Health informatics — Guidance on health information privacy education in healthcare organizations

ISO/TR 18638:2017 specifies the essential educational components recommended to establish and deliver a privacy education program to support information privacy protection in healthcare organizations. The primary users of this document are those responsible for planning, establishing and delivering healthcare information privacy education to a healthcare organization. ISO/TR 18638:2017 provides the components of privacy education within the context of roles and job responsibilities. It is the responsibility of the organization to define and apply privacy protection policies and procedures and, in turn, ensure that all staff in the healthcare organization understands their privacy protection responsibilities. The scope of ISO/TR 18638:2017 covers: a) the concept of information privacy in healthcare; b) the challenges of protecting information practices in the healthcare organization; c) the components of a healthcare information privacy education program; d) basic health information privacy educational content.

Informatique de santé — Composantes éducatives destinées à garantir la confidentialité des informations relatives à la santé

General Information

Status
Published
Publication Date
31-May-2017
Current Stage
6060 - International Standard published
Due Date
03-Jan-2017
Completion Date
01-Jun-2017
Ref Project

Relations

Buy Standard

Technical report
ISO/TR 18638:2017 - Health informatics -- Guidance on health information privacy education in healthcare organizations
English language
32 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

TECHNICAL ISO/TR
REPORT 18638
First edition
2017-06
Health informatics — Guidance on
health information privacy education
in healthcare organizations
Informatique de santé — Composantes éducatives destinées à
garantir la confidentialité des informations relatives à la santé
Reference number
ISO/TR 18638:2017(E)
©
ISO 2017

---------------------- Page: 1 ----------------------
ISO/TR 18638:2017(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2017 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/TR 18638:2017(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviations. 7
5 Understanding information privacy in healthcare . 7
5.1 General concept . 7
5.2 Information privacy in healthcare. 8
5.2.1 Personal health information and privacy . 8
5.2.2 Patient’s rights on personal health information privacy . . 8
5.3 Privacy concerns . 9
5.4 Organization’s privacy protection program . 9
5.4.1 Policies and practices to protect health information . 9
5.4.2 Roles of workforce in protecting information privacy .10
5.4.3 Workforce education in protecting health information privacy .11
5.4.4 Patient’s education in protecting information privacy .11
6 Information privacy education in healthcare .11
6.1 General concepts .11
6.2 Target audience of the privacy education .12
6.3 Competencies, educational objectives and content.12
7 Examples of content modules .16
7.1 General .16
7.2 Introduction to information privacy, confidentiality and security in healthcare .16
7.3 International guidelines and principles for information privacy protection .16
7.4 National legislation, regulation and policies for information privacy protection .16
7.5 Patient’s rights on personal health information .17
7.6 Administrative policies for privacy protection .17
7.7 Technical and physical safeguards for protecting healthcare information privacy .18
8 Instructional methods, delivery mechanisms and evaluation .19
8.1 Instructors .19
8.2 Instructional methods and delivery mechanisms .19
8.3 Delivering training .19
8.3.1 Orientation and on-boarding training .19
8.3.2 Continuing education . .20
8.3.3 Education of patients .20
8.4 Evaluation methods .20
Annex A (informative) ISO/TC215 Health informatics: List of standards on privacy protection .21
e
Annex B (informative) Setting learning objectives (example) (Source: Triag Training
Group, HIPAA training playbook) .22
Annex C (informative) Level of Learning Objectives by Audience (Provided by South Korea) .24
Annex D (informative) Educational methods (examples) .26
Annex E (informative) Questions for quiz for privacy education (example) (Provided by
South Korea) .27
Bibliography .32
© ISO 2017 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/TR 18638:2017(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: w w w . i s o .org/ iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 215, Health informatics.
iv © ISO 2017 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/TR 18638:2017(E)

Introduction
Health information privacy concerns need to be addressed with the expanding adoption of health
information technology (HIT) including the use of electronic health record (EHR) systems. Both the
increasingly legislated environment around privacy and the increasing need for information sharing
between patients, providers, payers, researchers and administrators contribute to the growing need
for information privacy education in the healthcare sector. In spite of increasing awareness of and
sensitivity to patient privacy, there are no guidelines or standardization for education on privacy of the
healthcare information within healthcare organizations.
The purpose of this document is to describe the essential educational components recommended
to ensure health information privacy in a healthcare organization. This document describes the
concepts of health information privacy, the components of a privacy education program for healthcare
organizations and basic health information privacy educational content that can be applied to various
jurisdictions.
This document provides guidance for healthcare organizations for establishing and improving the
health information privacy education for their workforce.
Annex A provides the list of standards published by ISO/TC 215 that may be used to develop privacy
education in healthcare organizations as they convey specific content and approach health information
privacy protection.
© ISO 2017 – All rights reserved v

---------------------- Page: 5 ----------------------
TECHNICAL REPORT ISO/TR 18638:2017(E)
Health informatics — Guidance on health information
privacy education in healthcare organizations
1 Scope
This document specifies the essential educational components recommended to establish and deliver
a privacy education program to support information privacy protection in healthcare organizations.
The primary users of this document are those responsible for planning, establishing and delivering
healthcare information privacy education to a healthcare organization.
This document provides the components of privacy education within the context of roles and job
responsibilities. It is the responsibility of the organization to define and apply privacy protection
policies and procedures and, in turn, ensure that all staff in the healthcare organization understands
their privacy protection responsibilities.
The scope of this document covers:
a) the concept of information privacy in healthcare;
b) the challenges of protecting information practices in the healthcare organization;
c) the components of a healthcare information privacy education program;
d) basic health information privacy educational content.
2 Normative references
There are no normative references for this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http:// www .electropedia .org/
— ISO Online browsing platform: available at http:// www .iso .org/ obp
3.1
access
ability or means necessary to read, write, modify, or communicate data/information or otherwise make
use of any system resources
[SOURCE: ISO/TR 18307:2001, 3.1]
3.2
access control
means of ensuring that the resources of a data processing system can be accessed only by authorized
entities in authorized ways
[SOURCE: ISO 17090-1:2013, 3.2.1]
© ISO 2017 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/TR 18638:2017(E)

3.3
anonymization
process by which personal identifiable information (PII) (3.21) is irreversibly altered in such a way that
a PII principal (3.22) can no longer be identified directly or indirectly, either by the PII controller (3.23)
alone or in collaboration with any other party
Note 1 to entry: See pseudonymization (3.33).
[SOURCE: ISO/IEC 27038:2014, 2.1, modified]
3.4
asset
anything that has value to the organization
Note 1 to entry: There are many types of assets, including:
a) information;
b) software, such as a computer program;
c) physical, such as computer;
d) services;
e) people, and their qualifications, skills and experience, and
f) intangibles, such as reputation and image.
[SOURCE: ISO/IEC 27000: 2014, 3.6]
3.5
audit
systematic, independent, documented process for obtaining records, statements of fact or other relevant
information and assessing them objectively to determine the extent to which specified requirements
are fulfilled
[SOURCE: ISO/IEC 29110-2-1:2015, 4.7]
3.6
availability
property of data or of resources being accessible and usable on demand by an authorized entity
Note 1 to entry: This is the definition relevant to use in computer security.
[SOURCE: ISO/TS 27790:2009, 3.10]
3.7
confidentiality
property of data that indicates the extent to which these data have not been made available or disclosed
to unauthorized individuals, processes or other entities
[SOURCE: ISO/IEC 2382:2015, 2126249]
2 © ISO 2017 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/TR 18638:2017(E)

3.8
control
means of managing risk, including policies, procedures, guidelines, practices or organizational
structures, which can be administrative, technical, management or legal in nature
Note 1 to entry: Control is also used as a synonym for safeguard or countermeasure.
Note 2 to entry: Controls include any process, policy, device, practice, or other actions which modify risk.
Note 3 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO/IEC 27000:2016, 2.16]
3.9
education
knowledge, skill and understanding that you get from attending a school, college, university or
vocational teaching
Note 1 to entry: The action or process of teaching someone especially in a school, college, or university.
Note 2 to entry: A field of study that deals with the methods and problems of teaching.
Note 3 to entry: Synonyms are learning, knowledge, literacy, scholarship and enlightenment
Note 4 to entry: Education (which is concept based) is different than training (3.39) (which is skill based).
3.10
healthcare
type of services is provided by professionals or paraprofessionals with an impact on health status
[SOURCE: ISO 27799:2016, 3.3]
3.11
healthcare organization
organization involved in the direct or indirect provision of healthcare services to an individual or to a
population
[SOURCE: ISO 13606-1:2008, 3.33]
3.12
health professional
person who is authorized by a recognized body to be qualified to perform certain health duties
Note 1 to entry: The defined term is often “healthcare professional”.
[SOURCE: ISO 27799:2016, 3.5]
3.13
identifiable person
one who can be identified, directly or indirectly, in particular by reference to an identification number
or one or more factors specific to his/her physical, physiological, mental, economic, cultural or social
identity
[SOURCE: ISO 22857:2013, 3.7]
3.14
information privacy
rights and obligations of individuals and organizations with respect to the collection, use, retention,
disclosure and disposal of personal information
[SOURCE: ISO/TS 14441:2013, 3.26]
© ISO 2017 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/TR 18638:2017(E)

3.15
information security
protection of information from (accidental or intentional) unauthorized access, use, disclosure,
disruption, modification or destruction
[SOURCE: ISO/TS 21547:2010, 3.2.24]
3.16
media
means by which information is perceived, expressed, stored or transmitted
EXAMPLE Audio, video, (animated) graphics, images, text.
Note 1 to entry: Medium (plural media).
[SOURCE: ISO/IEC 14478-1:1998, 3.2.2]
3.17
patient
subject of care consisting of one person
[SOURCE: ISO 13606-2:2008, 4.13]
3.18
personal information
information about an individual which can be used to identify that individual
Note 1 to entry: The specific information used for this identification will be that defined by national legislation.
Note 2 to entry: See personal identifiable information (PII) (3.21).
[SOURCE: ISO/IEC 27011:2008, 3.1.5]
3.19
personal health information
information about an identifiable person that relates to the physical or mental health of the individual
[SOURCE: ISO 27799:2016, 3.8]
3.20
personal health record
PHR
representation of information regarding or relevant to the health, including wellness, development, and
welfare of a subject of care, which may be stand-alone or integrating health information from multiple
sources, and for which the individual, or their authorized representative, manages and controls the PHR
content and grants permissions for access by and/or sharing with other parties
[SOURCE: ISO/TR 14639-2:2014, 2.60]
3.21
personal identifiable information
PII
information about a person that can be used to identify that individual
Note 1 to entry: The specific information used for this identification will be that defined by national legislation.
Note 2 to entry: See personal health information (3.19) and pseudonymization (3.33).
[SOURCE: ISO/IEC 27011:2008, 3.1.5]
4 © ISO 2017 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/TR 18638:2017(E)

3.22
personal identifiable information principal
PII principal
person who granted/entrusted an organization with the ability to manage his/her PII
Note 1 to entry: See pseudonymization (3.33).
3.23
personal identifiable information controller
PII controller
person designated by an organization to control access to PII
Note 1 to entry: See pseudonymization (3.33).
3.24
policy
set of rules such as legal, political, organizational which can be expressed as obligations, permissions or
prohibitions
Note 1 to entry: Adapted from ISO/TS 22600-1:2014, 3.13.
[SOURCE: ISO/TR 14639-1:2012]
3.25
privacy
freedom from intrusion into the private life or affairs of an individual when that intrusion results from
undue or illegal gathering and use of data about that individual
[SOURCE: ISO/TS 27790:2009, 3.56]
3.26
privacy in healthcare
right of an individual to keep oneself and one`s health information concealed or hidden from
unauthorized access and view by others that rests on the principle of confidentiality between healthcare
providers and patients
3.27
privacy breach
situation where personal information (3.18) is collected, accessed, used or disclosed in an unlawful
manner or in violation of one or more relevant privacy policies
[SOURCE: ISO/TS 17975:2015, 3.26]
3.28
privacy manager
individual designated as a privacy official, who manages personal information directly or via another
person as part of his/her duties, who is responsible for developing and implementing its privacy policies
and procedures or a contact person or contact office responsible for receiving complaints and providing
individuals with information on the healthcare organization’s privacy practice
3.29
privacy protection
capacity to control when, how and to what degree information about oneself is communicated to others
3.30
privacy stakeholders
individuals involved in privacy protection (3.29) including PII principal (3.22), PII controller (3.23),
privacy manager (3.28) and other defined by the national regulation
© ISO 2017 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/TR 18638:2017(E)

3.31
procedure
specified way to carry out an activity or a process
[SOURCE: ISO 30000:2009, 3.12]
3.32
provider
person or organization that is involved in or associated with delivery of health care to a subject of care,
or caring for the well-being of a subject of care
Note 1 to entry: A provider in this context includes not only healthcare providers, but also those directly involved
in the provision of services to patients.
Note 2 to entry: The defined term is often “healthcare professional”. A convention has been adopted in this
document whereby the term “healthcare” is abbreviated to “health” when used in an adjectival form. When used
in a noun form, the word “care” is retained but as a separate word (e.g. delivery of health care).
[SOURCE: ISO/TS 27527:2010, 3.6]
3.33
pseudonymization
process applied to personal identifiable information (PII) (3.21) which replaces identifying information
with an alias
Note 1 to entry: Synonym is reduction, masking.
Note 2 to entry: Pseudonymization can be performed either by PII principals (3.22) themselves or by PII controllers
(3.23). See PII, PII principal and PII controller.
Note 3 to entry: Pseudonymization can be employed by PII principal to consistently use a resource or service
without disclosing his/her identity to this resource or service (or between services), while still being held
accountable for that use.
Note 4 to entry: Pseudonymization does not rule out the possibility that there might be (a restricted set
of) privacy stakeholders other than the PII principle controller of the pseudonymized data which are able to
determine the PII principal’s identity based on the alias and data linked to it.
[SOURCE: ISO/IEC 29100:2011, 2.24]
3.34
review
verification of the suitability, adequacy and effectiveness of selection and determination activities, and
the results of these activities, with regard to the fulfilment of specified requirements by an object of
conformity assessment
[SOURCE: ISO/TS 14441:2013, 3.44]
3.35
risk
combination of the probability of occurrence of harm and the severity of that harm
[SOURCE: ISO 10377:2013, 2.16]
3.36
risk management
coordinated activities to direct and control an organization with regard to risk (3.35)
[SOURCE: ISO/TS 16901:2015, 3.32]
6 © ISO 2017 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/TR 18638:2017(E)

3.37
subject of care
one or more persons scheduled to receive, receiving, or having received a health service
[SOURCE: ISO/TS 18308:2011, 3.47]
3.38
threat
potential cause of an unwanted incident that may result in harm to a system or organization
3.39
training
process by which someone is taught the skills that are needed for an art, profession or job
Note 1 to entry: The action of teaching a person or animal a particular skill or type of behaviour.
Note 2 to entry: The action of undertaking a course of exercise and diet in preparation for a sporting event.
Note 3 to entry: Exercise, exercises, working out, conditioning.
Note 4 to entry: See education (3.9).
3.40
workforce
people who provide a service or labor to contribute to business or organizational outcomes
[SOURCE: ISO 30409:2016, 10.1]
4 Abbreviations
EHR electronic health record
EN European Norm (Standard)
EU European Union
HIT health information technology
ID identification
ICT information and communication technology
OECD Organization for Economic Cooperation and Development
PHI personal health information
5 Understanding information privacy in healthcare
5.1 General concept
The internet and emerging health information and communication technologies are changing the way
that health professionals and the public gain access to health information, resulting in an expectation for
the increased use of such information. Although personal health information is personally private data,
such information may be used for public health, clinical research, medical education, policy making,
legislation enforcement, accreditation and other purposes for the betterment of society. Healthcare
organizations should develop a comprehensive approach to enable adequate protection of health
information privacy for their patients. Workforce education regarding health information privacy
should be an integral part of this approach including guidance on when and how health information
should be protected with regards to the specific workforce roles.
© ISO 2017 – All rights reserved 7

---------------------- Page: 12 ----------------------
ISO/TR 18638:2017(E)

Privacy education in a healthcare organization is a set of educational resources tailored to the roles of
the workforce involved in the creation, management, sharing, use and re-use of health information. The
education should be built upon agreed international concepts and standards on the topic of information
privacy, in general, and health information privacy, specifically. Jurisdictional legislation should be
considered in the design and implementation of organizational policies and the procedures of the
privacy protection program as well as being an educational component of such a program. Educational
requirements need to be inclusive of local settings and legislation. Furthermore, these requirements
should consider information privacy and healthcare goals in the context of clinical care and other
information use.
5.2 Information privacy in healthcare
5.2.1 Personal health information and privacy
Health information contains unique sensitivity characteristics in terms of privacy. Personal health
information includes wide range of patient demographics including name, identification numbers,
address, phone number, education, marital status, socio-economic status and other individually
identifiable data points. Personal health information also includes data about physical and mental
health status, provision of healthcare services to a subject of care or payment for healthcare services
provided to a subject of care. It is collected or created in the context of scheduling delivery or payment
for a healthcare service including:
a) registration and identity verification of the individual for the provision of healthcare services;
b) information about the individual that is collected or created during the provision of healthcare
services to the individual;
c) information about the workforce involved in the provision of healthcare services to the individual;
d) results derived during the provision of healthcare services to the individual including test or
examination results, medications prescribed and other.
Such information may be considered sensitive by the person to whom it relates.
Personal health information may be shared with multiple providers involved in the provision of
healthcare services to the individual. In addition, this information can be re-used for a wide array of
purposes, such as clinical research, public health, training and other health related activities.
Personal health information that is collected during the delivery of healthcare services is recorded
in health records. It can reside in various media including paper records, electronic records, mobile
applications, films, specimens, etc. This information is collected, maintained, transmitted, stored,
used and re-used by workforce involved in the healthcare delivery. Therefore, it is the responsibility
of the healthcare organization as well as its workforce to protect privacy of health information for the
patients.
5.2.2 Patient’s rights on personal health information privacy
According to the 2002 guidelines on the protection of privacy and trans-border flows of personal data
from the Organization of Economic Cooperation and Development (OECD), priv
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.