EN 14484:2003
Health informatics - International transfer of personal health data covered by the EU data protection directive - High level security policy
This item will provide guidance on the data protection policy which should be implemented by organisations which are participants in international applications which involve transfer of person identifiable data across national borders and which require compliance with the EU Data Protection Directive.
Medizinische Informatik - Internationaler Austausch von unter die EU-Datenschutzrichtlinie fallenden persönlichen Gesundheitsdaten - Generelle Sicherheits-Statements
Informatique de santé - Transfert international des données personelles de santé couvertes par la directive européenne sur la protection des données personelles - Politique de sécurité de haut niveau
Zdravstvena informatika – Mednarodni prenos osebnih zdravstvenih podatkov v skladu z določili Direktive EU o varstvu podatkov – Visoka raven varnosti
Standards Content (Sample)
SLOVENIAN STANDARD SIST EN 14484:2004, 01-May-2004
© 2003 Slovenski inštitut za standardizacijo. Reproduction of this standard in whole or in part is not permitted.
Health informatics - International transfer of personal health data covered by the EU data protection directive - High level security policy
This Slovenian standard is identical to: EN 14484:2003
ICS: 35.240.80 IT applications in health care technology (Uporabniške rešitve IT v zdravstveni tehniki)

EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN 14484
December 2003
ICS 35.240.80
English version
Health informatics - International transfer of personal health data covered by the EU data protection directive - High level security policy

This European Standard was approved by CEN on 13 November 2003.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal, Slovakia, Spain, Sweden, Switzerland and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION / COMITÉ EUROPÉEN DE NORMALISATION / EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: rue de Stassart, 36, B-1050 Brussels
© 2003 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN 14484:2003 E
Annex A (informative) EU Data Protection Directive . . . 30
Annex B (informative) Useful sources of advice . . . 50
  B.1 EU Security projects . . . 50
  B.2 CEN/ISSS . . . 50
  B.3 Non-CEN Standards . . . 50
  B.4 Selected web sites . . . 51
Annex C (informative) Model declaration . . . 52
Bibliography . . . 54
Data may be collected in one country and stored in another, be processed in a third, and be accessible from many countries or even globally. The key requirement is that all this processing should be carried out in a fashion that is consistent with:
· the purposes and consents of the original data collection and, in particular;
· all disclosures of personal health data should be to appropriate individuals or organisations within these purposes and consents.

International health-related applications require health-related data to be transmitted from one nation to another across national borders. That is very evident in telemedicine or when data are electronically dispatched, for example in an email or as a data file to be added to an international database. It also occurs, but less obviously, when a database in one country is viewed from another, for example over the Internet. That application may appear passive but the very act of viewing involves disclosure of that data and is deemed 'processing'. Moreover it requires a download that may be automatically placed in a cache and held there until 'emptied'; this also is processing and involves a particular security hazard.

There is a wide range in the types of third country organisation that might be involved in receipt of personal health data from an EU Member State, for example:
· healthcare establishments such as hospitals;
· pharmaceutical companies involved in research;
· contractors remotely maintaining health care systems in EU hospitals;
· companies holding educational data bases containing, for example, radiological images with diagnoses and case notes;
· companies holding banks of medical records for patients from different countries.

In all applications involving personal health data there can be a potential threat to the privacy of an individual. That threat and its extent will depend on:
· the level to which data is protected from unauthorised access in storage or transmission;
· the number of persons who have authorised access;
· the nature of the personal health data stored;
· the level of difficulty in identifying an individual if access to the data is obtained;
Some form of risk analysis should be undertaken to ascertain the required level of security measures.

In addition to the standards bodies CEN, CENELEC, ISO and IEC there are three major trans-national bodies that have produced internationally authoritative documents relating to security and data protection:
· the European Union (EU);
· the Organisation for Economic Co-operation and Development (OECD);
· the Council of Europe;
· the United Nations (UN).

The primary documents from these bodies are:
· EU Data Protection Directive "on the protection of individuals with regard to the processing of personal data and free movement of that data" [1];
· OECD "Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data" [2];
· OECD "Guidelines for the Security of Information Systems" [3];
· Council of Europe "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" No. 108 [4];
· "Council of Europe Recommendation R(97)5 on the Protection of Medical Data" [5];
· UN General Assembly "Guidelines for the Regulation of Computerised Personal Data Files" [6].

The means and extent of the protection afforded to personal health data varies from nation to nation [7]. In some countries there is nation-wide privacy legislation, in others legislative provisions may be at a state level or equivalent. In a number of countries no legislation may exist although various codes of practice or equivalent will probably be in place and/or 'medical' laws which lay down a duty on medical practitioners to safeguard confidentiality.

Although privacy legislation in different parts of the world may mention personal health data, frequently there is no legislation specific to health except perhaps in relation to government agencies and/or medical research.

The EU Directive on Data Protection (see text in annex A) aims to create uniform legislative data protection provisions throughout the EU. The Directive also applies to non-community countries of the European Economic Area by virtue of the EEA Treaty Decision 83/1999 of 25 June 1999. The majority of countries of Central and Eastern Europe and Cyprus which are applicants to become members of the EU are also looking to introduce legislation in conformance with the Directive.

The Directive makes it permissible for personal data to be passed across EU borders. However, the transfer of personal data from an EU country to a non-EU country is controlled by Articles 25 and 26.

In essence, subject to specific 'derogations', Article 25 allows transfer of personal data to a third country only if that third country ensures an 'adequate level of protection'.

The 'adequacy of protection' is to be assessed (Article 25.2) in the light of all the circumstances with 'particular consideration' to be given to particular factors including:
· the nature of the data;
· the purpose and duration of the proposed processing operation(s);
· the rules of law applying;
· the professional rules and security measures which are complied with;
· the country concerned.

In the health context personal health data can be extremely sensitive in nature and is recognised as such by the Directive. There is extensive guidance available both nationally and internationally on 'security measures' for the protection of personal health data (see annex B).

As noted above there is in many countries a mix of general and specific legal or quasi-legal requirements covering personal health data protection plus professional codes covering ethical aspects including safeguarding
The International Medical Informatics Association is in the process of developing and accepting a code of ethics for health information professionals [18].

Article 26 of the Directive details the 'derogations' under which an EU Member State may permit transfer of personal data to a third country without an adequate level of data protection. The full list is in annex A. The derogations include where:
· the data subject has given his unambiguous consent;
· it is necessary to protect the data subject's vital interests;
· the "controller adduces adequate safeguards with respect to the privacy and fundamental rights and freedoms of individuals"; "such safeguards may in particular result from appropriate contract clauses".

Under Article 29 of the EU Directive an EU Working Party, on the Protection of Individuals with regard to Processing of Personal Data, was created. Its findings provide important interpretations and views on the Directive.

EN 14485, Health informatics - Guidance for handling personal health data in international applications in the context of the EU data protection directive [9] provides guidance on the general measures that should be taken to render permissible transfer of personal health data from an EU Member State or another country. These general measures comprise guidance for ensuring that such transfers are permissible under the Directive. Whilst it indicates the actions that a non-EU organisation should take to render such transfers permissible, the standard does not make explicit the essential elements that such an organisation should include in its security policy covering these types of international applications.

This standard addresses these aspects and provides guidance on the policy which an organisation in a non-EU country should adopt to demonstrate compliance with the measures necessary to make permissible the transfer of personal health data to it from an EU country in the context of the EU Directive.

This standard is based on the premise that all organisations processing personal health data in international applications should reflect all of their obligations under the EU Data Protection Directive in their security policies. It would be of considerable benefit to data subjects, which for health data includes patients, if all such organisations had a high level security policy addressing these matters which:
· made clear the organisation's expectations of all its staff involved in the processing of personal health data in an international application (often expressed in contracts of employment);
· was available to any data subject on request;
· was part of the documentation which would assist in reassuring an EU Supervisory Authority of an organisation's compliance with the Directive;
· would help reassure other bodies with which the organisation was associated in the context of health data.

Whereas the Directive renders it permissible for personal health data to be transferred to other EU Member States (strictly also EEA Member States), data controllers nevertheless have the obligation to ensure EU/EEA organisations have implemented necessary requirements for processing. A high level security organisation policy standard will assist EU controllers in:
· specifying and assessing the adequacy of the data protection provisions of others with whom they are dealing;
· demonstrating to others the adequacy of their own provisions.

Article 26 details allowable derogations in the context of that prohibition.

Those EU organisations seeking to engage with organisations in non-EEA countries in international applications involving personal health data will at least need to assure themselves that the non-EU party:
· is in compliance with any measures which will ensure adequacy of their data protection in the context of the EU Directive (these go beyond solely technical security aspects); or
· will ensure compliance with the terms of any derogations available.

The High Level Security Policy which this standard addresses will assist:
· EU organisations in laying down conditions on non-EEA parties to render permissible the transfer of personal health data;
· non-EU organisations in complying with the requirements of the Directive in the context of the transfer of personal health data to them from an EEA body.
Its purpose is to assist in the application of the EU Directive. The European Standard does not provide definitive legal advice but comprises guidance. When applying the guidance to a particular application legal advice appropriate to that application should be sought.

Whereas this guidance will be useful in the formulation of a high level policy for EU organisations, its scope is restricted to organisations in third countries (see definitions).

2 Normative references

Not applicable.

3 Terms and definitions

For the purposes of this European Standard, the following terms and definitions apply. Where a term is defined in the EU Data Protection Directive (Article 2) that definition is used for the purposes of this European Standard. In countries in which the EU Directive has not been implemented, other definitions for these terms may be in use and may have a legal status and therefore care should be taken in utilising this standard in those circumstances.

3.1 identifiable person
person who can be identified, directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

3.2 compliant country
country whose legislation complies with the EU Data Protection Directive and is recognised as such by the European Commission

3.3 controller
natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law

3.4 data subject
identified or identifiable natural person who is the subject of personal data

3.5 personal data
any information relating to an identified or identifiable natural person

In the definition of a third party in 3.15 below, the processor is distinguished from "the persons who under the direct authority of the controller or processor, are authorised to process the data". This implies that employees per se are not processors. This is the approach taken by some implementations of the Directive e.g. in the UK.

3.10 recipient
natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry are not regarded as recipients

3.11 data subject's consent
any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

3.12 third country
country not bound by the legal requirements of the EU Data Protection Directive

3.13 third party
any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data

3.14 Commission
Commission of the European Communities unless obviously otherwise

3.15 high level security policy
High Level Security Policy for organisations in third countries which process personal health data from EU Member States.

4 Abbreviated terms

The following abbreviated terms are used:
EEA European Economic Area;
Its result is that Member States may not restrict or prohibit the free flow of personal data between Member States for reasons of protection afforded by the Directive.

5.3 Scope: electronic and non-electronic (Article 3)

The Directive applies to the processing of personal data wholly or partly by automatic means AND to processing other than by automation. It therefore applies to data on paper as well as in electronic form and the Directive requires, inter alia, that appropriate security measures should be applied to these data also.

5.4 Principles relating to data quality (Article 6)

The controller shall ensure that personal data is:
· processed fairly and lawfully;
· collected for explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
· adequate, relevant and not excessive for the purpose;
· accurate and, where necessary, kept up to date;
· kept no longer than is necessary.

5.5 Criteria for legitimacy (Article 7)

Personal data may be processed only if one of a number of criteria is met. These include that:
· the data subject has unambiguously given his consent;
· processing is necessary to protect the vital interest of the data subject;
· processing is necessary for the performance of a contract to which the data subject is party.

These include that:
· the data subject has given explicit consent;
· processing is necessary to protect the vital interests of the data subject.

However the prohibition on processing personal health data does not apply "where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy".

5.7 Information to be given to the data subject (Article 10)

The controller must provide the data subject with specified information including:
· the identity of the controller;
· the purposes of the processing;
· any further information which is necessary for processing such as:
- the recipients of the data;
- the existence of the right of access to, and the right to rectify, data concerning him.

5.8 Right of access to data (Article 12)

The controller must guarantee to the data subject the right:
· to obtain, without constraints, at reasonable intervals and without excessive delay or expense:
- confirmation as to whether data relating to him is being processed, and any other recipients;
- communication to him of data undergoing processing and their source;
· to rectify, erase or block processing of data which does not comply with provisions of the Directive e.g. is inaccurate.

5.9 Right to object (Article 14)

The data subject must have the right:
· to object, on compelling legitimate grounds, to the processing of data relating to him. Where the objection is justified the controller may no longer process those data;
· to object to processing of personal data relating to him for the purpose of direct marketing and to be informed before such data is first disclosed to any third party for such purposes.

5.10 Security of processing (Article 17)

The controller must:
· implement appropriate technical and organisational measures to protect personal data in particular where the processing involves the transmission of data over a network. These measures shall have
is governed by a contract or legal act binding the processor to the controller stipulating in particular that the processor shall act only on instructions from the controller. The contract must be in writing or equivalent form.

5.11 Judicial remedies, liability and sanctions (Articles 22, 23 and 24)

· every person shall have the right to a judicial remedy for any breach of the rights guaranteed to him;
· any person who has suffered damage as a result of unlawful processing or any act incompatible with the Directive is entitled to receive compensation from the controller;
· each Member State must lay down the sanctions to be imposed in case of infringements of the Directive.

5.12 Supervisory Authorities (Articles 28 and 18)

Each Member State must appoint an independent Supervisory Authority with powers to investigate, intervene and to engage in legal proceedings. A controller must notify his Supervisory Authority before carrying out processing. Member States may exempt controllers from this requirement in certain circumstances e.g. if the controller appoints a personal Data Protection Official responsible for ensuring, in an independent manner, that the Directive's provisions are implemented.

5.13 Working Party on the Protection of Individuals with regard to the Processing of Personal Data (Articles 29 and 30)

The above Working Party was created through the Directive and its opinions provide significant interpretations.

5.14 Transfer of personal data to third countries

Articles 25 and 26 deal with this aspect and are considered in detail in Section 6.

6 Requirements for the transfer of personal data to third countries

6.1 General

The following is a précis of the requirements in the Directive. For the full text see annex A.

6.2 Principles (Article 25)

Transfer of personal data from an EU Member State to a third country may take place only if the third country ensures an adequate level of protection.

The adequacy of protection shall be assessed in the light of all the circumstances. Particular consideration is to be given to the nature of the data, the purpose of processing and the rules of the law, both general and sectoral, in force in the third country and the professional rules and security measures complied with in that country.

The Commission is empowered to negotiate a remedy wherever a third country is judged not to ensure an adequate level of protection.

Derogations including standard contract clauses (Article 26)

Transfer of personal data is permissible under certain conditions (derogations) including where:
· the data subject has given his consent unambiguously;
· the transfer is necessary for the performance of a contract between the data subject and the controller;
· the transfer is necessary in order to protect the vital interests of the data subject.
Such safeguards may result from appropriate contract clauses. The Commission proposes to adopt standard contractual clauses that offer sufficient contractual safeguards [10] where the recipient in the third country is a processor (but not a controller).

6.3 Ensuring transfers are permissible

No transfer of personal health data may take place from an EU Member State to a non-EU country unless permitted by the Directive. EN 14485, Health informatics - Guidance for handling personal health data in international applications in the context of the EU data protection directive [9], deals in detail with the options for ensuring transfers are permissible and should be referred to as a companion to this standard. This standard is based on the premise that, by whatever means, transfers are permissible and deals with the security policy that the third country recipient organisation should adopt to ensure and demonstrate compliance. However, since the elements of that policy have a dependence on the manner by which transfers have been rendered permissible, a brief summary is given below but without the rationale and background of the companion standard [9].

6.4 Grounds by which transfers to third countries are permissible

6.4.1 General

Annex C comprises a "Model Declaration of Grounds upon which Transfer of Personal Health Data is regarded as in compliance with the EU Data Protection Directive", taken from the companion standard [9]. It provides a succinct summary of the different grounds.

6.4.2 Members of the EEA

These countries may be regarded as equivalent to EU Member States as far as this standard is concerned.

Countries recognised as having adequate data protection provisions

The Commission might find that a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. For example this has been found for Hungary and Switzerland [11], [12]. Such countries can be regarded as equivalent to EEA countries and EU Member States as far as this standard is concerned.

6.4.3 Depersonalisation of data

The EU Directive defines personal data as "any information relating to an identified or identifiable natural person". An identifiable person is "one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity".

A solution to problems of transferring personal health data to third countries is to render the data non-personal. This may often be referred to as rendering data 'anonymous'. However the perception of anonymisation varies. In the context of this standard "anonymisation" therefore means rendering data 'non-personal' in the context of the EU Directive's definition of "personal data".

An "identifiable person" includes one who can be identified "indirectly" by reference to "one or more of the factors specific to him". Clearly such factors comprise more than name and address. A data subject may for example be identifiable by a combination of any one or more of age; sex; race; occupation; postal/zip code; income group; physiological or mental state; family characteristics etc. Additionally in the context of some health applications, images e.g. photographs, dental records, radiographs or traces such as EEGs may have details which, taken alone or together with other data such as specialty and/or identity of health organisation, would render the data as person-identifiable and thereby as personal data.

Such combinations of data elements may render as personal data that may otherwise have been considered as purely statistical. Postal/Zip Codes provide a very effective way of locating an individual within a small group. Similarly this may also occur through small numbers e.g. the number of women having triplets could be extremely small in even a large geographic area.

Rendering data non-personal thus requires attention to considerable detail. The Database Inference Problem is always theoretically soluble given sufficient resources and access to other relevant information.
However, adequate anonymisation can frequently be achieved by withholding obviously identifying information and ensuring

Clearly criteria based on the concept of excessive effort in relation to the necessary security and sensitivity of the data need to be applied to such statistics.
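The point made in 6.4.3, that age, sex and postal code identify a person in combination and that small counts (the triplets case) re-identify even in a large area, as an added example that is not part of EN 14484 or of any CEN deliverable: a k-anonymity style check (a technique the standard itself does not name) over constructed records, assuming the field names age, sex, postcode and diagnosis, a constructed generalisation ladder and a constructed threshold k.

```python
"""Added example (not from EN 14484): k-anonymity style check for the
indirect-identifier and small-numbers problems described in 6.4.3.
All records, field names, the generalisation ladder and k are constructed."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

Record = Dict[str, str]
# (age band width or None to suppress, postcode chars kept, 0 = full, None = suppress)
Step = Tuple[Optional[int], Optional[int]]

# Constructed sample extract: names removed, indirect identifiers kept.
SAMPLE_RECORDS: List[Record] = [
    {"age": "34", "sex": "F", "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"age": "36", "sex": "F", "postcode": "SW1A 2BB", "diagnosis": "asthma"},
    {"age": "52", "sex": "M", "postcode": "SW1A 1AA", "diagnosis": "diabetes"},
    {"age": "55", "sex": "M", "postcode": "SW1A 3CC", "diagnosis": "diabetes"},
    {"age": "29", "sex": "F", "postcode": "EC1A 1BB", "diagnosis": "triplet birth"},
    {"age": "31", "sex": "F", "postcode": "EC1A 2CC", "diagnosis": "migraine"},
]

QUASI_IDENTIFIERS = ("age", "sex", "postcode")

# Constructed ladder, least to most general; None suppresses the field entirely.
LADDER: List[Step] = [(1, 0), (10, 0), (10, 4), (10, 2), (20, 2), (20, None), (None, None)]


def generalise(rec: Record, age_band: Optional[int], postcode_chars: Optional[int]) -> Record:
    """Return a copy of rec with the age banded and the postcode truncated or suppressed."""
    out = dict(rec)
    if age_band is None:
        out["age"] = "*"
    elif age_band > 1:
        lower = (int(rec["age"]) // age_band) * age_band
        out["age"] = f"{lower}-{lower + age_band - 1}"
    if postcode_chars is None:
        out["postcode"] = "*"
    elif postcode_chars > 0:
        out["postcode"] = rec["postcode"].replace(" ", "")[:postcode_chars]
    return out


def equivalence_classes(records: List[Record], qids=QUASI_IDENTIFIERS) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in qids) for r in records)


def min_group_size(records: List[Record], qids=QUASI_IDENTIFIERS) -> int:
    """Smallest group: 1 means at least one record is unique on the quasi-identifiers."""
    return min(equivalence_classes(records, qids).values()) if records else 0


def small_cells(records: List[Record], k: int, qids=QUASI_IDENTIFIERS) -> List[Tuple[str, ...]]:
    """Combinations shared by fewer than k records; each one singles people out."""
    return sorted(key for key, n in equivalence_classes(records, qids).items() if n < k)


def rare_values(records: List[Record], field: str, k: int) -> List[str]:
    """Values of a non-quasi-identifier field seen fewer than k times (the 'triplets' case)."""
    return sorted(v for v, n in Counter(r[field] for r in records).items() if n < k)


def anonymise(records: List[Record], k: int) -> Tuple[Optional[Step], List[Record]]:
    """Walk the ladder until every quasi-identifier group has at least k members.

    Returns (step, generalised records), or (None, []) when even suppressing age
    and postcode leaves a group smaller than k: generalisation alone is then not
    enough and the extract should not be treated as non-personal.
    """
    for step in LADDER:
        gen = [generalise(r, *step) for r in records]
        if min_group_size(gen) >= k:
            return step, gen
    return None, []


if __name__ == "__main__":
    print("exact data, smallest group:", min_group_size(SAMPLE_RECORDS))
    step, gen = anonymise(SAMPLE_RECORDS, k=2)
    print("k=2 reached at step", step, "->", sorted(equivalence_classes(gen).items()))
    print("k=3 reachable by generalisation:", anonymise(SAMPLE_RECORDS, k=3)[0] is not None)
    print("diagnoses seen fewer than 2 times:", rare_values(SAMPLE_RECORDS, "diagnosis", 2))
```

The rare-value check matters because a diagnosis such as a triplet birth is not a quasi-identifier and so survives every step of the ladder untouched.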
In this context Paragraph 26 of the EU Directive's preamble states that: "Whereas the principles of protection must apply to any information concerning an identified or identifia
...