ISO TS 17975 1st Edition, September 15, 2015 Health informatics - Principles and data requirements for consent in the Collection, Use or Disclosure of personal health information
Description / Abstract:
This Technical Specification defines the set of frameworks of
consent for the Collection, Use and/or Disclosure of personal
information by health care practitioners or organizations that are
frequently used to obtain agreement to process the personal health
information of subjects of care. This is in order to provide an
Informational Consent framework which can be specified and used by
individual policy domains (e.g. healthcare organizations, regional
health authorities, jurisdictions, countries) as an aid to the
consistent management of information in the delivery of health care
services and the communication of electronic health records across
organizational and jurisdictional boundaries.
The scope of application of this Technical Specification is
limited to Personal Health Information (PHI) as defined in ISO
27799, "information about an identifiable person that relates to
the physical or mental health of the individual, or to provision of
health services to the individual. This information might
include:
— information about the registration of the individual for the
provision of health services;
— information about payments or eligibility for health care in
respect to the individual;
— a number, symbol or particular code assigned to an individual
to uniquely identify the individual for health purposes;
— any information about the individual that is collected in the
course of the provision of health services to the individual;
— information derived from the testing or examination of a body
part or bodily substance;
— identification of a person, e.g. a health professional, as a
provider of healthcare to the individual."
Good practice requirements are specified for each framework of
Informational Consent. Adherence to these requirements is intended
to assure any subject of care, and any party that processes personal
health information, that agreement to do so has been properly
obtained and correctly specified.
The Technical Specification is intended to be used to
inform:
— discussion of national or jurisdictional Informational Consent
policies;
— ways in which individuals and the public are informed about
how personal health information is processed within organizations
providing health services and health systems;
— how to judge the adequacy of the information provided when
seeking Informational Consent;
— design of both paper and electronic Informational Consent
declaration forms;
— design of those portions of electronic privacy policy services
and security services that regulate access to personal health
data;
— working practices of organizations and personnel who obtain or
comply with consent for processing personal health information.
The Technical Specification does not:
— address the granting of consent to the delivery of
healthcare-related treatment and care. Consent to the delivery of
care or treatment has its own specific requirements and is
distinct from Informational Consent. Because Consent to
Treatment and Care is outside the scope of this Technical
Specification, the phrase "Informational Consent" is hereafter
shortened to "consent"; in every case, it is
Informational Consent that is meant;
— specify any jurisdiction's legal requirements or regulations
relating to consent. The focus is on frameworks, not on
jurisdictional legislation or its adequacy in any given
jurisdiction. While care has been taken to design the frameworks so
that they do not conflict with the legislation in most
jurisdictions, they might challenge some existing practices. This
Technical Specification uses an approach that allows organizations
or jurisdictions to select the subset of frameworks that best
fits their law, culture and approach to data sharing;
— specify what consent framework is to be applied to a data
classification or data purpose as this may vary according to law or
policy, although some examples of implementation profiles are
provided in an informative Annex;
— determine the legal adequacy of the information upon which the
consent is based or possible legal consequences of inadequate
information;
— specify the data format used when consent status is
communicated. The focus is on the information characteristics of
consent, and not the technology or medium in which the
characteristics are instantiated;
— specify how individuals giving Informed Consent come to be
informed of the responsibilities, obligations and consequences
related to granting consent;
— specify how individuals are to be informed of the specifics of
the data, data sharing or data processing concerned;
— specify how consent itself or the specific activities of the
consent process are to be recorded; only that they be recorded.
Specific requirements on recording consent in EHR systems are given
in ISO/TS 14441, 5.3.2;
— specify any information security requirements (e.g. the use of
encryption or specific forms of user authentication) as these are
the subject of other standards (e.g. ISO 27799).