Health informatics — Principles and data requirements for consent in the collection, use or disclosure of personal health information

This document defines the set of consent frameworks for the collection, use and/or disclosure of personal information by healthcare practitioners or organizations that are frequently used to obtain agreement to process the personal health information of subjects of care. Its purpose is to provide an informational consent framework which can be specified and used by individual policy domains (e.g. healthcare organizations, regional health authorities, jurisdictions, countries) as an aid to the consistent management of information in the delivery of healthcare services and the communication of electronic health records across organizational and jurisdictional boundaries. This document is applicable to Personal Health Information (PHI). Good practice requirements are specified for each framework of informational consent. Adherence to these requirements is intended to assure any subject of care, and any parties that process personal health information, that agreement to do so has been properly obtained and correctly specified.

The document is intended to be used to inform:
— discussion of national or jurisdictional informational consent policies;
— ways in which individuals and the public are informed about how personal health information is processed within organizations providing health services and health systems;
— how to judge the adequacy of the information provided when seeking informational consent;
— design of both paper and electronic informational consent declaration forms;
— design of those portions of electronic privacy policy services and security services that regulate access to personal health data;
— working practices of organizations and personnel who obtain or comply with consent for processing personal health information.

The document does not:
— address the granting of consent to the delivery of healthcare-related treatment and care. Consent to the delivery of care or treatment has its own specific requirements, and is distinct from informational consent;
— specify what consent framework is applicable to a data classification or data purpose, as this can vary according to law or policy, although an example implementation profile is provided in Annex B;
— specify the data format used when consent status is communicated. The focus is on the information characteristics of consent, and not the technology or medium in which the characteristics are instantiated;
— specify how individuals giving Informed Consent come to be informed of the responsibilities, obligations and consequences related to granting consent;
— specify requirements on how individuals are informed of the specifics of the data, data sharing or data processing concerned;
— specify requirements on how consent itself or the specific activities of the consent process are recorded. Specific requirements on recording consent in EHR systems are given in ISO/TS 14441:2013, 5.3.2;
— specify any information security requirements, e.g. the use of encryption or specific forms of user authentication (see e.g. ISO 27799).

Informatique de santé — Principes et exigences des données pour le consentement dans la collecte, l'utilisation ou la divulgation d'informations de santé personnelles

General Information

Status
Published
Publication Date
01-Nov-2022
Current Stage
9020 - International Standard under periodical review
Start Date
15-Oct-2025
Completion Date
15-Oct-2025
Technical specification
ISO/TS 17975:2022 - Health informatics — Principles and data requirements for consent in the collection, use or disclosure of personal health information. Released: 2.11.2022
English language
33 pages

Standards Content (Sample)


TECHNICAL SPECIFICATION ISO/TS 17975
Second edition
2022-11
Health informatics — Principles and
data requirements for consent in
the collection, use or disclosure of
personal health information
Informatique de santé — Principes et exigences des données pour
le consentement dans la collecte, l'utilisation ou la divulgation
d'informations de santé personnelles
Reference number
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents (page)
Foreword ..... iv
Introduction ..... v
1 Scope ..... 1
2 Normative references ..... 2
3 Terms and definitions ..... 2
4 Abbreviated terms ..... 6
5 Consent requirements ..... 6
5.1 General ..... 6
5.2 Informational consent ..... 7
5.3 Consent to treatment versus informational consent ..... 7
5.4 How consent relates to privacy, duty of confidence and to authorization ..... 7
5.5 Relationship of consent to OECD guidelines ..... 8
5.6 Relationship of consent to legislation ..... 8
5.7 Expectations and rights of the individual ..... 9
5.8 Consent directives ..... 9
5.9 Consent is related strongly to purpose of use ..... 9
5.10 Consent to collect and use versus consent to disclose ..... 10
5.11 Consent is applicable to specified data ..... 11
5.12 Consent related to disclosure ..... 11
5.13 Exceptional access ..... 11
5.14 Challenges associated with obtaining consent ..... 12
6 Consent frameworks ..... 12
6.1 Giving consent ..... 12
6.2 Types of consent sta ..... 14
6.3 Detailed requirements ..... 15
6.3.1 Express or expressed (informed) consent ..... 15
6.3.2 Implied (informed) consent ..... 17
6.3.3 No consent sought ..... 18
6.3.4 Assumed consent (deemed consent) ..... 19
7 Mechanisms and process: denial, opt-in and opt-out, and override ..... 20
7.1 Express or expressed (and informed) denial ..... 20
7.2 Opt-in and opt-out ..... 21
7.2.1 General ..... 21
7.2.2 Opt-in ..... 21
7.2.3 Opt-out ..... 21
7.3 Override ..... 21
8 Minimum data requirements ..... 21
Annex A (informative) Consent framework diagrams ..... 23
Annex B (informative) Jurisdictional implementation examples ..... 29
Bibliography ..... 33
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 215, Health informatics.
This second edition cancels and replaces the first edition (ISO/TS 17975:2015), which has been
technically revised.
The main changes are as follows:
— editorial revision;
— Clause 2 and the bibliography have been updated.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
This document defines several frameworks for informational consent in healthcare. These are
frequently used by organizations who wish to obtain agreement from individuals in order to process
their personal health information.
NOTE Various terms are used to refer to the recipients of healthcare services. The terms patients, subjects
of care, data subjects, persons or clients are all used, depending upon the relationship of the individual with the
data collector and the circumstances or setting of the transaction.
Requirements arising from good practices are specified for each framework. Adherence to these
requirements will assure the individual, as well as the parties who process personal health
information, that consent to do so has been properly obtained and correctly specified. This document
covers situations involving informational consent in routine healthcare service delivery. There can be
situations involving new and possibly difficult circumstances which are not covered in detail, but even
in these situations the principles herein can still form the basis for potential resolution.
In order to align with internationally accepted privacy principles, this document is based on two
international agreements. The first is the set of privacy principles specified by the Organization for
Economic Co-operation and Development and known as the OECD Guidelines on the Protection of
Privacy and Transborder Flows of Personal Data. These principles form the basis for legislation in many
jurisdictions, and for policies addressing privacy and data protection. International policy convergence
around these privacy principles has continued since they were first devised. The principles require the
consent of the individual for data processing activities.
The second international agreement used is the Declaration of Helsinki, which is used to define essential
characteristics of best practices in informational consent management. The Declaration of Helsinki is a
set of ethical principles regarding human experimentation. It was developed for the medical community
by the World Medical Association (WMA) and is widely regarded as a cornerstone document of human
research ethics. While this agreement applies directly to research on human subjects, it is intimately
related to data processing, and can therefore be readily applied to the detailed requirements for
informational consent management. In the context of the Declaration of Helsinki, the characteristics
of informational consent were defined and developed over a number of revisions in order to remain
relevant to contemporary society.
This document specifies that a record be retained of the set of agreements and constraints granted
via an informational consent process, and that the results of that process be made available to other
parties to whom the corresponding personal health information is subsequently disclosed (see 5.10).
It also defines a list of essential characteristics that the informational consent record should possess.
These characteristics can be represented within information handling policies and used as part of an
automated negotiation between healthcare information systems to regulate processing and exchange
of personal health information.
Interoperability standards and their progressive adoption by e-health programmes expand the
capacity for information systems to capture, use and exchange clinical data. For this to occur on a wide
scale, the majority of decisions regarding the processing of data will need to take place computationally
and automatically. This will in turn require privacy policies to be defined in ways that
...
