ASTM E1986-09
(Guide)Standard Guide for Information Access Privileges to Health Information
Standard Guide for Information Access Privileges to Health Information
SIGNIFICANCE AND USE
The maintenance of confidentiality in paper-based, electronic, or computer-based health information requires that policies and procedures be in place to protect confidentiality. Confidentiality of information depends on structural and explicit mechanisms to allow persons or systems to define who has access to what, and in what situation that access is granted. For guidelines on the development and implementation of privilege management infrastructures supporting these mechanisms, see Guide E2595.
Confidential protection of data elements is a specific requirement. The classification of data elements into restrictive and specifically controlled categories is set by policies, professional practice, and laws, legislation, and regulations.
There are three explicit concepts upon which the use of and access to health information confidentiality are defined. Each of these concepts is an explicit and unique characteristic relevant to confidentiality, but only through the combination (convergence) of all three concepts can appropriate access to an explicit data element at a specific point in time be provided, and unauthorized access denied. The three concepts are:
The categorization and breakdown of data into logical and reasonable elements or entities.
The identification of individual roles or job functions.
The establishment of context and conditions of data use at a specific point in time, and within a specific setting.
The overriding principle in preserving the confidentiality of information is to provide access to that information only under circumstances and to individuals when there is an absolute, established, and recognized need to access that data, and the information accessed should itself be constrained only to that information essential to accomplish a defined and recognized task or process. Information nonessential to that task or process should ideally not be accessible, even though an individual accessing that information may have some general righ...
SCOPE
1.1 This guide covers the process of granting and maintaining access privileges to health information. It directly addresses the maintenance of confidentiality of personal, provider, and organizational data in the healthcare domain. It addresses a wide range of data and data elements not all traditionally defined as healthcare data, but all elemental in the provision of data management, data services, and administrative and clinical healthcare services. In addition, this guide addresses specific requirements for granting access privileges to patient-specific health information during health emergencies.
1.2 This guide is based on long-term existing and established professional practices in the management of healthcare administrative and clinical data. Healthcare data, and specifically healthcare records (also referred to as medical records or patient records), are generally managed under similar professional practices throughout the United States, essentially regardless of specific variations in local, regional, state, and federal laws regarding rules and requirements for data and record management.
1.3 This guide applies to all individuals, groups, organizations, data-users, data-managers, and public and private firms, companies, agencies, departments, bureaus, service-providers, and similar entities that collect individual, group, and organizational data related to health care.
1.4 This guide applies to all collection, use, management, maintenance, disclosure, and access of all individual, group, and organizational data related to health care.
1.5 This guide does not attempt to address specific legislative and regulatory issues regarding individual, group, and organizational rights to protection of privacy.
1.6 This guide covers all methods of collection and use of data whether paper-based, written, printed, typed, dictated, transcribed, forms-based, photocopied, scanned, facsimile, telefax, magnetic media, ...
General Information
Relations
Buy Standard
Standards Content (Sample)
NOTICE: This standard has either been superseded and replaced by a new version or withdrawn.
Contact ASTM International (www.astm.org) for the latest information
Designation: E1986 − 09 AnAmerican National Standard
Standard Guide for
1
Information Access Privileges to Health Information
This standard is issued under the fixed designation E1986; the number immediately following the designation indicates the year of
original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A
superscript epsilon (´) indicates an editorial change since the last revision or reapproval.
1. Scope* picture, film, microfilm, animation, 3D, audio, digital media,
optical media, synthetic media, or computer-based.
1.1 This guide covers the process of granting and maintain-
ing access privileges to health information. It directly ad-
1.7 This guide does not directly define explicit disease-
dresses the maintenance of confidentiality of personal,
specific and evaluation/treatment-specific data control or
provider, and organizational data in the healthcare domain. It
access, or both. As defined under this guide, the confidential
addresses a wide range of data and data elements not all
protection of elemental data elements in relation to which data
traditionally defined as healthcare data, but all elemental in the
elements fall into restrictive or specifically controlled
provision of data management, data services, and administra-
categories, or both, is set by policies, professional practice, and
tive and clinical healthcare services. In addition, this guide
laws, legislation and regulations.
addresses specific requirements for granting access privileges
to patient-specific health information during health emergen-
2. Referenced Documents
cies.
2
2.1 ASTM Standards:
1.2 This guide is based on long-term existing and estab-
E1869 Guide for Confidentiality, Privacy, Access, and Data
lished professional practices in the management of healthcare
Security Principles for Health Information Including Elec-
administrative and clinical data. Healthcare data, and specifi-
tronic Health Records
cally healthcare records (also referred to as medical records or
E2595 Guide for Privilege Management Infrastructure
patient records), are generally managed under similar profes-
sional practices throughout the United States, essentially re-
3. Terminology
gardless of specific variations in local, regional, state, and
3.1 Definitions:
federal laws regarding rules and requirements for data and
3.1.1 access—the provision of an opportunity to approach,
record management.
inspect, review, retrieve, store, communicate with, or make use
1.3 This guide applies to all individuals, groups,
ofhealthinformationsystemresources(forexample,hardware,
organizations, data-users, data-managers, and public and pri-
software, systems, or structure) or patient identifiable data and
vatefirms,companies,agencies,departments,bureaus,service-
information, or both. (E1869)
providers, and similar entities that collect individual, group,
3.1.2 access control—the prevention of unauthorized use of
and organizational data related to health care.
a resource, including the prevention of use of a resource in an
1.4 This guide applies to all collection, use, management,
unauthorized manner.
maintenance, disclosure, and access of all individual, group,
3.1.2.1 Discussion—Access control counters the threat of
and organizational data related to health care.
unauthorized access to, disclosure of, or modification of data.
(ISO 7498-2)
1.5 This guide does not attempt to address specific legisla-
tive and regulatory issues regarding individual, group, and
3.1.3 accountability—the property that ensures that the
organizational rights to protection of privacy.
actions of an entity can be traced. (ISO 7498-2)
1.6 This guide covers all methods of collection and use of
3.1.4 audit trail—data collected and potentially used to
data whether paper-based, written, printed, typed, dictated,
facilitate a security audit. (ISO 7498-2)
transcribed, forms-based, photocopied, scanned, facsimile,
3.1.5 authentication—the corroboration that an entity is the
telefax, magnetic media, image, video, motion picture, still
one claimed. (ISO 7498-2)
1
This guide is under the jurisdiction of ASTM Committee E31 on Healthcare
Informatics and is the direct responsibility of Subcommittee E31.25 on Healthcare
2
Data Management, Security, Confidentiality, and Privacy. For referenced ASTM standards, visit the ASTM website, www.astm.org, or
Current edition approved Dec. 1, 2009. Published January 2010. Originally contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM
approved in 1998. Last previous edition approved in 2005 as E1986 – 98(2005). Standards volume information, refer to the standard’s Document Summary page on
DOI: 10.1520/E1986-09. the ASTM website.
*A Summary of Changes section appears at the end of this standard
Copyright © ASTM International, 10
...
This document is not anASTM standard and is intended only to provide the user of anASTM standard an indication of what changes have been made to the previous version. Because
it may not be technically possible to adequately depict all changes accurately, ASTM recommends that users consult prior editions as appropriate. In all cases only the current version
of the standard as published by ASTM is to be considered the official document.
An American National Standard
Designation:E1986–98 (Reapproved 2005) Designation:E1986–09
Standard Guide for
1
Information Access Privileges to Health Information
This standard is issued under the fixed designation E1986; the number immediately following the designation indicates the year of
original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A
superscript epsilon (´) indicates an editorial change since the last revision or reapproval.
1. Scope*
1.1 This guide covers the process of granting and maintaining access privileges to health information. It directly addresses the
maintenance of confidentiality of personal, provider, and organizational data in the healthcare domain. It addresses a wide range
of data and data elements not all traditionally defined as healthcare data, but all elemental in the provision of data management,
data services, and administrative and clinical healthcare services. In addition, this guide addresses specific requirements for
granting access privileges to patient-specific health information during health emergencies.
1.2 This guide is based on long-term existing and established professional practices in the management of healthcare
administrative and clinical data. Healthcare data, and specifically healthcare records (also referred to as medical records or patient
records),aregenerallymanagedundersimilarprofessionalpracticesthroughouttheUnitedStates,essentiallyregardlessofspecific
variations in local, regional, state, and federal laws regarding rules and requirements for data and record management.
1.3 This guide applies to all individuals, groups, organizations, data-users, data-managers, and public and private firms,
companies,agencies,departments,bureaus,service-providers,andsimilarentitiesthatcollectindividual,group,andorganizational
data related to health care.
1.4 This guide applies to all collection, use, management, maintenance, disclosure, and access of all individual, group, and
organizational data related to health care.
1.5 This guide does not attempt to address specific legislative and regulatory issues regarding individual, group, and
organizational rights to protection of privacy.
1.6 This guide covers all methods of collection and use of data whether paper-based, written, printed, typed, dictated,
transcribed, forms-based, photocopied, scanned, facsimile, telefax, magnetic media, image, video, motion picture, still picture,
film, microfilm, animation, 3D, audio, digital media, optical media, synthetic media, or computer-based.
1.7 Thisguidedoesnotdirectlydefineexplicitdisease-specificandevaluation/treatment-specificdatacontroloraccess,orboth.
As defined under this guide, the confidential protection of elemental data elements in relation to which data elements fall into
restrictive or specifically controlled categories, or both, is set by policies, professional practice, and laws, legislation and
regulations.
2. Referenced Documents
2
2.1 ASTM Standards:
E1869 Guide for Confidentiality, Privacy, Access, and Data Security Principles for Health Information Including Electronic
Health Records Guide for Confidentiality, Privacy, Access, and Data Security Principles for Health Information Including
Electronic Health Records
E2595 Guide for Privilege Management Infrastructure
3. Terminology
3.1 Definitions:
3.1.1 access—the provision of an opportunity to approach, inspect, review, retrieve, store, communicate with, or make use of
health information system resources (for example, hardware, software, systems, or structure) or patient identifiable data and
information, or both. (E1869)
3.1.2 access control—the prevention of unauthorized use of a resource, including the prevention of use of a resource in an
unauthorized manner.
3.1.2.1 Discussion—Access control counters the threat of unauthorized access to, disclosure of, or modification of data.
1
This guide is under the jurisdiction of ASTM Committee E31 on Healthcare Informatics and is the direct responsibility of Subcommittee E31.25 on Healthcare Data
Management, Security, Confidentiality, and Privacy.
Current edition approved July 17, 2006.Dec. 1, 2009. Published January 2006.2010. Originally approved in 1998. Last previous edition approved in 19982005 as
E1986 – 98(2005). DOI: 10.1520/E1986-98R05.10.1520/E1986-09.
2
For referencedASTM standards, visit theASTM website, www.astm.org, or contactASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards
volume information, refer to the standard’s Document Summary
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.