What audit-trail requirements does NEN 7510 set for patient records?
NEN 7510 asks that every access to patient data be traceable to a natural person, with logging of view, change and export. The goal is to detect misuse and to evidence what happened to records.
Try this first
- 1Turn on logging in the EHR for view, edit, export, print and share. Anonymous or shared accounts have to go, otherwise the logs are worthless.
- 2Keep logs long enough to support sampling reviews. Confirm the right retention via the NEN 7510 text and your internal risk analysis, not by heart.
- 3Build in periodic log review. A monthly random sample focused on flagged views (own family, public figures, ex-colleagues) is common practice.
- 4Secure the logs themselves. Read-only storage, restricted access, and logging on who consults the logs.
- 5Document the process. Who reviews, how often, which escalation on suspicion, and how you inform subjects when their record was viewed unlawfully.
When to bring us in
Suspected unlawful access or a breach involving patient data demands immediate notice to the DPA, the DPO and possibly IGJ. Call in support.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2?Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.