The role of Iceland Health is to consider the mechanism of the healthcare system and ensure access to healthcare for all.

• Ensuring aid for health, regardless of economy

• Promoting the operational and macroeconomic viability of healthcare

• Sometimes proactive and professional buying of healthcare and promoting transparency on quality, performance and costs

The Icelandic Health Insurance Information Security Policy describes emphasis on the protection of data and information systems as well as security of information processing. The strategy is the cornerstone of the Information Security Management System and in context of ISO 27001:2013 information security standard.

The Icelandic Health Insurance Information Security Administration system covers the hardware, software, services, processes, personnel and premises necessary to maintain an acceptable level of service for the Icelandic Health Insurance business, consumers and healthcare providers. The Icelandic Health insurance is committed to continuous improvement of the information security management system and review in order to achieve policy objectives.

Data, information systems and communication channels shall be secure, reliable, available and accessible only to those with appropriate rights. Information security management is an essential means of reducing operational risk and minimizing the risk of damage caused by incidents that may affect the operations of the Health Insurance.

The information security policy supports continuous operations and services and optimizes the security of data and information systems owned and managed by the Health Insurance Administration. All changes to information technology infrastructure are managed through a formal change management process. Event registration is logged and periodically reviewed.

The information security policy is binding on the staff of the Icelandic Health Insurance Administration. The policy includes a commitment to protect data and information systems from unauthorized access, use, alteration, disclosure, destruction, loss and/or transfer.

Approved by the Icelandic Health Insurance Executive on 31 August 2021.

Risk Management Policy of the Iceland Health

Risk management at Iceland Health takes into account the statutory role of the organization and supports safe, efficient, and transparent services. The role of risk management is to:

• Support the statutory role

  • Ensure that risk management is an integral part of daily operations and supports the fulfillment of legal obligations.

• Ensure responsible management of funds

  • Promote transparent and efficient use of public funds.

• Maintain efficient processes

  • Establish and maintain regular processes to identify, assess, and monitor risk.

• Reduce residual risk

  • Ensure that there are processes in place to reduce risks that may, among other things, affect the efficiency and utilization of public funds, the quality of services, and public trust.

• Ensure active internal oversight

  • Identify deviations, improve processes, and ensure continuous improvements.

• Identify, prevent, and respond to fraud risk

  • The institution commits to identifying, preventing, and responding to fraud risk through regular risk assessments, the implementation of safeguards and monitoring systems, staff training, and a clear response procedure in the event of suspected fraud.

• Support Iceland Health Service Policy

  • Support the objectives of the service policy and ensure systematic monitoring.

• Ensure data quality

  • Promote data-driven, professional, and transparent decision-making.

• Strengthen response capacity

  • Strengthen the institution's capacity to respond to changes in regulations, the environment, and service needs.

• Integrating risk management with strategic planning

  • Ensure that risk management is an integral part of strategy development, planning, and decision-making at all levels.

• Strengthen risk management culture

  • Promote the understanding of risk factors among staff and hold them accountable for mitigating risks within their area of responsibility.

With this policy, Iceland Health ensures responsible and transparent governance, where risks are addressed through targeted actions and clear processes in a systematic and coordinated manner. Risk management is thus an integral part of providing safe, efficient, and consistent services for all users of healthcare services, guided by the values of Iceland Health: service, respect, and innovation.

The quality policy of Iceland Health applies to all activities of the institution and serves as a guiding principle in daily operations. Its goal is to ensure professional, efficient, and reliable service to individuals and partners, in accordance with laws, regulations, and good administrative practices.

Staff shall be familiar with the quality policy and quality manual of Iceland Health and conduct their work in accordance with them. Staff actively participate in quality work and commit to performing their duties with professionalism, integrity, and impartiality, maintaining confidentiality and ensuring that the quality and efficiency of all tasks are as high as possible.

The management of Iceland Health ensures sufficient and appropriate resources—whether technical or in the form of human resources—to carry out statutory tasks. They also ensure that staff receive the training and continuing education necessary to meet the requirements and developments of the operations.

Procedures and decision-making shall always be conducted in a reliable, correct, efficient, and impartial manner, in accordance with applicable laws, regulations, and data protection considerations.

The quality policy also serves as a guiding principle in the procurement policy of Iceland Health and in agreements with healthcare service providers, suppliers, and partners. All such agreements must take into account the institution's quality requirements.

Iceland Health places emphasis on continuous and targeted improvements to the quality and information security management system, in accordance with relevant standards, to ensure that the system supports the organization's objectives and serves its operations in the best possible way.

Approved by the Icelandic Health Insurance Executive on 18 November 2025

The IT policy of Icelandic Health Insurance describes a focus on the operation and service of information systems and their infrastructure with the aim of creating a positive business enabler for all the operations of the Health Insurance. The IT organizational unit is responsible for the implementation of policy objectives with a focus on providing efficient and professional services to support processes that use information technology for the resolution of projects.

Iceland Health seeks to use standard software solutions that meet the requirements for functionality, integration with other solutions and safety in all its activities. Solutions, and their service providers, shall be evaluated and selected with the help of the Icelandic Health Insurance Administration, and the most suitable solutions shall be chosen at any given time. Health insurance shall manage collaboration with software solutions providers on project progression and change through formal and active supplier management. Efforts shall be made to have more suppliers, but fewer, at any given time to spread risk. In cases where the Health Insurance needs to create its own software solutions, whether as a whole system and/or integration between systems, the Icelandic Health Insurance shall manage the journey and carry out as much of the task as possible with its own people, albeit in good cooperation with the suppliers involved. The software formulation shall be based on the best practices in each instance, and an effort shall be made to use the latest technology to minimize future technical debt. The objective of the software development is to replace older software solutions.

Iceland Health is collaborating with public bodies to use a coordinated platform on electronic services and electronic data dissemination. It is important that consumers and healthcare providers should be able to submit applications and/or data electronically and that all processes should be fully electronic in order to reduce redress time and reduce administrative costs.

Information systems users are provided with information and education by health insurance employees to coordinate their work methods and to meet defined service levels. The goal of services for users is to ensure that they are able to use the systems and infrastructure that the Health Insurance operates in an efficient manner.

Icelandic Health insurance seeks to host systems and their infrastructure with the aim of offering regular out-of-pocket services and operations to ensure both quality and the highest standards of benefits for Health Insurance policy makers.

The IT policy is binding on the staff of the Icelandic Health Insurance Administration. The strategy includes a commitment to the parties to operate and service information systems in an efficient, secure and efficient manner. Information security is further discussed in information security policy.

Approved by the Icelandic Health Insurance Executive on 31 August 2021.

It is the policy of the Icelandic Health Insurance that all staff enjoy equal pay and the same terms for equal work and that there is no insubstantial wage differential. Furthermore, all staff are guaranteed equal opportunities for employment, responsibility, pay, promotion, continuing education and vocational training.

To this end, the Institute undertakes to introduce and maintain an equal pay system that includes all staff. The equal pay system implies that all wage decisions are transparent, documented and based on objective criteria. The Institute also undertakes to continuously improve the management of the equal pay system in accordance with the requirements of the Standard ÍST 85:2012.

The director is responsible for the Institute's equal pay system and for ensuring that it complies with the Gender Equal Status and Equal Rights Act, No. 150/2020. The human resources manager is the representative of the management concerning the equal pay system of the institution and is responsible for the implementation and maintenance of the system in accordance with the standard ÍST 85:2012.

The introduction and maintenance of a certified equal pay system, in accordance with applicable laws and regulations, by the Icelandic Health Insurance Administration, includes: a.

• Implementation of an annual wage analysis comparing work of equal value to check whether gender-based wage differentials exist and that results are presented to the staff.

• The setting of equal pay objectives, which are reviewed annually with reference to the results of wage analysis.

• Continuous improvement and monitoring of the equal pay system and the response to unexplained wage differences and to the deviations that emerge from internal audits and management reviews of the system.

• Posting of the equal pay policy on the internal website and regular publicity of the policy to all staff.

The equal pay policy is also accessible to the public on the website of the Institute.

The aim of the Iceland Health is to be a model in climate change by systematically reducing the amount of greenhouse gas emissions from its activities. The Iceland Health wants to contribute to the achievement of the government’s goals, in relation to the Paris Agreement, and thus play an active role in the fight against climate change. By 2030, the Icelandic Health will reduce its greenhouse gas emissions by a total of 40% compared to 2017.

The policy covers all activities of the Iceland Health, operations, transport, energy consumption, waste generation, environmental education and recovery of assistive devices. Table 1 below contains the steps that the Iceland Health intends to take to reduce the negative environmental impact.

The Iceland Health climate policy is reviewed every year by the steering group of green steps and the goals updated with regard to developments in greenhouse gas emissions between years. Green accounts are submitted annually to the Environment Agency of the United States and taken into account in the assessment of progress. Government policy on climate is taken into account. The policy is approved by the Iceland Health Commission and information on the results of actions is disseminated on the Iceland Health website. Iceland Health will focus primarily on reducing emissions in operations but also carbon offset all remaining emissions by purchasing certified carbon units from 2021 onwards.