ISO/TR 21089:2004

TECHNICAL ISO/TR
REPORT 21089
First edition
2004-06-01
Health informatics — Trusted end-to-end
information flows
Informatique de santé — Flux d'informations “trusted end-to-end”

Reference number
©
ISO 2004
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2004 – All rights reserved

Contents Page
FOREWORD. v
1 SCOPE . 1

2 REFERENCES. 1

3 TERMS AND DEFINITIONS. 2

4 ABBREVIATED TERMS.14
5 OVERVIEW - CHARACTERISTICS ESSENTIAL TO TRUSTED END-TO-END
INFORMATION FLOWS.16
6 HEALTH RECORD TRUST STAKEHOLDERS .17
7 PRINCIPLES AND OBJECTIVES .18
7.1. ENSURED TRUST.18
7.2. TRUST STAKEHOLDERS.18
7.3. HEALTH RECORD RIGHTS .18
7.4. HEALTH RECORD OBLIGATIONS .19
7.5. HEALTH RECORD COMPOSITION .19
7.6. HEALTHCARE ENTITIES AND THEIR ACCOUNTABLE ACTIONS.19
7.7. HEALTHCARE AGENTS AND THEIR ACCOUNTABLE ACTIONS .19
7.8. SCOPE OF ACCOUNTABILITY, UNIT OF ACCOUNTABILITY.19
7.9. AUTHENTICATION.20
7.10. AUDITABILITY .20
7.11. CHAIN OF TRUST.20
7.12. FAITHFULNESS, PERMANENCE, PERSISTENCE AND INDELIBILITY .20
7.13. DATA DEFINITION, DATA REGISTRY .20
7.14. DATA INTEGRITY .20
7.15. COMPLETENESS .20
8 INFORMATION FLOW PERSPECTIVES .21
8.1 DOWNSTREAM PERSPECTIVE - HEALTH RECORD SUBJECT .21
8.2 DOWNSTREAM PERSPECTIVE - ENTITY(IES) ACCOUNTABLE FOR HEALTH RECORD CONTENT .22
8.3 UPSTREAM PERSPECTIVE - ENTITY(IES) ACCOUNTABLE FOR HEALTH RECORD ACCESS/USE .23
9 ENTITIES, HEALTH SERVICE ACTS AND CORRESPONDING PERSISTENT ACT
RECORDS.24
10  HEALTH SERVICE ACT - VITAL CONTEXTS - AS DOCUMENTED IN THE ACT RECORD
..............................................................................................................................................................26
10.1. ACCOUNTABILITY CONTEXT.26
10.2. DATA INTEGRITY CONTEXT.26
10.3. CLINICAL CONTEXT.26
10.4. ADMINISTRATIVE/OPERATIONAL CONTEXT.26
11 ROLES AND RELATIONSHIPS (EXAMPLE).27
11.1. SUBJECT OF CARE AND PROVIDERS.27
11.2. HEALTH SERVICES .27
11.3. HEALTH RECORD .27
11.4. INDIVIDUALS, ORGANIZATIONS, BUSINESS UNITS .27
11.5. INTER-HEALTHCARE PROFESSIONAL.27
12 KEY DEFINITION AND TRACE/AUDIT POINTS IN TRUSTED END-TO-END INFORMATION
FLOWS.28
12.1. ACT RECORD - POINT OF DEFINITION.30
12.2.1. HEALTH SERVICE ACT - POINT OF SERVICE/CARE.31
12.2.2. ACT RECORD - POINT OF ORIGINATION.32
12.3.1. HEALTH SERVICE ACT - POINT OF PROGRESSION OR COMPLETION.34
12.3.2. ACT RECORD - POINT OF AMENDMENT .34
12.4. ACT RECORD - POINT OF TRANSLATION .35
12.5. ACT RECORD - POINT OF ACCESS/USE.36
12.6.1. ACT RECORD - POINT OF DE-IDENTIFICATION, ALIASING.37
12.6.2. ACT RECORD - POINT OF RE-IDENTIFICATION .38
12.7. ACT RECORD - POINT OF CONVERGENCE: E.G., AGGREGATION, SUMMARIZATION OR
DERIVATION . 39
12.8.1. ACT RECORD - POINT OF DISCLOSURE, TRANSMITTAL.40
12.8.2. ACT RECORD - POINT OF REPORTING .40
12.9. ACT RECORD - POINT OF RECEIPT.42
12.10. ACT RECORD - POINT OF ARCHIVAL .44
12.11. ACT RECORD - POINT OF LOSS, DESTRUCTION OR DELETION.45
BIBLIOGRAPHY.46
iv © ISO 2004 – All rights reserved

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO
member bodies). The work of preparing International Standards is normally carried out through ISO technical committees.
Each member body interested in a subject for which a technical committee has been established has the right to be
represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also
take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the
technical committees are circulated to the member bodies for voting. Publication as an International Standard requires
approval by at least 75 % of the member bodies casting a vote.
In exceptional circumstances, when a technical committee has collected data of a different kind from that which is
normally published as an International Standard (“state of the art”, for example), it may decide by a simple majority vote of
its participating members to publish a Technical Report. A Technical Report is entirely informative in nature and does not
have to be reviewed until the data it provides are considered to be no longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights.
ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TR 21089 was prepared by Technical Committee ISO/TC 215, Health informatics.
TECHNICAL REPORT ISO/TR 21089:2004(E)

Health informatics — Trusted end-to-end information flows

1 Scope
Health(care) records form persistent evidence of health status and the provision and completeness of
health(care) services, being retained in electronic and/or other media. Health(care) records often contain
Protected Health Information (PHI), typically defined as "individually-identifiable health information", and thus
incur safeguards exceeding the ordinary.
The prime unit of health(care) record-keeping is the Entity/Act Record, the authenticatable unit of the health
record, evidencing (documenting) the performance/completion of an Act by an Entity and preserving the
Accountability Context of the Entity for the Act. (Note that the Entity/Act is central to Health Level Seven's
Version 3 Reference Information Model.)
Trusted stewardship, retention and interchange of Entity/Act Records/PHI requires vital safeguards such as
traceability and audit. This Technical Report offers an information flow methodology for units of the
health(care) record/PHI, particularly the Entity/Act Record, and specifies critical Trace Points (audit events)
in that flow including: record/PHI origination, authentication, amendment, translation, access/use,
transmittal/disclosure, receipt, de-identification/re-identification, archival, etc.
This Technical Report offers an informative guide to trusted end-to-end information flow for health(care)
records and to the key Trace Points and audit events in the electronic Entity/Act Record lifecycle (from point
of record origination to each ultimate point of record access/use). It also offers recommendations regarding
the trace/audit detail relevant to each.
This Technical Report offers recommendations of best practice for healthcare providers, health record
stewards, software developers and vendors, end users and other stakeholders, including patients.
2 References
ISO/IEC Guide:1996, Guide 2: definition 3.2
ISO/IEC 2382-8:1998, Information technology — Vocabulary — Part 8: Security
ISO 6523-1:1998, Information technology — Structure for the identification of organizations and organization
parts — Part 1: Identification of organization identification schemes
ISO 7498-2:1989, Information processing systems — Open Systems Interconnection — Basic Reference
Model — Part 2: Security Architecture
ISO/IEC 10746-2:1996, Information technology — Open Distributed Processing — Reference Model:
Foundations
ISO/IEC 10746-3:1996, Information technology — Open Distributed Processing — Reference Model:
Architecture
ISO/IEC 10746-4:1998, Information technology — Open Distributed Processing — Reference Model:
Architectural Semantics
ISO/IEC 15408-1:1999, Information technology — Security techniques — Evaluation criteria for IT security
— Part 1: Introduction and general model
ISO/IEC 17799, Information technology — Code of practice for information security management
3 Terms and definitions
3.1
access
ability or the means necessary to read, write, modify, or communicate data/information or otherwise make
use of any system resource
[HIPAA]
provision of an opportunity to approach, inspect, review, make use of data or information
[CPRI]
specific type of interaction between a subject and an object that results in the flow of information from one to
the other
[GCST]
3.2
access control
means of ensuring that the resources of a data processing system can be accessed only by authorized
entities in authorized ways
[ISO/IEC 2382-8]
prevention of an unauthorized use of a resource, including the prevention of use of a resource in an
unauthorized manner
[ISO 7498-2]
policies and procedures preventing access by those who are not authorized to have it
[IOM]
3.3
accountability
property that ensures that the actions of an entity can be traced uniquely to the entity
[ISO 7498-2]
concept that individual persons or entities can be held responsible for specified actions
[NRC]
obligation to disclose periodically, in adequate detail and consistent form, to all directly and indirectly
responsible or properly interested parties, the purposes, principles, procedures, relationships, results,
incomes and expenditures involved in any activity, enterprise, or assignment so that they can be evaluated
by the interested parties
[JCAHO]
3.4
actor
•with respect to an action •an enterprise object (or entity) that participates in the action
[ISO/IEC 15414]
3.5
agent
enterprise object (or entity) that has been delegated (authority, a function, etc.) by and acts for another (in
exercising the authority, performing the function, etc.)
3.6
application
identifiable computer running a software process
NOTE 1 In this context, it may be any software process used in healthcare information systems including those without
any direct role in treatment or diagnosis.
NOTE 2 In some jurisdictions, including software processes may be regulated medical devices.
2 © ISO 2004 – All rights reserved

3.7
architecture
set of principles on which the logical structure and interrelationships to an organization and business context
are based
NOTE Software architecture is the result of software design activity.
3.8
archived (records)
archival (records)
healthcare data saved for later reference or use, possibly off-line
[COACH]
3.9
assurance
grounds for confidence, surety, certitude
grounds for confidence that an entity meets its security objectives
[ISO/IEC 15408-1:1999]
development, documentation, testing, procedural and operational activities carried out to ensure a system's
security services do in fact provide the claimed level of protection
[OMG 97]
3.10
audit control
mechanisms employed to record and examine system activity
3.11
audit trail
record of the resources which were accessed and/or used by whom
[ISO 7498-2]
documentary evidence of monitoring each operation (of healthcare entities) on health information
[NRC]
chronological record of system activities that is sufficient to enable the reconstruction, reviewing and
examination of the sequence of environments and activities surrounding or leading to an operation, a
procedure, or an event in a transaction from its inception to final results
[GCST]
3.12
authentication of health record entries
process used to verify that an entry is complete, accurate and final
[JCAHO]
3.13
authentication
providing assurance regarding the identity of a subject (author) or object (information)
[ASTM E1762]
3.14
authentication (data)
verification of the integrity of data that have been stored, transmitted or otherwise exposed to possible
unauthorized modification
[GCST]
3.15
authentication (data source)
corroboration that the source of data received is as claimed
[ISO 7498-2]
3.16
authentication (user)
provision of assurance of the claimed identity of an entity
[ISO/IEC 10181-2]
3.17
authorize
authorization
granting of rights, which includes granting of access based on access rights
[ISO 7498-2]
prescription that a particular behaviour must not be prevented
[ISO/IEC 15414]
3.18
authorized user
user who may, in accordance with the Security Policy, perform an operation
3.19
availability
property of being accessible and useable upon demand by an authorized entity
[ISO 7498-2]
prevention of the unauthorized withholding of information or resources
[ITSEC]
3.20
business unit
discrete and accountable function or sub-function within an organization
NOTE For example, a business unit includes a department, service or speciality of a healthcare provider organization.
3.21
care
provision of accommodations, comfort and treatment to an individual subject of care (patient), also implying
responsibility for safety
[JCAHO]
3.22
caregiver
cf. healthcare professional
3.23
clinical information
information about a subject of care, relevant to the health or treatment of that subject of care, that is
recorded by or on behalf of a healthcare person
[CEN ENV 1613:1995]
data/information related to the health and healthcare of an individual collected from or about an individual
receiving healthcare services: includes a caregiver's objective measurement or subjective evaluation of a
patient's physical or mental state of health; descriptions of an individual's health history and family health
history; diagnostic studies; decision rationale; descriptions of procedures performed; findings; therapeutic
interventions; medication prescribed; description of responses to treatment; prognostic statements; and
descriptions of socio-economic and environmental factors related to the patient's health
[ASTM E1769, CPRI]
3.24
code set
any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical
diagnostic codes, or medical procedure codes
3.25
coding scheme
4 © ISO 2004 – All rights reserved

collection of rules that maps the elements of one set on to the elements of a second set
3.26
complete health record
final, assembled and authenticated, health record for an individual
(health) record is complete when a) its contents reflect the diagnosis, results of diagnostic tests, therapy
rendered, condition and progress (of the subject of care), and condition (of the subject of care) at discharge,
and b) its contents, including any required clinical résumé or final progress notes, are assembled and
authenticated, and all final diagnoses and any complications are recorded without use of symbols or
abbreviations
[JCAHO]
3.27
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities or processes
[ISO 7498-2]
condition in which information is shared or released in a controlled manner
[NRC]
prevention of the unauthorized disclosure of information
[ITSEC]
restriction of access to data and information to individuals who have a need, a reason and permission for
access
[JCAHO]
status accorded to data or information indicating that it is sensitive for some reason, and that therefore it
needs to be protected against theft or improper use and must be disseminated only to individuals or
organizations authorized to have it
[OTA]
3.28
credentials (for identity)
data that are transferred to establish the claimed identity of an entity
[ISO/IEC 2382-8]
3.29
credentials (for healthcare practice)
documented evidence of (a healthcare professional's) licensure, education, training, experience, or other
qualifications
[JCAHO]
3.30
criteria
expected level(s) of achievement, or specifications against which performance can be assessed
[JCAHO]
3.31
data attribute, element or item
single unit of data that in a certain context is considered indivisible
3.32
data transmission
data transmittal
sending of data or information from one location to another location
[JCAHO]
exchange of data between person and program, or program and program, when the sender and receiver are
remote from each other
[CPRI]
3.33
de-identified data
data resulting from personally identifiable information after the process of removing or altering one or more
attributes so that the (direct or indirect) identification of the relevant person without knowledge of the initial
information is either impossible or requires an unreasonable amount of time and manpower
[MEDSEC]
3.34
digital signature
data appended to, or a cryptographic transformation (see cryptography) of a data unit that allows a recipient
of the data unit to prove the source and integrity of the data unit and protect against forgery e.g. by the
recipient
[ISO 7498-2]
electronic signature based upon cryptographic methods of originator authentication, computed by using a
set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be
verified
[HIPAA]
NOTE This term is usually reserved for digital values or checksums calculated using asymmetric techniques, where only
the originator of the message can generate the digital signature but many people can verify it.
3.35
disclosure (of health information)
release, transfer, provision of access to, or divulging in any other manner of information outside the entity
holding the information
[HIPAA]
release of information to third parties within or outside the healthcare provider organization from an
individual's (health) record with or without the consent of the individual to whom the record pertains
[CPRI]
3.36
documentation
process of recording information in the (health) record
[JCAHO]
3.37
electronic health record
EHR
electronic healthcare record
ECHR
health record concerning the subject of care in computer-readable form
[CEN ENV13606-1]
3.38
entity
object modelling a natural person or any other entity considered to have the same rights, powers and duties
of a natural person
[ISO/IEC 15414]
3.39
episode of care
identifiable grouping of healthcare related activity characterized by the entity relationship between the
subject of care and a healthcare provider, such a grouping determined by the healthcare provider
3.40
health information
any information, whether oral or recorded in any form or medium, that a) is created or received by a
healthcare provider, health plan, public health authority, employer, life insurer, school or university, or
healthcare clearing-house; and b) relates to the past, present, or future physical or mental health or
condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment
6 © ISO 2004 – All rights reserved

for the provision of healthcare to an individual
[HIPAA]
3.41
health record
healthcare record
account compiled [by healthcare entities (e.g., healthcare professionals)] of a variety of (subject of care)
health information, such as the (subject of care's) assessment findings, treatment details and progress notes
[JCAHO]
3.42
health record entry
healthcare record entry
dataset, suitably attributed, which forms part of, or a whole, contribution to a health(care) record at one place
and time
[CEN ENV 13606-2]
3.43
healthcare
care, services, or supplies related to the health of an individual
[HIPAA]
NOTE Includes any: a) preventative, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counselling,
service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the
structure or function of the body; b) sale or dispensing of a drug, device, equipment, or other item pursuant to a
prescription; or c) procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.
3.44
healthcare agent
medical devices (e.g. instruments, monitors) and software (e.g. applications, components) which: a) perform
a role in the provision of healthcare services; and/or b) are accountable for actions related to, and/or
ascribed in, the health record
[CEN ENV12265, modified]
3.45
healthcare data
data which are input, stored, processed or output by the automated information system which support the
clinical and business functions of a healthcare organization; these data may relate to person identifiable
records or may be part of an administrative system where persons are not identified
[HL7]
3.46
healthcare informatics
scientific discipline that is concerned with the cognitive, information processing and communication tasks of
healthcare practice, education and research, including the information science and technology to support
these tasks
[Directory of the European Standardization Requirements for Healthcare Informatics and Telematics v2.1,
1994]
3.47
healthcare organization
generic term used to describe many types of organizations that provide healthcare services
[JCAHO]
3.48
healthcare entity
individuals, organizations or business units, including: a) subjects of care (patients, health plan members); b)
those involved in the direct or indirect provision of healthcare services to an individual or to a population;
and/or c) those accountable for actions related to, and/or ascribed in, the health record
[CEN ENV 1613:1995, modified]
3.49
healthcare professional
person that is authorized by a nationally recognized body to be qualified to perform certain health services
individual who is entrusted with the direct or indirect provision of defined healthcare services to an individual
subject of care or to populations
[CEN ENV 1613: 1995]
NOTE 1 The types of registering or accrediting bodies differ in different countries and for different professions. Nationally
recognized bodies include local or regional governmental agencies, independent professional associations and other
formally and nationally recognized organizations. They may be exclusive or non-exclusive in their territory.
NOTE 2 Examples of health professionals are physicians, registered nurses and pharmacists.
3.50
healthcare provider
healthcare organization or healthcare professional responsible for the provision of healthcare to a subject of
care or to a population
[CEN 13940:2000]
3.51
health plan
individual or group plan that provides, or pays the cost of, medical care
[HIPAA]
3.52
identifier
piece of information used to claim an identity, before a potential corroboration by a corresponding
authenticator
[CEN ENV 13608-1]
3.53
indelible
indelibility
impossible to remove or erase, permanent
3.54
indicator (of performance)
measure used to determine over time, (an organization's) performance of functions, processes and
outcomes
[JCAHO]
3.55
individually identifiable health information
any information, including demographic information collected from an individual, that a) is created or
received by a healthcare provider, health plan employer, or healthcare clearing-house; and b) relates to the
past, present or future physical or mental health or condition of an individual, the provision of healthcare to
an individual, or the past, present, or future payment for the provision of healthcare to an individual, and i)
identifies the individual, or ii) with respect to which there is a reasonable basis to believe that the information
can be used to identify the individual
[HIPAA]
3.56
information
interpreted set(s) of data that can assist in decision making
[JCAHO]
data to which meaning is assigned, according to context and assumed conventions
[NSC]
3.57
integrity (data)
property that data has not been altered or destroyed in an unauthorized manner
[ISO 7498-2]
accuracy, consistency and completeness of data
[JCAHO]
8 © ISO 2004 – All rights reserved

3.58
integrity (message)
proof that the message content has not altered, deliberately or accidentally in any way, during transmission
[ISO/IEC 7498-2]
3.59
interface
process that permits the flow of data from one system to another in a structured manner
3.60
interoperability
with regard to a specific task is said to exist between two applications when one application can accept data
from the other and perform the task in an appropriate and satisfactory manner (as judged by the user of the
receiving system) without the need for extra operator intervention
[CEN]
ability of software and hardware on multiple machines from multiple vendors to communicate; ability of a
system to use the parts or equipment of another system
3.61
longitudinal or lifetime personal health record
permanent, coordinated record of significant information, in chronological sequence; it may include all
historical data collected or be retrieved as a user designated synopsis of significant demographic, genetic,
clinical and environmental facts and events maintained within an automated system
[ASTM E1384]
3.62
master file
dataset containing definitional entries in common across system, business units and, in some cases,
organizational boundaries
NOTE For example, master files may include data group and attribute definitions, security policy and domain definitions,
security classification and clearance definitions, healthcare service definitions, care protocol definitions.
3.63
measure
measurement
collect quantifiable data about a function or process
[JCAHO]
3.64
message
logically ordered dataset designed to communicate essential information between systems
3.65
need-to-know
legitimate requirement of a prospective recipient of data to know, to access, or to possess any sensitive
information represented by these data
[ISO/IEC 2382-8]
users should have access only to the data he or she needs to perform a particular function
[HIPAA]
3.66
network
electronic data transmission facility which can comprise of just a point-to-point wire link between two
devices, or a complex arrangement of transmission lines
3.67
organization
unique framework of authority within which a person or persons act, or are designated to act towards the
same purpose
3.68
outcome
result of the performance (or non-performance) of a function or process(es)
[JCAHO]
3.69
patient
cf. subject of care
3.70
performance
way in which an individual, group or organization carries out or accomplishes its important functions and
processes
[JCAHO]
execution, accomplishment, fulfillment; operation or functioning, usually with regard to effectiveness
[Webster's New World Dictionary]
3.71
performance measure
measure, such as a standard or indicator, used to assess the performance of a function or process of any
organization quantification of processes and outcomes using one or more dimensions of performance, such
as timeliness or availability
[JCAHO]
3.72
persistent
persistence
enduring
existing or remaining in the same state for an indefinitely long time
3.73
personal health information
PHI
any information that concerns a person's health, medical history, medical treatment or genetic
characteristics in a form that enables the person to be identified
[MEDSEC]
3.74
personal information
any information relating to an identified or identifiable natural person
[EU Directive 95/46/EC, MEDSEC]
3.75
privacy
freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or
illegal gathering and use of data about that individual
[ISO/IEC 2382-8]
right of individuals to keep information about themselves from being disclosed to anyone
[CPRI]
security principle that protects individuals from the collection, storage and dissemination of information about
themselves and the possible compromises resulting from unauthorized release of that information
[HL7 Security SIG]
3.76
process
collection of steps taking place in a prescribed manner and leading to the accomplishment of some result
[ISO/IEC 15414]
10 © ISO 2004 – All rights reserved

goal-directed, interrelated series of actions, events, mechanisms, or steps
[JCAHO]
3.77
protocol (care)
cf. critical paths
3.78
quality
totality of features and characteristics of a product, process or service that bear on its ability to satisfy its
stated or intended needs
[CEN]
character, characteristic or property of anything that makes it good or bad, commendable or reprehensible;
thus the degree of excellence that a thing possesses; totality of features and characteristics of a product or
service that bear on its ability to satisfy stated or implied needs; fitness for use
[JCAHO]
3.79
registry
server capable of holding data for the systematic and continuous follow up of information objects maintained
in accordance with specific rules
3.80
resource
enterprise object modelling an entity which is essential to some behaviour and which requires allocation or
may become unavailable because it is in use or used up
[ISO/IEC 15414]
3.81
retention
maintenance and preservation of information in some form (e.g. paper, microfilm, or electronic storage) for a
given period of time
[CPRI]
3.82
secondary record
record that is derived from the primary record and contains selected data elements
[ASTM E1384]
3.83
security
combination of availability, confidentiality, integrity and accountability
[CEN ENV 13608-1]
protection of information systems against unauthorized access to or modification of information, whether in
storage, processing, or transit, and against the denial of service to authorized users or the provision of
service to unauthorized users, including those measures necessary to detect, document and counter such
threats
[NSC]
preservation of the confidentiality and integrity of data as well as ensuring the accountability and availability
of data; combination of availability, confidentiality, integrity and accountability
[CEN ENV 12924, MEDSEC]
result of effective protection measures that safeguard data/information from undesired occurrences and
exposure to accidental or intentional disclosure to unauthorized persons, accidental or malicious alteration,
unauthorized copying, software deficiencies, operating mistakes, or sabotage
[IOM]
3.84
security (data)
protection of data from intentional or unintentional destruction, modification, or disclosure
[JCAHO]
3.85
security policy
plan or course of action adopted for providing computer security
[ISO/IEC 2382-8]
set of laws, rules, and practices that regulate how an organization manages, protects and distributes
sensitive information
[DOD Orange Book]
framework within which an organization establishes needed levels of information security to achieve the
desired confidentiality goals; statement of information values, protection responsibilities and organization
commitment for a system; set of laws, rules and practices that regulate how an organization manages,
protects and distributes sensitive information
[OTA]
3.86
standard
document, established by consensus and approved by a recognized body, that provides, for common and
repeated use, rules, guidelines, or characteristics for activities or their results, aimed at the achievement of
the optimum degree of order in a given context
[ISO/IEC Guide 2: 1996]
NOTE Standards should be based on the consolidated results of science, technology and experience, and aimed at the
promotion of optimum community benefits.
3.87
subject of care
person or defined groups of persons receiving or registered as eligible to receive healthcare services or
having received healthcare services
[CEN ENV 12443:1996]
NOTE For example, a patient, client, customer, or health plan member.
3.88
trust
confidence; a basis of reliance, faith, or hope; assured reliance on the character, strength, or truth of
someone or something
[Merriam-Webster's Dictionary]
3.89
trusted system
system believed to enforce a given set of attributes to a stated degree of assurance (confidence)
[NRC]
system that employs sufficient hardware and software assurance measures to allow its use for simultaneous
processing of a range of sensitive or classified information
[GCST]
3.90
use (of health information)
sharing, employment, application, utilization, examination, or analysis of such information
[HIPAA]
3.91
user
person or other entity authorized by a provider to use some or all of the services provided by the provider
[COACH]
12 © ISO 2004 – All rights reserved

human being using the system to issue requests to objects in order to get them to perform functions in the
system on his/her behalf
[OMG]
4 Abbreviated terms
ACR American College of Radiologists
ADA American Dental Association
ANSI American National Standards Institute
API Application Program Interface
ASC X12 Accredited Standards Committee X12, an ANSI Accredited SDO
ASTM E31 American Society for Testing Materials, Committee E31 on Healthcare Informatics
DICOM Digital Imaging and Communications in Medicine; standard developed by NEMA
CCITT Consultative Committee on International Telephony and Telegraphy
CEN Comité Européen de Normalisation, European Committee for Normalization
CIHI Canadian Institute for Health Information
CMS Center for Medicare and Medicaid Services, U.S. DHHS
COACH Canadian Organisation for the Advancement of Computers in Health (now Canadian
Health Informatics Association)
CPRI Computer-Based Patient Record Institute
DHHS U.S. Department of Health and Human Services
DICOM Digital Image Communications, ACR/NEMA
DOD U.S. Department of Defense
EDI Electronic Data Interchange
EDIFACT Electronic Data Interchange for Administration, Commerce and Transport (also referred to
as UN/EDIFACT)
EHR, EHCR electronic health record, electronic healthcare record
ENV CEN European Pre-Standard
GCST US DOD Glossary of Computer Security Terms
HCFA US DHHS Healthcare Financing Administration (now CMS - Center for Medicare and
Medicaid Services)
HIPAA Health Insurance Portability and Accountability Act of 1996, US Public Law 104-191
HISB ANSI Healthcare Informatics Standards Board
HL7 Health Level Seven, an ANSI Accredited SDO
IEC International Electrotechnical Commission
IEEE Institute of Electrical and Electronics Engineers
IOM Institute of Medicine, a body of the US National Institutes of Health
ISO International Organization for Standardization
ISO TC215 ISO Technical Committee 215 on Healthcare Informatics
ITSEC Information Technology Security Evaluation Criteria
JCAHO Joint Commission for Accreditation of Healthcare Organizations
MEDSEC Healthcare Security and Privacy in the Information Society, project sponsored by the
European Commission
MIB IEEE Committee P1073, Medical Information Bus
NCQA National Council for Quality Assurance (US)
NCVHS U.S. DHHS National Council for Vital and Health Statistics
14 © ISO 2004 – All rights reserved

NEHRT National Electronic Health Records Taskforce (Australia)
NEMA National Electrical Manufacturers Association
NHS National Health Service (UK)
NIST National Institute for Standards and Technology (US)
NMB ISO National Member Body
NRC National Research Council (US)
NSC National Security Council (US)
OMG Object Management Group
OTA Office of Technology Assessment (US)
PKC Public Key Certificate
PKI Public Key Infrastructure
SDO Standards Developing Organization
SIG Special Interest Group
SNIP Strategic National Implementation Program (for HIPAA), WEDI
TR ISO Technical Report
USHIK U.S. Health Information KnowledgeBase, a meta-data registry maintained by the U.S.
DHHS (CMS) and DOD, based on ISO 11179
UN United Nations
WEDI Work Group for Electronic Data Interchange
WG2 ISO TC215, Working Group 2 on Messaging and Communications
5 Overview - Characteristics Essential to Trusted End-to-End Information Flows
Intra-Enterprise e.g. Extra-Enterprise/3rd Party
Healthcare provider Payer, health plan
IDN: Integrated Delivery Network Business associate
HMO: Health Maintenance Organization Accreditation, governance
Public health agency
Research
Interface Interface Interface
Front-End Front-End Back-End
Downstream Downstream Downstream
Third Party
e.g., Device or e.g., Dept or e.g., Repository
Data Flow Data Flow Data Flow
Instrument Function App or Financial App
Common Common Common
Originate/ Originate/ Accumulate/
Interchange Interchange Interchange
Capture Store
Capture
Standards: Standards: Standards:
Process Process/
Process
ASTM E1394 ASTM E1238  X12N EDI
Accumulate/ Aggregate/
Accumulate/
DICOM v3 DICOM v3  EDIFACT
Store Extract/
Store
HL7 v2.x HL7 v2.x  HL7 v2.x
Derive
Report
Mediator? Mediator? Intermediary?
Initiate claim
Translation? Translation? Translation?
Data Flow: to Third Party
Downstream Data Flow: Front to Back-end, Source to Consumer
Chain of Trust
• Subject of care health record
• Provider business (operations) record
• Healthcare professional service record
Individually Identifiable,
Privacy/Confidentiality: Individually Identifiable Information
De-identified or Aliased
Interchange Content, e.g.,
• Patient/member health records, protected as individually identifiable Interchange Content: e.g.,
• Patient account, insurance records • Personal health records
• Clinical data • Claims, attachments
• Administrative and operational data • Public health reporting
• Measures/indicators: performance, quality, compliance, utilization, • Measures/Indicators
productivity, costs
• Research extracts
Accountability, of:
• Individuals: Healthcare Professionals, Authors, Scribes, Verifiers…
• Business units: Departments, Services, Specialties
• Organizations: Providers, Health Plans…
Auditability, Traceability, Audit Trails
• Access/us
...