All IT-services for health and hospitals in Norway may be outsourced, inclusive to service providers providing services from outside Norway and the EU/EEA according to report from the Norwegian Directorate of eHealth (NDE), which is a sub-ordinate institution of the Ministry of Health and Care Services.
In a report from the Norwegian Directorate of eHealth (NDE), which is a sub-ordinate institution of the Ministry of Health and Care Services, the conclusion is that all services with regard to IT may be outsourced to private service providers, even if located outside Norway and the EU/EEA.
The report was requested after it was discovered that employees of a service provider had access to health data of more than 2,8 million Norwegians from Bulgaria, India and Malaysia due to outsourcing from one of the four health regions in Norway. The health institutions in the regions were imposed administrative fines by the Norwegian Data Inspectorate, almost at the maximum level that the Inspectorate may impose. The core basis for imposing the fines was the lack risk assessments prior to the outsourcing (see more here – in Norwegian).
Now, the NDE finds that there are no limitations or restrictions in law to outsource IT-services for health and hospitals, regardless the level of services being outsourced (inclusive base operations), provided that a sufficient risk assessment is being performed, that the management deciding the outsourcing is sufficiently knowledgeable on the outsourcing of IT and to enter into contracts with global IT-service providers, that there are a complete record of all personal data being processed (and then outsourced) and that the management is actually engaged in the decisions on the outsourcing.