ISO/TS 17975:2015
Health informatics — Principles and data requirements for consent in the Collection, Use or Disclosure of personal health information
ISO/TS 17975:2015 defines the set of frameworks of consent for the Collection, Use and/or Disclosure of personal information by health care practitioners or organizations that are frequently used to obtain agreement to process the personal health information of subjects of care. The purpose is to provide an Informational Consent framework which can be specified and used by individual policy domains (e.g. healthcare organizations, regional health authorities, jurisdictions, countries) as an aid to the consistent management of information in the delivery of health care services and the communication of electronic health records across organizational and jurisdictional boundaries.

The scope of application of this Technical Specification is limited to Personal Health Information (PHI) as defined in ISO 27799, "information about an identifiable person that relates to the physical or mental health of the individual, or to provision of health services to the individual. This information might include:
- information about the registration of the individual for the provision of health services;
- information about payments or eligibility for health care in respect to the individual;
- a number, symbol or particular code assigned to an individual to uniquely identify the individual for health purposes;
- any information about the individual that is collected in the course of the provision of health services to the individual;
- information derived from the testing or examination of a body part or bodily substance;
- identification of a person, e.g. a health professional, as a provider of healthcare to the individual."

Good practice requirements are specified for each framework of Informational Consent. Adherence to these requirements is intended to assure the subject of care, and any parties that process personal health information, that consent to do so has been properly obtained and correctly specified.
ISO/TS 17975:2015 is intended to be used to inform:
- discussion of national or jurisdictional Informational Consent policies;
- ways in which individuals and the public are informed about how personal health information is processed within organizations providing health services and health systems;
- how to judge the adequacy of the information provided when seeking Informational Consent;
- design of both paper and electronic Informational Consent declaration forms;
- design of those portions of electronic privacy policy services and security services that regulate access to personal health data;
- working practices of organizations and personnel who obtain or comply with consent for processing personal health information.

ISO/TS 17975:2015 does not:
- address the granting of consent to the delivery of healthcare-related treatment and care. Consent to the delivery of care or treatment has its own specific requirements, and is distinct from Informational Consent. Note that as Consent to Treatment and Care is outside the scope of this Technical Specification, the phrase "Informational Consent" is hereafter supplanted by the shorter "consent". In every case, it is Informational Consent that is intended;
- specify any jurisdiction's legal requirements or regulations relating to consent. The focus is on frameworks, not on jurisdictional legislation or its adequacy in any given jurisdiction. While care has been taken to design the frameworks so that they do not conflict with the legislation in most jurisdictions, they might challenge some existing practices. This Technical Specification uses an approach that allows organizations or jurisdictions to select the subset of those frameworks which best fits their law, culture and approach to data sharing;
- specify what consent framework is to be applied to a data classification or data purpose, as this may vary according to law or policy, although some examples of implementation profiles are provided in an informative Annex;
- determine the legal adequacy of the informati
French title: Informatique de santé — Principes et exigences des données pour le consentement dans la collecte, l'utilisation ou la divulgation d'informations de santé personnelles
Standards Content (Sample)
TECHNICAL SPECIFICATION ISO/TS 17975
First edition
2015-09-15
Health informatics — Principles and data requirements for consent in the Collection, Use or Disclosure of personal health information
French title: Informatique de santé — Principes et exigences des données pour le consentement dans la collecte, l'utilisation ou la divulgation d'informations de santé personnelles
© ISO 2015
© ISO 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2015 – All rights reserved
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 2
3 Terms and definitions . 2
4 Symbols and abbreviated terms . 7
5 Consent requirements . 7
5.1 General . 7
5.2 What is Informational Consent? . 8
5.3 Consent to Treatment versus Informational Consent . 8
5.4 How consent relates to privacy, duty of confidence and to Authorization . 8
5.5 Relationship of consent to OECD Guidelines . 9
5.6 Relationship of consent to legislation . 9
5.7 Expectations and rights of the individual .10
5.8 Consent Directives .10
5.9 Consent is related strongly to Purpose of Use .10
5.10 Consent to Collect and Use versus Consent to Disclose .11
5.11 Consent is applicable to specified data .12
5.12 Consent related to Disclosure .12
5.13 Exceptional access .12
5.14 Challenges associated with obtaining consent .13
6 Consent frameworks .13
6.1 Giving consent meaning .13
6.2 Types of consent .15
6.3 Detailed requirements .16
6.3.1 Express or Expressed (informed) Consent .16
6.3.2 Implied (Informed) Consent .18
6.3.3 No Consent Sought .19
6.3.4 Assumed Consent (Deemed Consent) .20
7 Mechanisms and process: Denial, Opt-in and Opt-out, and Override .21
7.1 Express or Expressed (and Informed) Denial .21
7.2 Opt-in and Opt-out .22
7.2.1 Opt-in .22
7.2.2 Opt-out .22
7.3 Override .22
8 Minimum data requirements .22
Annex A (informative) Consent framework diagrams .24
Annex B (informative) Jurisdictional implementation examples .30
Bibliography .34
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the ISO web page "Foreword - Supplementary information".
The committee responsible for this document is ISO/TC 215, Health informatics.
Introduction
This Technical Specification (TS) defines several frameworks for Informational Consent in healthcare (i.e. Consent to Collect, Use or Disclose personal health information). These are frequently used by organizations who wish to obtain agreement from individuals in order to process their personal health information. Requirements arising from good practices are specified for each framework. Adherence to these requirements will assure the individual, as well as the parties who process personal health information, that consent to do so has been properly obtained and correctly specified. This Technical Specification covers situations involving Informational Consent in routine healthcare service delivery. There may be situations involving new and possibly difficult circumstances which are not covered in detail, but even in these situations the principles herein can still form the basis for potential resolution.
As described in 5.6, none of the frameworks described are legally mandated, and it is important to note that a jurisdiction's laws might align with one, some or even none of the frameworks described. While this Technical Specification seeks to describe what are commonly accepted as the requirements for a given framework, a jurisdiction's legal requirements may supersede the requirements described herein, and so might not permit the requirements as described to be applied absolutely.
In order to align with internationally accepted privacy principles, this Technical Specification is based on two international agreements. The first is the set of privacy principles specified by the Organization for Economic Co-operation and Development and known as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These principles form the basis for legislation in many jurisdictions, and for policies addressing privacy and data protection. International policy convergence around these privacy principles has continued since they were first devised. The principles require the consent of the individual for data processing activities.
The second international agreement used is the Declaration of Helsinki, which is used to define essential characteristics of best practices in Informational Consent management. The Declaration is a set of ethical principles regarding human experimentation. It was developed for the medical community by the World Medical Association (WMA) and is widely regarded as a cornerstone document of human research ethics. While this agreement applies directly to research on human subjects, it is intimately related to data processing, and can therefore be readily applied to the detailed requirements for Informational Consent management. It is important to note that in the context of the Declaration of Helsinki, the characteristics of Informational Consent were defined and developed over a number of revisions in order to remain relevant to contemporary society.
This Technical Specification specifies that a record be retained of the set of agreements and constraints granted via an Informational Consent process, and that the results of that process be made available to other parties to whom the corresponding personal health information is subsequently disclosed (see 5.10). It also defines a list of essential characteristics that the Informational Consent record should possess. These characteristics can be represented within information handling policies and used as part of an automated negotiation between healthcare information systems to regulate processing and exchange of personal health information.
Interoperability standards and their progressive adoption by e-health programmes expand the capacity for information systems to capture, use and exchange clinical data. For this to occur on a wide scale, the majority of decisions regarding the processing of data will need to take place computationally and automatically. This will in turn require privacy policies to be defined in ways that are themselves interoperable, so that interactions between heterogeneous systems and services are consistent from a security perspective and supportive of policy (bridging) decisions regarding the processing of personal health information.
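The automated policy decision the two paragraphs above describe (a retained consent record that accompanies disclosed PHI and is evaluated by the receiving system) can be made concrete with a small illustration. The Python below is an added example written for this page; it is not text or code from ISO/TS 17975, and the record fields, class names and sample data are this example's own assumptions (the TS's actual minimum data set is in clause 8, which is not reproduced here). It models a consent directive bound to a purpose of use, to specified data classes and to named disclosure recipients, distinguishes a Use by the holding organization from a Disclosure to another organization, treats express denial or opt-out as blocking, and permits an exceptional-access override only with a mandatory audit flag.

```python
"""Consent-directive evaluation, an illustration written for this page.
Field names, sample record and sample PHI are constructed assumptions;
they are not the minimum data set of ISO/TS 17975 clause 8."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class ConsentRecord:
    """What the subject of care agreed to, retained by the data holder."""
    subject_id: str
    holder_org: str                 # organization that collected the PHI
    purposes: FrozenSet[str]        # purposes of use covered (clause 5.9)
    data_classes: FrozenSet[str]    # the specified data the consent applies to (5.11)
    disclose_to: FrozenSet[str]     # organizations that may receive disclosures (5.12)
    valid_until: Optional[date] = None
    denied: bool = False            # express denial or opt-out (7.1, 7.2.2)


@dataclass(frozen=True)
class AccessRequest:
    subject_id: str
    requester_org: str
    purpose: str
    data_class: str
    requested_on: date
    override_reason: Optional[str] = None   # non-empty: exceptional access (5.13, 7.3)


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str
    audit_required: bool = False


def evaluate(rec: ConsentRecord, req: AccessRequest) -> Decision:
    """Decide one request against one consent record. Identity is checked first
    so an override can never be applied to another subject's record; the override
    is checked before the directive because break-glass access must remain
    possible even after a denial, but it is always flagged for audit."""
    if req.subject_id != rec.subject_id:
        return Decision(False, "consent record does not belong to this subject")
    if req.override_reason:
        return Decision(True, "override: " + req.override_reason, audit_required=True)
    if rec.denied:
        return Decision(False, "subject has denied consent or opted out")
    if rec.valid_until is not None and req.requested_on > rec.valid_until:
        return Decision(False, "consent has expired")
    if req.purpose not in rec.purposes:
        return Decision(False, "purpose '%s' not covered" % req.purpose)
    if req.data_class not in rec.data_classes:
        return Decision(False, "data class '%s' not covered" % req.data_class)
    # Collect/Use versus Disclose (5.10): a request from the holder is a Use;
    # any other organization is a Disclosure and needs its own permission.
    if req.requester_org != rec.holder_org and req.requester_org not in rec.disclose_to:
        return Decision(False, "disclosure to '%s' not permitted" % req.requester_org)
    return Decision(True, "permitted by consent directive")


def check(rec: ConsentRecord, org: str, purpose: str, data_class: str,
          iso_date: str, override_reason: Optional[str] = None) -> Decision:
    """String-argument wrapper around evaluate (date as YYYY-MM-DD)."""
    req = AccessRequest(rec.subject_id, org, purpose, data_class,
                        date.fromisoformat(iso_date), override_reason)
    return evaluate(rec, req)


def package_for_disclosure(rec: ConsentRecord, phi: dict, to_org: str,
                           purpose: str, iso_date: str) -> dict:
    """Bundle only the permitted data classes together with the consent record
    itself, so the recipient can re-evaluate the same constraints before any
    further processing (the consent outcome accompanies the disclosed PHI, 5.10)."""
    released = {dc: payload for dc, payload in phi.items()
                if check(rec, to_org, purpose, dc, iso_date).permit}
    return {"consent": rec, "data": released}


# Constructed sample data (not from the TS): an express consent for treatment,
# covering lab results and medications, with lab-b as the only permitted
# disclosure recipient, valid for one year; and a second subject who opted out.
SAMPLE_CONSENT = ConsentRecord(
    subject_id="pat-0001", holder_org="clinic-a",
    purposes=frozenset({"treatment"}),
    data_classes=frozenset({"lab_results", "medications"}),
    disclose_to=frozenset({"lab-b"}),
    valid_until=date(2016, 9, 15),
)
SAMPLE_DENIED = ConsentRecord(
    subject_id="pat-0002", holder_org="clinic-a",
    purposes=frozenset({"treatment"}), data_classes=frozenset({"lab_results"}),
    disclose_to=frozenset(), denied=True,
)
SAMPLE_PHI = {
    "lab_results": {"hba1c": "6.1 %"},
    "medications": ["metformin"],
    "mental_health_notes": "not covered by the directive; must stay with clinic-a",
}
```

`package_for_disclosure` releases only the data classes the directive covers and attaches the record itself, so the recipient re-runs `evaluate` against the same constraints instead of trusting the sender's decision. The order of checks is the security-relevant part: identity before override, so a mismatched record can never be overridden into, and override before the directive, so break-glass access is possible but never silent.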
A list of defined essential characteristics makes up the record of the agreements granted via an Informational Consent process so as to be made available
...