intelligence should familiarize themselves with the Directorate of Health's guide before carrying out the activities addressed by this guide.
Patient records and other treatment-oriented health records
The term "treatment-oriented health register" is defined as follows:
«patient record and information system or other register, index or similar, where health information is stored systematically, so that information about the individual can be found again, and that shall provide a basis for decisions about health care or the administration of health care for individuals». (Patient Records Act § 2 d)
[«pasientjournal- og informasjonssystem eller annet register, fortegnelse eller lignende, der helseopplysninger er lagret systematisk, slik at opplysninger om den enkelte kan finnes igjen, og som skal gi grunnlag for helsehjelp eller administrasjon av helsehjelp til enkeltpersoner». (pasientjournalloven § 2 d)]
Establishing whether your project should use data from patient records or other treatment-oriented registers:
The patient journal record includes all information that is registered about the patient because it is considered to be relevant and necessary information in connection with health care, as well as information that is necessary to fulfill statutory reporting obligations. The journal can contain free-text notes, test results, photos and other information.
Within an organization, the information that makes up the patient's record can be stored in several information systems, such as:
- main record (normally kept by healthcare personnel who provide healthcare in meetings with the patient).
- digital patient cards.
- various specialist systems (systems that take care of special functions within one or more specialities, and which have been specially developed for the registration and processing of health information related to the specific speciality, e.g. anesthesia records, curve systems, treatment plans and the like).
- regional laboratory solutions and radiology systems (RIS/PACS).
Information in patient administrative systems is also legally considered part of the patient's record.
Examples of different treatment-oriented registers, which are also covered by the same rules, are the drug register, image register and discharge summary registry.
Purpose limitation for the use of data from treatment-oriented health registers
If the project is to use data from a treatment-oriented register, and consent is not to be obtained from the individual, an exemption from the duty of confidentiality must be applied for according to the rules in the Health Personnel Act. According to the Health Personnel Act, access to data from treatment-oriented health registers can be requested for specific purposes. This is described in more detail under [clarify purpose].
Health registers regulated by the Health Register Act (non-processing registers)
In these registers, health information is stored with a view to purposes other than the provision of health care.
The term "health register" is defined as follows:
«any structured collection of personal data that is available according to special criteria, and that contains health information »(Health Register Act § 2)
[«enhver strukturert samling av personopplysninger som er tilgjengelig etter særlige kriterier, og som inneholder helseopplysninger» (helseregisterloven § 2)]
A common type of health register is the medical quality register (local or national register). Some health registers are regulated by their own regulations. For example, the Cancer Registry [Kreftregisteret] is regulated through the Cancer Registry Regulations [kreftregisterforskriften]. In such cases, it will be clear from the regulations in question for which purposes data from the register can be used.
Information in the health registers can be used for the purposes described in Section 3 of the Health Register Act: statistics, health analyses, research, quality improvement, planning, management and preparedness in the health and care administration and the health and care service. Not sure how the project's purpose should be defined? See guidance here.
Do your project plan to use data from health registers regulated by the Health Register Act?
From 15 March 2023, applications for dispensation from confidentiality and/or access to health information must be addressed to the Health Data Service, in the case of the following health registers:
- Norwegian Cause of Death Registry [Dødsårsaksregisteret]
- Cancer Registry of Norway [Kreftregisteret]
- Medical Birth Registry of Norway [Medisinsk fødselsregister]
- Norwegian Surveillance System for [Meldingssystem for smittsomme sykdommer] (MSIS)
- Norwegian Immunisation Registry [System for vaksinasjonskontroll] (SYSVAK)
- Norwegian Patient Registry [Norsk pasientregister] (NPR)
- Norwegian Cardiovascular Disease Registry [Nasjonalt register over hjerte- og karlidelser]
- Norwegian Adverse Drug Reaction Registry [System for bivirkningsrapportering]
- Norwegian Registry for Primary Health Care [Kommunalt pasient- og brukerregister] (KPR)
- Norwegian Prescribed Drug Registry [Legemiddelregister]
- Norwegian Health Archives Registry [Helsearkivregisteret]
The list was last updated on 19 March 2023.
The application for dispensation from confidentiality and/or access to health information is sent to the Health data service [Helsedataservice] by logging in to helsedata.no.
For data from other health registers than those mentioned in the list above, the project must apply to the Norwegian Directorate of Health for access to data according to the rules in the Health Register Act chapter 3. The purpose of the project must be within the scope described in the relevant register's articles of association.
- If there is no consent, an application must be made for a dispensation from the duty of confidentiality in accordance with the Health Register Act [helseregisterloven] § 19. The rules for the dispensation depend upon the purpose for which the information is to be used, see [clarify purpose].