The definitions mentioned in Federal Law No. 2 of 2019 referred to shall apply to this Resolution. Other than that, the following words and expressions shall have the meanings ascribed thereto unless the context requires otherwise:
Approval: Acceptance expressed by signing on paper or by electronic means.
The Person's Identification Data: Data or information that indicates the identity of a person, whether individually or combined with other data or information.

1. The health authorities concerned with joining the Central System shall be committed to the following:

a. To comply with the work rules of the Central System mentioned in Federal Law No. 2 of 2019 referred to and the decisions issued in implementation thereof.
b. To adhere to the deadline specified for it to join the Central Database, as determined by the Ministry in coordination with those authorities.
c. To pay any costs associated with connecting and networking with the Central System.
d. To comply with the rules regulating the national registry regarding digital health standards in relation to necessary standards, requirements and procedures when dealing with the Central System, including:

1) Personal health information required to be provided by the health authorities and the relevant entities.
2) Adherence to the mechanism and the exchange of personal health data and information with the approved health authorities and the relevant entities to protect them and ensure their confidentiality.
3) Mechanisms to protect the confidentiality of health data and information.

2. The Ministry has the authority to audit personal health data and information provided by the relevant entities for the purpose of verifying their authenticity, quality, and compliance with national digital health data standards.
3. The Ministry, in coordination with other health authorities and the relevant entities, shall determine the mechanism and procedures for ensuring the quality of personal health data and information.
4. Any other requirements or procedures related to joining the Central System are determined by a decision of the Minister after coordination with other health authorities and relevant entities.

The Ministry, in cooperation with other health authorities and the relevant entities, shall form a joint committee to coordinate on matters related to the implementation of the provisions of Article 2 of this Resolution. This committee may form sub-committees whenever it deems necessary.

1. Subject to the provisions of Federal Decree-Law No. 4 of 2016 referred to and Cabinet Resolution No. 40 of 2019 referred to, health authorities and the relevant entities shall determine the persons authorised to enter the Central System, on an as-needed basis, and depending on the professional role of determining the level of access to central system data, in addition to his role in patient care.
2. The health authorities and the relevant entities adhere to the privacy and safety standards, and any controls established by the Ministry in coordination with other health agencies, including periodic auditing procedures to remove or modify the features or powers of authorised persons according to work requirements.
 

No person may use the central system unless authorised to do so by the health authorities or the relevant entities, and in accordance with the following controls:
1. The Health Authority shall grant the permission to the following:

a. The persons who work for it under an employment contract, and the nature of their work requires the use of the Central System.
b. Persons who work through service outsourcing companies under contracts concluded with these companies, or experts and consultants who are hired on casual basis, or the agencies and entities of the Health Authority. In all cases the nature of their work or the tasks entrusted to them requires the use of the Central System.

2. The authority concerned shall grant the permission to the persons who work for it, provided that the nature of their work requires the use of the Central System, and the use shall be within the limits of the actual need required by the work, and when granting the permission, the authority concerned shall provide the Health Authority with the authorised persons.
3. The Health Authority and the Relevant Entity shall determine, as appropriate, the persons authorised to enter the Central System remotely.
4. The Health Authority and the Relevant Entity shall, as appropriate, take the necessary measures to ensure that the authorised person is unable to enter the Central System after the end of his service with it.
5. Individuals may give access to their personal health information to other persons of their choice, provided that they shall be registered as users in the Central System’s database, in a manner that does not conflict with any other legislation issued in this regard.
6. Any person may request to prohibit or restrict access to his personal health information, in accordance with the requirements and controls set by the Ministry in coordination with other health authorities.

Using the Central System and exchange of health data and information shall subject to the following conditions and controls:
1. Suppliers, entities and persons authorised to access any of the information and communication technology systems shall agree to a pledge not to disclose the health data and information that was accessed through the use of the Central System.
2. The disclosure of the patient's health information to any party without the consent of the patient or his representative shall be legally prohibited, unless disclosure of this information is permitted in accordance with the legislation in force in the state.
3. In case of an emergency and if the patient's consent cannot be obtained, health care providers may examine the patient's file for health care purposes and shall provide reasons for examination.
4. The patient's file should not be left open unattended, and computers or any other electronic means should be switched off when not in use.
5. Any suspicious activities that would affect the confidentiality of data and information shall be reported.
6. It is prohibited to send an email or use any other electronic means of communication that contains patient information unless it is encrypted.
7. In the event that information is entered incorrectly or if some information is not entered, the error should be modified or the requested information should be completed while maintaining the original entry for quality and auditing purposes.
8. When modifying any data, the reason for the modification should be entered and the information that was modified and the date of the modification shall be stored, along with the electronic signature of the person who made the modification.
9. Tracking the changes to information and data should be ensured once entered or ratified.
10. Federal health data and information and health statistics should not be published nationwide without the approval of the Ministry.
11. The consent of the patient should be obtained in the event of the publication of his identity data, and the list of the person's identity data shall be determined by a resolution of the Minister in coordination with the other health authorities.
12. The data, information and statistics to be published should comply with the standards set by the Ministry in coordination with other health authorities.
13. All necessary steps should be taken to protect patients ’personal data and information from loss, misuse, unauthorised access, disclosure, modification, or destruction.
14. The user authorised to enter the Central System shall have his own username and password.
15. The username and password shall not be disclosed to any other user or any other party.

Storing health data and information by means of information and communication technology should be according to the following controls:
1. The central system should include all patient files in the state, and the files should contain data and information determined by the Ministry in coordination with other health authorities.
2. The patient may choose to withdraw from the Central System, in such case, data and information can be kept unidentified.
3. Health data and information that has exceeded the preservation period may be archived for research and public health purposes, while maintaining the patient privacy.
4. A backup of health data and information should be taken safely, this data and information should be recoverable. The backups should be reviewed and updated on regular and continuous basis.
5. The Ministry, in coordination with health authorities, shall develop one or more plans to manage risks and ensure the continuity of the work of the Central System.
6. The Ministry, in coordination with health authorities, and through specialised committees, should set locally established global standards regarding the confidentiality, quality and validity of health data and information in a manner that does not violate the legislation in force in the state.
7. The Ministry and the health authorities shall carry out periodic audits to ensure that standards and procedures are implemented by the relevant entities, with regard to the validity, integrity, quality and confidentiality of data and information.
8. Health data and information should be stored by information and communication technology means, and according to the regulations for maintaining medical records and archiving in force in each health facility, provided that it shall be compatible, at a minimum, with the controls set by the Ministry in coordination with other health authorities.
9. Periodic tests should be taken to assess the effectiveness of the mechanism for retrieving health data and information, and to detect any malfunctions in the Central System and any improvements that can be made to it.

The Minister, in coordination with health authorities, shall issue the necessary decisions to implement the provisions of this Resolution.

Any provision that violates or contradicts the provisions of this Resolution shall be repealed.

This Resolution shall be published in the Official Gazette, and it shall come into force six months after the date of its publication.