THE MINISTRY OF HEALTH
Circular No. 54/2017/TT-BYT dated December 29, 2017 of the Ministry of Health on criteria for assessment of information technology application at health facilities
Pursuant to the Government's Decree No. 75/2017/ND-CP dated June 20, 2017 defining functions, tasks, entitlements and organizational structure of the Ministry of Health;
At the request of the Director General of Department of Information Technology,
The Minister of Health hereby promulgates a Circular on criteria for assessment of information technology application at health facilities.
Article 1. Scope of adjustment and subjects of application
1. This Circular promulgates criteria for assessment of information technology (IT) application and provides guidance on determination of levels of IT application at health facilities.
2. This Circular applies to health facilities that have been issued with the operation license in accordance with regulations of the Law on Medical Examination and Treatment.
Article 2. Definitions
For the purposes of this Circular, the terms below shall be construed as follows:
1. “HIS” stands for Hospital Information System.
2. “LIS” stands for Laboratory Information System.
3. “RIS” stands for Radiology Information System.
4. “PACS” stands for Picture Archiving and Communication System.
5. “EMR” stands for Electronic Medical Record.
6. “CDR” stands for Clinical Data Repository.
7. “CDSS” stands for Clinical Decision Support System.
8. “HL7 standard” stands for Health Level 7 Standard, which is an international standard that provides a framework for the management, exchange and integration of electronic health information between health information systems.
9. “HL7 CDA standard” stands for Health Level 7 Clinical Document Architecture, which is an XML-based document that specifies the structure and semantics of clinical data for the purpose of data exchange between interested parties.
10. “CCD” stands for Continuity of Care Document.
11. “DICOM” stands for Digital Imaging Communication in Medicine, which is the international standard to transmit, store, retrieve, print, process and display medical imaging information.
Article 3. Criteria for assessment of IT application at health facilities
There are 08 criteria groups: infrastructure, management software, HIS, RIS-PACS, LIS, non-functional criteria, information confidentiality and security, and EMR that are provided in the Appendix I of this Circular.
Article 4. Rules for determining levels of IT application
1. Levels of IT application at health facilities are determined according to the summary of criteria for determining levels of IT application at health facilities, which are provided in the Appendix II of this Circular.
2. Objectiveness, accuracy and truthfulness must be ensured.
3. A health facility's IT application is classified into a certain level if it fulfills all criteria in that level. If it fails to meet only one criterion of that level, it shall be classified into a lower level.
Article 5. Guidance on determination of levels of IT application
1. According to Articles 3 and 4 of this Circular, the head of the health facility shall decide to make investment within his/her power and issue the decision on determination of levels of IT application at his/her facility. Where necessary, the head of the health facility shall establish a professional council or hire an independent consultancy to determine levels of IT application at his/her facility.
2. The decision on determination of levels of IT application at health facilities shall be sent to its supervisory authority and the Department of Information Technology - Ministry of Health.
3. The head of the health facility shall be responsible to law and its supervisory authority for determination of levels of IT application at his/her facility, and shall re-determine levels of IT application if the supervisory health authority finds that the levels of IT application at the health facility do not conform to the report on levels of IT application.
Article 6. Effect
This Circular takes effect on February 27, 2018.
Article 7. Implementation provisions
1. Departments, General Departments, Ministry Inspectorate and Ministry Office affiliated to the Ministry of Health:
a) The Department of Information Technology shall take charge and cooperate with the Medical Examination and Treatment Administration in directing, providing guidance and inspecting the implementation of this Circular, and publish levels of IT application at health facilities nationwide on its website (http://ehealth.gov.vn).
b) Ministry Office, Ministry Inspectorate, Departments and General Departments affiliated to the Ministry of Health shall cooperate with the Department of Information Technology in performing state management of IT application within their competence.
2. The Department of Health and health supervisory authorities shall direct, provide guidance and inspect the implementation of this Circular within their power, and submit a consolidated report on IT application by the units under their management to the Department of Information Technology - Ministry of Health in December every year.
3. Health facilities shall determine levels of IT application and submit a report thereon (according to the form provided in the Appendix III of this Circular) to the health supervisory authorities. To be specific:
a) The health facility affiliated to the Ministry of Health shall submit the report on levels of IT application to the Department of Information Technology - Ministry of Health.
b) The health facility under the management of the Ministry of National Defense, Ministry of Public Security and Ministry of Transport shall submit the report on levels of IT application to the Medical Department - Ministry of National Defense, the Department of Health - Ministry of Public Security, and the Transport Health Service Administration - Ministry of Transport respectively.
c) The health facility under the management of the Health Department of the province and health facility whose headquarters is located in the province (except for the facilities specified in Points a and b, Clause 3 of Article) shall submit the report on levels of IT application to the Health Department of the area where the health facility is located.
d) In December, an annual report on IT application shall be submitted to the supervisory health authority.
Difficulties that arise during the implementation shall be promptly reported to the Department of Information Technology - Ministry of Health for consideration./.
For the Minister
The Deputy Minister
Le Quang Cuong
APPENDIX I
CRITERIA FOR ASSESSMENT OF IT APPLICATION AT HEALTH FACILITIES
(Enclosed with the Circular No. 54/2017/TT-BYT dated December 29, 2017 of the Minister of Health)
I. Infrastructure group
No. | Criteria | Level |
1 | Computers that must satisfy requirements for IT application | Level 1 |
2 | Local area network (LAN) |
3 | Internet routing |
4 | Dedicated server (application server/database server) | Level 2 |
5 | Server room (fire protection and fighting equipment, temperature and humidity monitoring equipment, access control equipment) |
6 | Supported system software (operating system, database management system) (except for open-source software) |
7 | Firewalls |
8 | Storage devices (storage servers or external storage devices) | Level 3 |
9 | Barcode reader |
10 | Barcode printer |
11 | Storage systems (SAN or NAS) | Level 4 |
12 | Queue management system |
13 | Queue information display |
14 | Electronic notice board (hospital news, health service prices, etc.) | Level 5 |
15 | Mobile devices (tablets, smart phones) | Level 6 |
16 | Hospital surveillance cameras |
17 | Wireless LAN |
18 | Information kiosks (provide information about hospital and medical examination and treatment for patients and their family) | Level 7 |
19 | Hospital network monitoring software |
II. Software management group
No. | Criteria | Levels |
20 | Finance - accounting management | Basic level |
21 | Asset and equipment management |
22 | Human resource management |
23 | Document management | Advanced level |
24 | Health activities direction |
25 | Website |
26 | Internal email |
27 | Training management |
28 | Scientific research management |
29 | Hospital quality management |
III. HIS group
No. | Criteria | Levels |
30 | System administration (User management, configuration management) | Level 1 |
31 | Shared list management |
32 | Receipt of applications for medical examination and treatment |
33 | Outpatient examination and treatment management |
34 | Pharmacy management (drug information) |
35 | Hospital fee management and health insurance premium payment |
36 | Connection to systems of social security offices for payment and settlement of health insurance premiums (XML file) |
37 | Clinical and subclinical indication management | Level 2 |
38 | Subclinical result management |
39 | Inpatient treatment management | Level 3 |
40 | Patient room and bed management |
41 | Patient catering management |
42 | Statistical report |
43 | Physical examination management |
44 | Automatic queue management | Level 4 |
45 | Chemical, consumable and hospital pharmacy management |
46 | Medical equipment management |
47 | Connected basic PACS |
48 | Emergency department/room management | Level 5 |
49 | Operating theater management |
50 | Appointment and follow-up appointment management |
51 | Blood bank management (if any) |
52 | Electronic card-based patient management |
53 | Drug interaction/drug management | Level 6 |
54 | Treatment guidelines management |
55 | Nutrition management |
56 | Prescription, subclinical indication and return of subclinical results through tablets and smart phones |
57 | Professional technical procedure management | Level 7 |
58 | Electronic medical record management |
59 | Voice recognition application accelerating EMR adoption |
60 | Information search (information kiosks) |
61 | Electronic hospital fee payment |
IV. RIS-PACS group
No. | Criteria | Levels |
62 | System administration | Basic level |
63 | PACS server configuration |
64 | PACS workstation configuration |
65 | Indication management |
66 | Management of list of indicated patients |
67 | 2D interface to common medical imaging equipment (CT, MRI, X-ray, DSA, ultrasonography machine) |
68 | Interface to HIS: - RIS receives information from the HIS, RIS transmits the information to the imaging equipment according to HL7 standard; - PACS receives pathological images from the doctor's workstation; - PACS converts DICOM pathological images to JPEG format and transfers them to the RIS, RIS transfers JPEG pathological images to the HIS for archiving to complete medical records; - 2D interconnection between PACS and HIS is established for patient imaging (which means if there is any change to PACS, HIS also undergoes such change and vice versa) |
69 | Imaging result management |
70 | HL7 message and DICOM standard support |
71 | Measurement |
72 | 2D image processing |
73 | 3D image processing |
74 | Exporting DICOM images to CD/DVD using DICOM image viewer or provision of a link to images on website. |
75 | Exporting statistical report |
76 | DICOM image editing and processing | Advanced level |
77 | JPEG 2000 image compression |
78 | DICOM Web Viewer |
79 | Multi-site imaging over the Internet (with mobile device support, such as smart phones and tablets) |
V. LIS group
No. | Criteria | Levels |
80 | System administration | Basic level |
81 | List management |
82 | Laboratory indication management |
83 | Laboratory test result management |
84 | Connection of laboratory information system (issue an order and receive laboratory test results from the laboratory information system) |
85 | Statistical report |
86 | Laboratory specimen management | Advanced level |
87 | Laboratory chemical management |
88 | Interconnection to HIS (receive information from HIS and synchronize laboratory test results with HIS) |
89 | Setting threshold alarms |
VI. Non-functional criteria group
No. | Criteria | Levels | | |
90 | Availability | Easy to understand/use | Basic level | | |
Simple system installation and management | | |
Interface friendly and suitable for existing professional operation procedures | | |
91 | Stability | Output is accurate | | |
The system has an average of less than 10 errors per month for 3 first months of operation. Less than 10 errors per year for 3 next years of operation and less than 3 errors per year for the next years of operation (errors that stop/damage the system) | | |
The average time between two errors must be greater than 4 hours. | | |
92 | Performance | Ability to meet 90% of total online officials | | |
Acceptable processing time (data search, statistical report exporting) | | |
93 | Supportability | Training shall be provided for end users working within the system | | |
Supports should be provided within a maximum of 12 working hours. | | |
94 | Error logging mechanism | Logging all user actions within the system, storing them on the server as the basis for analysis of errors or action process when necessary. | | |
Imposing regulations on logging of errors and error handling process, especially the errors related to security and confidentiality over testing. | | |
95 | Warranty and maintenance | The system is covered by at least a year's warranty | | |
96 | User guide | Providing user documents: system user guide, documents describing system’s professional operations | | |
Providing system administration documents: system installation guide, error code and error handling documents, system operations manual | | |
97 | Personnel | There must be IT officials or IT team. | | |
98 | User support | Remote support. | | |
99 | System development technology | Using popular database systems, giving priority to the database system capable of storing big data | Advanced level | | |
Making use of service-oriented programming and technologies to provide flexibility in selecting technology, platform, providers and users for SOA model | | |
100 | Modularity | The system is divided into independent modules and is capable of adding/removing specific functional modules in a flexible manner without affecting accuracy and operations of entire system. | | |
101 | Availability | Allowing remote access to system through a web browser (popular web browser support, such as Chrome, IE, Mozilla Firefox, etc.) | | |
102 | Stability | Acceptable error is the error that does not seriously damage the system and can be recovered in less than 5 minutes, but there must not be 10 errors per month during operation. | | |
Upon occurrence of a breakdown that suspends operation of the system, the system should recover 70% and 100% of energy within 1 hour and 24 hours respectively. | | |
103 | Supportability | The system is provided with support 24/24. | | |
104 | Receipt, response to and handling of errors | Errors are received and responded to in less than 24 hours. | | |
System errors are handled in less than 48 hours. | | |
Instructions for data error handling are provided in less than 72 hours. | | |
105 | Performance | The system should serve all online officials. | | |
The system is accessed in real time. Response tasks shall be performed in less than 10 seconds. | | |
106 | Reliability | 24/7 online system | | |
Error tolerance | | |
Recoverability | | |
107 | Connection and interconnection | Connecting and sharing data with the health insurance information assessment system data gateway | | |
108 | Connection and interconnection to other information systems | Connecting and sharing data between HIS, LIS, PACS and EMR software and other health information systems | | |
109 | Application of applicable standards | Applying national or international standards (HL7, HL7 CDA, DICOM, ICD-10, etc.) | | |
110 | Copyright | Commercial or open-source software | | |
Licensed software with manufacturer's patches | | |
111 | Software monitoring and updating mechanism | Providing all tools for system operation, monitoring and alarming | | |
All warnings/error/logs shall be categorized/filtered for easy monitoring | | |
System, process and user actions shall be logged | | |
Automatic software update mechanism shall be available. | | |
112 | Personnel | IT Department (comply with regulations of the Circular No. 53/2014/TT-BYT) | | |
113 | User support | Direct user support | | |
Online user support (fixed 24/24 support phone number) | | |
VII. Information confidentiality and security
No. | Criteria | Levels | | |
114 | Control of user’s access to system | Authentication management | Basic level | | |
Session management | | |
User privilege granting | | |
Input control | | |
Output control | | |
Exception control and application logging | | |
115 | Control of user’s access to database | Establishing an account and safe privilege granting policy | | |
Configuring valid IP address restrictions and logging database management system | | |
116 | Actions logging | Data update and data exploitation must be logged | | |
The system shall provide an action history searching function | | |
117 | Antivirus software | Virus database shall be updated on a regular basis. | | |
118 | Copy protection mechanism | Physical storage devices must be prevented from copying data (USB, portable hard drives) | | |
Copy protection software must be installed. | | |
119 | Intrusion prevention system | There must be a dedicated firewall that separates Internet zones, application servers and internal Internet users. Unauthorized intrusions must be prevented. | Advanced level | | |
120 | Regulations on periodic dissemination and instructions for virus prevention measures | Periodic scanning and prevention of malware within the system | | |
121 | Data backup and recovery system | An appropriate plan for backup and recovery shall be formulated. Daily backup is required. | | |
122 | Data/information encryption method | Important or sensitive data can be encrypted by using anti-hacking techniques | | |
The management system shall be provided with a data decryption key. | | |
The user can decrypt data if provided with a data decryption key. | | |
123 | User password encryption method | User password must be encrypted using hash, salt (MD5, SHA) techniques. | | |
124 | Plans for incident prevention and handling | Tests shall be designed to simulate the cyber attack, thereby taking measures for information security incident prevention and handling | | |
125 | Information security procedures | Establishing procedures and regulations to be followed by users and administrators upon receipt and operation of system to strengthen security of the system | | |
126 | Anti-DOS and DDOS attack mechanism | Establishing an anti denial-of-service attack mechanism | | |
127 | Mechanism for issuing warnings about targeted attack on systems of providing services over the Internet | | | |
128 | Integration of digital signatures | | | |
VIII. EMR group
No. | Criteria | Levels |
Provision of healthcare services | Basic level |
129 | Management of information on patient past medical history | |
130 | Management of clinical documents |
131 | Indications management |
132 | Subclinical result management |
133 | Treatment management |
134 | Prescription drugs delivered to patients |
Administrative information management | |
135 | Doctor, pharmacist and health worker management | |
136 | Management and synchronization of patient demographics |
137 | Management of connection and interaction with other hospital information systems |
Medical record management | Advanced level |
138 | Management of medical records within the time limit specified in the Law on Medical Examination and Treatment |
139 | Medical record synchronization |
140 | Storage and recovery of medical records |
Information infrastructure management |
141 | System security |
142 | Inspection and supervision |
143 | Management of shared internal lists and standards |
144 | Management of connection and interconnection according to standards (exporting electronic medical records according to HL7 CDA, CCD) |
145 | Management of professional rules for performing actions on medical records |
146 | Database backup, storage and recovery |
APPENDIX II
SUMMARY OF CRITERIA FOR ASSESSMENT OF LEVELS OF IT APPLICATION AT HEALTH FACILITIES
(Enclosed with the Circular No. 54/2017/TT-BYT dated December 29, 2017 of the Minister of Health)
Levels | Criteria |
1 | - Infrastructure satisfies level 1; - HIS satisfies level 1; - Access to electronic patient information is allowed. |
2 | Level 1 and the following requirements must be satisfied: - Infrastructure satisfies level 2; - HIS satisfies level 2; - Non-functional criteria satisfy basic level; - Information confidentiality and security satisfies basic level; - A centralized clinical data repository must be established, including shared list, pharmacy information, indications and clinical laboratory test results (if any); - Information/data (in existing CDR) must be shared between interested parties involved in patient care. |
3 | Level 2 and the following requirements must be satisfied: - Infrastructure satisfies level 3; - HIS satisfies level 3; - LIS satisfies basic level; - Operations management satisfies basic level; - Electronic records, including vital signs (pulse, body temperature, blood pressure), nursing documentation, information on medical procedures/techniques/ surgical procedures shall be stored in CDR; - Clinical symptoms and electronic prescribing: + The clinical decision support system level 1 supports electronic prescribing (new prescription and prescription renewal); + Drug information must be available in the CDSS support network environment. |
4 | Level 3 and the following requirements must be satisfied: - Infrastructure satisfies level 4; - HIS satisfies level 4; - LIS satisfies basic level; - PACS satisfies basic level, allowing doctors to access medical images outside the diagnostic imaging department; - Doctors give indications electronically; - All indications of inpatient services must be managed. |
5 | Level 4 and the following requirements must be satisfied: - Infrastructure satisfies level 5; - HIS satisfies level 5; - PACS satisfies advanced level and replaces all films. |
6 | Level 6 (smart hospital) includes the following criteria: - Level 5 is satisfied; - Infrastructure satisfies level 6; - HIS satisfies level 6; - EMR satisfies basic level; - Operations management satisfies advanced level; - Non-functional criteria satisfy advanced level; - Information confidentiality and security satisfies advanced level; - CDSS level 2 supports treatment procedures/guidelines according to evidence (health and pharmaceutical alerts): + CDSS supports drug interaction/drug checking; + Rules for checking and detecting initial errors in indication or prescribing must be available. - Doctors and nurses’ records including progress notes, consultation notes, problem list, discharge summary must be digitalized. - Drugs must be managed according to a closed procedure. Bar code or other technologies shall be used for automatic identification (such as RFID), delivery of drugs at patient bed. Automatic identification technology, such as drug package and patient ID barcode scanning shall be used. |
7 | Level 7 (hospitals do not need to use physical medical records if relevant regulations of law are satisfied) includes the following criteria: - Level 6 is satisfied; - Infrastructure satisfies level 7; - HIS satisfies level 7; - EMR satisfies advanced level; - CDSS level 3 provides guidance on doctors’ activities related to treatment guidelines and results according to appropriate custom alerts; - Data analysis forms shall be used for CDR to improve healthcare service quality, safety of patients and effectiveness in healthcare; - Clinical information shall be always available for the sharing by entities competent to treat patients through standard electronic transactions (HL7, HL7 CDA, CCD); - Hospital service data (inpatient, outpatient, emergency, consultation centers, etc.) shall be continuously exported. |