iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/TS 17975:2015

(Main)

Health informatics — Principles and data requirements for consent in the Collection, Use or Disclosure of personal health information

Health informatics — Principles and data requirements for consent in the Collection, Use or Disclosure of personal health information

ISO/TS 17975:2015 defines the set of frameworks of consent for the Collection, Use and/or Disclosure of personal information by health care practitioners or organizations that are frequently used to obtain agreement to process the personal health information of subjects of care. This is in order to provide an Informational Consent framework which can be specified and used by individual policy domains (e.g. healthcare organizations, regional health authorities, jurisdictions, countries) as an aid to the consistent management of information in the delivery of health care services and the communication of electronic health records across organizational and jurisdictional boundaries. The scope of application of this Technical Specification is limited to Personal Health Information (PHI) as defined in ISO 27799, "information about an identifiable person that relates to the physical or mental health of the individual, or to provision of health services to the individual. This information might include: - information about the registration of the individual for the provision of health services; - information about payments or eligibility for health care in respect to the individual; - a number, symbol or particular code assigned to an individual to uniquely identify the individual for health purposes; - any information about the individual that is collected in the course of the provision of health services to the individual; - information derived from the testing or examination of a body part or bodily substance; - identification of a person, e.g. a health professional, as a provider of healthcare to the individual." Good practice requirements are specified for each framework of Informational Consent. Adherence to these requirements is intended to ensure any subject of care and any parties that process personal health information that their agreement to do so has been properly obtained and correctly specified. ISO/TS 17975:2015 is intended to be used to inform: - discussion of national or jurisdictional Informational Consent policies; - ways in which individuals and the public are informed about how personal health information is processed within organizations providing health services and health systems; - how to judge the adequacy of the information provided when seeking Informational Consent; - design of both paper and electronic Informational Consent declaration forms; - design of those portions of electronic privacy policy services and security services that regulate access to personal health data; - working practices of organizations and personnel who obtain or comply with consent for processing personal health information. ISO/TS 17975:2015 does not: - address the granting of consent to the delivery of healthcare-related treatment and care. Consent to the delivery of care or treatment has its own specific requirements, and is distinct from Informational Consent. Note that as Consent to Treatment and Care are outside the scope of this Technical Specification, the phrase "informational consent" is hereafter supplanted by the shorter "consent". In every case, it is Informational Consent that is intended; - specify any jurisdiction's legal requirements or regulations relating to consent. The focus is on frameworks, not on jurisdictional legislation or its adequacy in any given jurisdiction. While care has been taken to design the frameworks so that they do not conflict with the legislation in most jurisdictions, they might challenge some existing practices. This Technical Specification uses an approach that allows organizations or jurisdictions to select a subset of those frameworks which best fit their law culture and approach to data sharing; - specify what consent framework is to be applied to a data classification or data purpose as this may vary according to law or policy, although some examples of implementation profiles are provided in an informative Annex; - determine the legal adequacy of the informati

Informatique de santé — Principes et exigences des données pour le consentement dans la collecte, l'utilisation ou la divulagation d'informations de santé personnelles

General Information

Status
Withdrawn
Publication Date
17-Sep-2015
ICS
35.240.80 - IT applications in health care technology
Technical Committee
ISO/TC 215 - Health informatics
Drafting Committee
ISO/TC 215/WG 4 - Security, Safety and Privacy
Current Stage
9599 - Withdrawal of International Standard
Completion Date
02-Nov-2022
Ref Project

Relations

Revised
ISO/TS 17975:2022 - Health informatics — Principles and data requirements for consent in the collection, use or disclosure of personal health information
Effective Date
23-Apr-2020

Buy Standard

ISO/TS 17975:2015 - Health informatics -- Principles and data requirements for consent in the Collection, Use or Disclosure of personal health informationISO/TS 17975:2015 - Health informatics -- Principles and data requirements for consent in the Collection, Use or Disclosure of personal health information
PreviousNext
Technical specification
ISO/TS 17975:2015 - Health informatics -- Principles and data requirements for consent in the Collection, Use or Disclosure of personal health information
English language
34 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


TECHNICAL ISO/TS
SPECIFICATION 17975
First edition
2015-09-15
Health informatics — Principles and
data requirements for consent in
the Collection, Use or Disclosure of
personal health information
Informatique de santé — Principes et exigences des données pour
le consentement dans la collecte, l’utilisation ou la divulagation
d’informations de santé personnelles
Reference number
©
ISO 2015
© ISO 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2015 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 2
3 Terms and definitions . 2
4 Symbols and abbreviated terms . 7
5 Consent requirements . 7
5.1 General . 7
5.2 What is Informational Consent? . 8
5.3 Consent to Treatment versus Informational Consent . 8
5.4 How consent relates to privacy, duty of confidence and to Authorization . 8
5.5 Relationship of consent to OECD Guidelines . 9
5.6 Relationship of consent to legislation . 9
5.7 Expectations and rights of the individual .10
5.8 Consent Directives .10
5.9 Consent is related strongly to Purpose of Use .10
5.10 Consent to Collect and Use versus Consent to Disclose .11
5.11 Consent is applicable to specified data .12
5.12 Consent related to Disclosure .12
5.13 Exceptional access .12
5.14 Challenges associated with obtaining consent .13
6 Consent frameworks .13
6.1 Giving consent meaning .13
6.2 Types of consent .15
6.3 Detailed requirements .16
6.3.1 Express or Expressed (informed) Consent .16
6.3.2 Implied (Informed) Consent .18
6.3.3 No Consent Sought .19
6.3.4 Assumed Consent (Deemed Consent) .20
7 Mechanisms and process: Denial, Opt-in and Opt-out, and Override .21
7.1 Express or Expressed (and Informed) Denial .21
7.2 Opt-in and Opt-out .22
7.2.1 Opt-in .22
7.2.2 Opt-out.22
7.3 Override .22
8 Minimum data requirements .22
Annex A (informative) Consent framework diagrams .24
Annex B (informative) Jurisdictional implementation examples .30
Bibliography .34
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 215, Health informatics.
iv © ISO 2015 – All rights reserved

Introduction
This Technical Specification (TS) defines several frameworks for Informational Consent in healthcare
(i.e. Consent to Collect, Use or Disclose personal health information). These are frequently used by
1)
organizations who wish to obtain agreement from individuals in order to process their personal health
information. Requirements arising from good practices are specified for each framework. Adherence
to these requirements will ensure the individual, as well as the parties who process personal health
information, that consent to do so has been properly obtained and correctly specified. This Technical
Specification covers situations involving Informational Consent in routine healthcare service delivery.
There may be situations involving new and possibly difficult circumstances which are not covered in
detail, but even in these situations the principles herein can still form the basis for potential resolution.
As described in 5.6, none of the frameworks described are legally mandated, and it is important to
note that a jurisdiction’s laws might align with one, some or even none of the frameworks described.
While this Technical Specification seeks to describe what are commonly accepted as the requirements
for a given framework, a jurisdiction’s legal requirements may supersede the requirements described
herein, and so might not permit the requirements as described to be applied absolutely.
In order to align with internationally accepted privacy principles, this Technical Specification is based
on two international agreements. The first is the set of privacy principles specified by the Organization
for Economic Co-operation and Development and known as the OECD Guidelines on the Protection of
Privacy and Transborder Flows of Personal Data. These principles form the basis for legislation in many
jurisdictions, and for policies addressing privacy and data protection. International policy convergence
around these privacy principles has continued since they were first devised. The principles require the
consent of the individual for data processing activities.
The second international agreement used is the Declaration of Helsinki, which is used to define essential
characteristics of best practices in Informational Consent management. The Declaration is a set of
ethical principles regarding human experimentation. It was developed for the medical community by
the World Medical Association (WMA) and is widely regarded as a cornerstone document of human
research ethics. While this agreement applies directly to research on human subjects, it is intimately
related to data processing, and can therefore be readily applied to the detailed requirements for
Informational Consent management. It is important to note that in the context of the Declaration of
Helsinki, the characteristics of Informational Consent were defined and developed over a number of
revisions in order to remain relevant to contemporary society.
This Technical Specification specifies that a record be retained of the set of agreements and constraints
granted via an Informational Consent process, and that the results of that process be made available to
other parties to whom the corresponding personal health information is subsequently disclosed (see
5.10). It also defines a list of essential characteristics that the Informational Consent record should
possess. These characteristics can be represented within information handling policies and used as
part of an automated negotiation between healthcare information systems to regulate processing and
exchange of personal health information.
Interoperability standards and their progressive adoption by e-health programmes expand the
capacity for information systems to capture, use and exchange clinical data. For this to occur on a wide
scale, the majority of decisions regarding the processing of data will need to take place computationally
and automatically. This will in turn require privacy policies to be defined in ways that are themselves
interoperable, so that interactions between heterogeneous systems and services are consistent from a
security perspective and supportive of policy (bridging) decisions regarding the processing of personal
health information.
A list of defined essential characteristics make up the record of the agreements granted via an
Informational Consent process so as to be made available
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEEE 11073-10206:2024(Main)
Health informatics — Device interoperability — Part 10206: Personal health device communication — Abstract content information model
  • Standard
    76 pages
    English language
    sale 15% off
  • Standard
    98 pages
    French language
    sale 15% off
  • Draft
    76 pages
    English language
    sale 15% off
ISO
ISO/TS 9321:2024(Main)
Health informatics — General requirements of multi-centre medical data collaborative analysis

This document outlines the general requirements for conducting a multi-centre medical data collaborative analysis, covering various aspects such as system architecture, data storage, data standardization, collaborative research management and security. The data considered in this standard primarily encompasses electronic health record data for multi-centre collaborative researches, including structured data, medical text data, image data, etc. This standard is applicable to a wide range of individuals and institutions, including developers, maintainers, management personnel, researchers, and data-owning organizations.

  • Technical specification
    18 pages
    English language
    sale 15% off
ISO
ISO/TS 5777:2024(Main)
Health informatics — The architecture of internet healthcare service network

This document provides the architecture of internet healthcare service network, including: — overview of internet healthcare service network; — infrastructure and deployment scheme of internet healthcare service network; — security of internet healthcare service network. This document mainly focuses on the engineering architecture and infrastructure deployment of healthcare information transmission among various healthcare organizations through services, as shown in Figure 1. The implementation of information systems and healthcare services within organizations is demonstrated in Annex A. This document applies to the construction and application of internet healthcare service network.

  • Technical specification
    12 pages
    English language
    sale 15% off
ISO
ISO/TR 6231:2024(Main)
Health informatics — Standardizing graphical content

This document describes the need for standardization of graphics and images in the health informatics domain. It focuses on the current status of adoption and presents an overview of the opportunities as well as challenges in creating sets of standardized images and graphics. A plan of action is proposed to serve as the future roadmap for implementation.

  • Technical report
    17 pages
    English language
    sale 15% off
ISO
ISO 22287:2024(Main)
Health informatics — Workforce roles and capabilities for terminology and terminology services in healthcare (term workforce)

This document specifies the tasks, roles, and key skills, requirements and competencies for personnel involved in terminology services in healthcare organizations. This document specifies: — terminology services in healthcare organizations including the selection, authoring, and deployment and use of terminology subsets, data sets and maps; developing and managing terminology management processes and health information management-related policies; performing terminology business analysis; and supporting the adoption, planning and deployment of terminologies; — workforce needs to perform these services; — job roles in the healthcare organizations and related organizations responsible for performing terminology related tasks; NOTE Examples of these roles include terminologist, terminology standards developer/manager, mapping specialist, data conversion analyst, interface analyst, coding specialist, data developer/designer, data modeller, and content manager [including Clinical Documentation Improvement (CDI) specialist]. — skill and competency level requirements to safely and effectively undertake each task, taking into account the focus of the task from the perspectives of health information and communication technology (HICT), information management, information governance including information privacy and security, clinical practice and healthcare decision making.

  • Standard
    34 pages
    English language
    sale 15% off
ISO
ISO 21549-7:2024(Main)
Health informatics — Patient healthcard data — Part 7: Medication data

This document applies to situations in which such data is recorded on or transported by patient healthcards compliant with the physical dimensions of ID-1 cards defined by ISO/IEC 7810. This document specifies the basic structure of the data contained within the medication data object, but does not specify or mandate particular data sets for storage on devices. The purpose of this document is for cards to provide information to other health professionals and to the patient or its non-professional caregiver. It can also be used to carry a new prescription from the prescriber to the dispenser/pharmacy in the design of its sets. Medication data include the following four components: — medication notes: additional information related to medication and the safe use of medicines by the patient such as medication history, sensitivities and allergies; — medication prescriptions: to carry a new prescription from the prescriber to the dispenser/pharmacy; — medication dispensed: the records of medications dispensed for the patient; — medication references: pointers to other systems that contain information that makes up medication prescription and the authority to dispense. The following topics are beyond the scope of this document: — physical or logical solutions for the practical functioning of particular types of data cards; — how the message is processed further “downstream” of the interface between two systems; — the form which the data takes for use outside the data card, or the way in which such data is visibly represented on the data card or elsewhere. NOTE Not only does the definition of “medicinal products” differ from country to country, but also the same name can relate to entirely different products in some countries. Therefore, it is important to consider the safety of the patient when the card is used across borders. This document describes and defines the Medication data objects used within or referenced by patient-held health data cards using UML, plain text and Abstract Syntax Notation (ASN.1). This document does not describe nor define the common objects defined within ISO 21549-2.

  • Standard
    42 pages
    English language
    sale 15% off
  • Standard
    44 pages
    French language
    sale 15% off
ISO
ISO/TS 5499:2024(Main)
Health informatics — Clinical particulars — Core principles for the harmonization of therapeutic indications terms and identifiers

The objective of this document is to establish common principles for the creation, assessment, selection and maintenance of maps between terminological resources used to describe and code IDMP therapeutic indications for investigational and medicinal products, medical devices, combination products, biologics and companion diagnostics. Core maintenance principles, such as reliability, reproducibility and quality assurance of the maps for future indication terminology use, are also discussed. The intended audience for this document includes: a) Global regulators, pharmaceutical/biopharmaceutical companies, Clinical Research Organizations (CROs) and universities/scientific institutes involved in the development, authorization and marketing of medicinal products b) Implementers of IDMP seeking more information about coding of Therapeutic Indications c) Healthcare providers d) Standards Organizations e) Implementers and software vendors developing and implementing terminology map sets f) Patients

  • Technical specification
    23 pages
    English language
    sale 15% off
ISO
ISO/TS 14265:2024(Main)
Health informatics — Classification of purposes for processing personal health information

This document defines a set of high-level categories of purposes for which personal health information can be processed: collected, used, stored, accessed, analysed, created, linked, communicated, disclosed or retained. This is in order to provide a framework for classifying the various specific purposes that can be defined and used by individual policy domains (e.g. healthcare organisation, regional health authority, jurisdiction, country) as an aid to the consistent management of information in the delivery of health care services and for the communication of electronic health records across organisational and jurisdictional boundaries. Health data that have been irreversibly de-identified are outside the scope of this document, but since de-identification processes often includes some degree of reversibility, this document can also be used for disclosures of de-identified and/or pseudonymised health data whenever practicable. This classification, whilst not defining an exhaustive set of purposes categories, provides a common mapping target to bridge between differing national lists of purpose and thereby supports authorised automated cross-border flows of EHR data.

  • Technical specification
    11 pages
    English language
    sale 15% off
ISO
ISO/TR 9143:2023(Main)
Health informatics — Sex and gender in electronic health records

The purpose of this document is to: — describe the current challenges with documenting and sharing sex and gender information in electronic health records. — identify the current state of international standards and specifications that include sex and gender. — summarize the findings and identify opportunities to improve clarity and consistency in the use of sex and gender in electronic health records.

  • Technical report
    25 pages
    English language
    sale 15% off
ISO
ISO 5477:2023(Main)
Health informatics — Interoperability of public health emergency preparedness and response information systems

This document provides business rules for PH EPR information systems. It includes a description of the EPR information systems domain. It also includes an informative framework for mapping existing semantic interoperability standards for emergency preparedness and response to PH EPR information systems. The primary target audience for this document is policy makers (governmental or organizational), regulators, project planners and management of PH EPR information systems, PH EPR data analysts and informaticians. The contents is also of interest to other stakeholders such as incident managers, PH educators, standards developers and academia.

  • Standard
    59 pages
    English language
    sale 15% off