Special Authority – electronic (ESA) is an application process in which a prescriber requests government subsidy on a Community Pharmaceutical for a particular person.
Once approved the prescriber is provided a Special Authority number which must appear on the prescription. The authority number can provide access to subsidy, increased subsidy, or waive certain restrictions otherwise present on the Community Pharmaceutical.
Reference: PHARMAC Pharmaceutical Schedule
Registering for the ESA system
You can register your interest with the Sector Operations On-Line team. Either call them on 0800 505 125, or e-mail them at firstname.lastname@example.org. Once your enquiry has been recorded you will be sent an information pack containing the relevant registration/approval forms.
Why do I need to register for the ESA system?
Our primary concern in the registration process is to ensure only the people who are entitled to access sensitive patient data can actually do so, and that they do so in a secure manner.
The registration process checks you are a valid health sector participant, and checks you and your organisation meet the necessary security requirements, ie, Health Intranet connectivity, digital certificate(s), and NHI access.
How long will the registration process take?
The registration process will vary in duration depending on the number of approvals already in place at the practice or organisation seeking registration. Approvals are required for:
- Health Intranet
- Digital certificate(s)
- NHI access (not required for pharmacy enquiry).
If all of these approvals are already in place then the registration process will take just one or two days. If any of the above approvals are not already in place, the registration process may take two to four weeks.
Who do I contact if I need help filling in the forms?
Costs and requirements
Are there any charges for using this system?
There are no charges imposed by Sector Operations, the Ministry of Health or PHARMAC for using the ESA system.
There are no charges imposed for becoming approved for Health Intranet access, although there will be charges imposed to access a Health Intranet-approved network (typically in addition to the normal ISP charges). Healthlink and Spark NZ currently operate Health Intranet-approved networks.
What is the cost of the digital certificates and how often do I need to renew these?
Digital certificates are issued for a period of one year, after which they must be re-issued. The charge for a HealthSecure digital certificate is approximately $100 for the initial certificate and then approximately $80 for subsequent re-issues.
What system requirements do I need to utilise the ESA system?
You may access the ESA system from any PC, as long as your practice or organisation has the following:
- Computer – The ESA system has been successfully used with both MAC’s and PC’s running with Microsoft Windows
- Health Intranet connection – Your practice or organisation must be approved by the Health Intranet Governance Board and must connect to the ESA system via a Health Intranet-approved network
- Digital certificate – All users of the ESA system must use an individual HealthSecure digital certificate
- Web Browser – Your web browser must be capable of supporting 128-bit encryption. If this is not the case, then your connection will not be accepted by the ESA system. In this case, the browser should be upgraded to the most recent version.
The ESA system has been validated using Microsoft Internet Explorer 6. Other browsers may run successfully, however Sector Operations makes no guarantees in this regard.
Do I have to have a stand-alone computer in my practice to use ESA system?
There is no technical reason why a networked computer cannot be used to access the ESA system. However, depending on your practice or organisation’s security policy, there may be a requirement that only stand-alone computers can be used to access external systems. You should ask your local IT support people for clarification.
How is my practice protected from viruses?
Whether your computer is configured as stand-alone PC, or in a local network, adequate virus checking and firewall software should be used to protect your organisation and other organisations from malicious software and intruders. Indeed, the Health Intranet security policies mandate these requirements.
Are there any security risks in using this system?
There are security risks with any system, whether electronic or paper-based. However Sector Operations has made considerable effort to ensure that all ESA transactions are as secure as is reasonably possible. The steps taken include:
- Health Intranet – Sector Operations’s ESA system may only be accessed via a Health Intranet-approved network. Both dial-up and broadband connections are available over the Health Intranet. Spark New Zealand, and Healthlink are operating Health Intranet-approved networks.
- Digital certificates – All users of the ESA system must use an approved HealthSecure digital certificate. Digital certificates provide the necessary authentication – they prove that you are actually who you claim to be.
- The digital certificate application process may be initiated by contacting the Sector Operations On-Line team on 0800 505 125, or the Health Sector Registration Authority on 0800 117 590 or at email@example.com.
- Digital certificates should be treated in the same way you treat your passport (ie, they should not be shared with, or used by, other people. In particular, your certificate’s password should be carefully protected.
- Encryption – All communication to and from your computer and the Special Authority web site is encrypted to assure confidentiality of all data sent and received. The secure messaging (128-bit data encryption) uses technology called Secure Sockets Layer (SSL).
- To check if a SSL secure connection has been established, look for the padlock symbol at the bottom of your browser window. Double click on the padlock symbol to view the details of the Sector Operations digital certificate – if it’s issued to xxxx.moh.govt.nz then you are connected to the correct web server. (This does not apply to the Medtech Users)
- Firewalls – The ESA systems reside behind two firewalls. Only recognised users on recognised networks can access these systems.
- Dongles – A dongle is a device that can allow doctors to have a digital certificate attached to their laptops. The digital certificate is loaded into the dongle, and the dongle is attached via a USB port onto the doctor’s laptop. If a doctor wishes to use a laptop, then a dongle is mandatory. To find out more information on dongles, contact Healthlink on 0800 288 887.
- User registration – All users of the ESA system must be registered with Sector Operations. This ensures that only those people eligible are allowed to use the ESA system.
- Audit trails – All Special Authority transactions entered on the ESA system are captured for statistical and audit purposes.
What steps have been taken to ensure confidentiality of patient data?
Confidentiality of patient information is extremely important to Sector Operations. In order to ensure that the ESA system complies with the Health Information Privacy Code, Sector Operations commissioned an independent privacy impact assessment that examined the system in relation to the 12 rules of the Health Information Privacy Code.
As a result of this assessment some changes have been made to the system that better protect confidentiality of patient information.
The privacy impact assessment report states:
The overall objective of this report is to provide you with a comprehensive and objective assessment of the affect on privacy that the online special authorities project will have compared with the current manual system, and to suggest ways in which those affects (if any) can be mitigated.
The independence of the process of assessment has been an important feature. You have not sought to exclude relevant areas of enquiry from my review, nor have you attempted to influence the recommendations I have made. During the process of preparing this assessment I have identified several aspects of the system that could have been improved from a privacy perspective. These have been improved.
The Letter of Audit
All users are required to sign a Letter of Audit before becoming a registered user. As a user of the ESA System, applications may be audited against the application criteria set out in PHARMAC’s Pharmaceutical Schedule. Any audit would be carried out by Audit and Compliance and would be done in line with the agreed protocols between Audit and Compliance and the New Zealand Medical Association (NZMA).
The ESA system will normally be available 24 hours a day, seven days a week. Occasionally the system will need to be taken down for maintenance purposes – this will typically be out of normal working hours. In the event of an extended outage you will be notified by e-mail.
How will I know if the ESA system is not available?
In the event of an extended outage of the ESA system, the Sector Operations On-Line team will contact you by e-mail to let you know of the outage and how long it is likely to last.
Once the outage is over and the service has been resumed the team will notify you of this, again by e-mail.
Sending through applications
Can I still fax through my applications as before if I choose to?
Yes. There is no intention currently to withdraw paper-based Special Authority applications.
Can I still contact the Sector Operations Special Authority team for queries if required?
Yes. Call them on 0800 243 666.
How soon will I know if the application has been approved or declined?
When submitting an ESA application a response will be returned after a few seconds.
What do I need to do if the application declines?
As currently happens with paper-based applications, you can either accept the decline, or if you feel an error was made during one of the steps you may re-apply for the Special Authority. Re-applications on the ESA system can be carried out immediately after receiving the decline notification.
Will I receive confirmation from Sector Operations that this number has been approved?
The approval (or decline) details will appear on your screen after you have submitted the Special Authority application. Sector Operations recommends that you print the approval details and file with your patient’s notes for future reference, as no letters will be sent from the Sector Operations office.
Who do I contact if I have problems or errors processing the application?
Will the patient receive any confirmation regarding their approval number?
No letter will be sent to the patient informing them of the approval. It will be up to the patient’s doctor to inform them of their approval details.
If I make an error processing applications, how quickly am I notified of this?
You will be notified once you submit your Special Authority application (ie, you have completed the last step in the application process). This type of error will result in your Special Authority application being declined. In this case, you must re-enter the correct application details before an approval will be given.
If there is a system problem, when processing applications, how quickly will these be resolved by your support team?
The time required to resolve system problems will vary depending on the nature of the problem. If the problem is unable to be resolved by the Sector Operations On-Line team, details of the problem will be passed to technical support personnel who will investigate the problem as soon as possible. You will be kept up to date via e-mail of any changes in the status of the problem.
Could I still apply by using the paper version, or can I apply over the phone or by fax, especially if they are required in a hurry?
Paper-based applications may still be submitted by mail or by fax. Applications by telephone will not be accepted.
Are any paper copies of electronic applications kept by Sector Operations?
No. However Sector Operations has the ability to view any ESA application should an enquiry be made on the application.
What do I do if I don’t agree with the criteria that are applied to a Special Authority?
The Pharmaceutical Management Agency (PHARMAC) is responsible for setting the criteria for each Special Authority medicine (Sector Operations operates the Special Authority system on PHARMAC’s behalf). If you disagree with, have an issue with, or just don’t understand, a medicine’s Special Authority criteria, then you should contact PHARMAC on 0800 66 00 50.
A digital certificate is like an electronic passport that is used to ensure that electronic communications can be carried out securely.
A digital certificate is an electronic document that contains identity details of the holder, including name, location and e-mail address, and also contains what are known as ‘security keys’. There are two security keys in a certificate: the ‘public key’ (made freely available to other people or organisations) and the matching ‘private key’ (which only you have). If I send you encrypted information, I will do so by using your public key. You will decrypt the information using your private key.
The identity details in a digital certificate are used to prove that the holder is who they say they are, whilst the ‘public key’ is used to encrypt information to ensure that it remains confidential.
A holder’s digital certificate is freely distributed to other people or organisations to prove their identity and to be able to undertake confidential communications. The holder's corresponding ‘private key’ file must be kept completely confidential.
A trusted third party, usually known as a Certificate Authority, digitally signs the document and issues the security keys. This digital signature not only ‘certifies’ that the details in the Digital Certificate are correct, but also ensures that they cannot be changed without this being detected.
Why do I need a digital certificate?
A digital certificate ensures that messages or documents sent by you over the internet will remain completely confidential even if somehow the data is intercepted. It is also important to ensure that it really is you who sent the message rather than somebody posing as you. As indicated above, digital certificates provide a reliable and robust means to meet both of these requirements.
With digital certificates, not only is it necessary to have a password to activate a ‘private key’, it is also necessary to be physically in possession of the ‘private key’ file. The ‘private key’ is a very long number that is itself stored in an encrypted file (or possibly on a smart card). It does not have to be remembered and is never typed out or written down, and is therefore not exposed to eavesdropping or guessing.
Most importantly, authentication using a ‘private key’ is not exposed to a so-called ‘replay attack’. A replay attack can occur where a user name and password, even if encrypted, can be recorded by somebody intercepting a message and then playing it back later to provide false authentication.
How are digital certificates issued?
Again, using the analogy of a digital passport, it is essential that the identity details in a digital certificate are absolutely correct and that they have been issued by the proper source.
For Health Intranet purposes the ‘passport office’ is the New Zealand Health and Disability Sector Registration Authority (NZHSRA).
To apply for a certificate you should contact the Sector Operations Special Authority team on 0800 505 125. Alternatively, registration forms are available by e mailing the NZHSRA at firstname.lastname@example.org.
Once your application has been approved it will be passed to the certificate authority who will issue the certificate. You will be sent your digital certificate via courier on floppy disk or CD-ROM, together with installation instructions.
How long do digital certificates last for?
HealthSecure digital certificates, as required for the ESA system, are currently issued for a period of one year. You will need to re-apply for your certificate before the expiry date in order to have uninterrupted access to the ESA system.
If I upgrade or change my computer system, do I need to purchase new digital certificates?
No. But you will need to reinstall your original certificate (which should always be kept in a safe place) on your new PC. If you cannot locate the CD-ROM that the digital certificate was originally issued on, please contact the Sector Operations Special Authorities support team on 0800 505 125, or the Health Sector Registration Authority on 0800 117 590 or at email@example.com so that your certificate may be re-issued.
Can I use my digital certificate on more than one PC or do I need to purchase a separate digital certificate for each PC I use?
Your digital certificate identifies ‘you’, so you only need to purchase a single digital certificate. You should load your digital certificate on each of the PCs that you will be using to access the ESA system.
If there are several people in your practice or organisation this may mean that there is more than one digital certificate loaded on some PCs. In this case, you will be asked which certificate to use each time you access the ESA system.
Where do I send my applications?
Send all completed applications to:
179 St Hill Street
Private Bag 3015
Whanganui Mail Centre
Please note: you should not rely solely on the answers provided here; the contracts applicable to each provider and all relevant legislation must be consulted to determine the full rights & liabilities applicable to any service provider or funder.