ISO/TS 18308:2004

TECHNICAL ISO/TS
SPECIFICATION 18308
First edition
2004-02-01

Health informatics — Requirements for
an electronic health record architecture
Informatique de santé — Exigences relatives à l'architecture de
l'enregistrement électronique en matière de santé




Reference number
ISO/TS 18308:2004(E)
©
ISO 2004

---------------------- Page: 1 ----------------------
ISO/TS 18308:2004(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2004 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/TS 18308:2004(E)
Contents Page
Foreword. iv
Introduction . v
1 Scope. 1
2 Normative references . 1
3 Terms and definitions. 2
4 EHR architecture requirements framework. 7
5 EHR architecture requirements . 9
5.1 STR 1 — STRUCTURE . 9
5.2 PRO 2 — PROCESS . 14
5.3 COM 3 — COMMUNICATION. 17
5.4 PRS 4 — PRIVACY AND SECURITY . 17
5.5 MEL 5 — MEDICO-LEGAL . 19
5.6 ETH 6 — ETHICAL. 20
5.7 COC 7 — CONSUMER/CULTURAL. 21
5.8 EVO 8 — EVOLUTION. 22
Annex A (informative) Methodology for the development of this Technical Specification . 23
Bibliography (sources of EHR requirements) . 26

© ISO 2004 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/TS 18308:2004(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
In other circumstances, particularly when there is an urgent market requirement for such documents, a
technical committee may decide to publish other types of normative document:
 an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical experts in
an ISO working group and is accepted for publication if it is approved by more than 50 % of the members
of the parent committee casting a vote;
 an ISO Technical Specification (ISO/TS) represents an agreement between the members of a technical
committee and is accepted for publication if it is approved by 2/3 of the members of the committee casting
a vote.
An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for a
further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or ISO/TS is
confirmed, it is reviewed again after a further three years, at which time it must either be transformed into an
International Standard or be withdrawn.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TS 18308 was prepared by Technical Committee ISO/TC 215, Health informatics.
iv © ISO 2004 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/TS 18308:2004(E)
Introduction
0.1 Overview
Before building a computer program for an electronic health record (EHR) system (or for any other application)
it is imperative to have a clear and detailed set of user and technical requirements. Equally, it is imperative to
develop a clear and detailed set of requirements for an EHR architecture for using, sharing, and exchanging
electronic health records, independent of the technology used to implement the EHR system. It should also be
independent of current organization structures. Many health informatics experts and healthcare professionals
believe it should be possible to develop an international standard for a comprehensive and widely applicable
architecture for the EHR globally. However, this cannot be achieved until the requirements for such a standard
have first been specified and agreed. That is the principal purpose of this Technical Specification.
There has already been a large volume of work done internationally over the past decade on public domain
EHR architecture requirements. In very broad terms the requirements for a truly global EHR should ensure
that it can be used, shared, and exchanged between clinicians of all disciplines, across all sectors of health,
different countries, and different models of healthcare and healthcare delivery. It should also support
secondary uses such as research, epidemiology, population health, health administration, financing, and
health service planning. Finally, it should facilitate the evolution of existing systems as well as the construction
of new systems.
0.2 What is an EHR?
Before defining the EHR architecture, it is first necessary to agree on the meaning and scope of the EHR itself.
There is as yet no single ISO definition of the EHR. A number of common definitions for the EHR from a
variety of different organizations are listed in Clause 3. These definitions range from very succinct to quite
lengthy and encompass a range of somewhat different scopes. This is not surprising since several of these
definitions originally referred to the more or less variant names for the EHR including the EHCR (Electronic
Health Care Record), EPR (Electronic Patient Record), CPR (Computerized Patient Record), and EMR
(Electronic Medical Record). Whilst it is recognised that these terms are sometimes given different shades of
meaning in different countries and different health sectors (e.g. the English NHS makes a distinction between
the EHR and the EPR), it is intended that the requirements in this Technical Specification will generally apply
to all of these variants.
0.3 What is an EHR architecture?
The principal definition of an electronic health record architecture (EHRA) used in this Technical Specification
is:
“the generic structural components from which all EHRs are built, defined in terms of an information model”.
A more descriptive definition is:
“a model of the generic features necessary in any electronic healthcare record in order that the record may be
communicable, complete, a useful and effective ethico-legal record of care, and may retain integrity across
systems, countries, and time. The Architecture does not prescribe or dictate what anyone stores in their
healthcare records. Nor does it prescribe or dictate how any electronic healthcare record system is
implemented. . [It] places no restrictions on the types of data which can appear in the record, including those
which have no counterpart in paper records. . Details like “field sizes”, coming from the world of physical
databases, are not relevant to the electronic healthcare record Architecture.” (EU-CEN, 1997)
Note that the exclusions specified in this definition highlight the ability of an EHR architecture to encompass a
variety of different EHR implementations to suit different purposes. For example, the definitions of EHR
architecture above make no assumptions about the healthcare system of any country or region. They also
© ISO 2004 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/TS 18308:2004(E)
make no assumptions about the granularity of information in the record or the temporal nature of the record. A
hospital ICU record is an episodic record and is likely to be more granular than a longitudinal primary care
record but both should be able to conform to a well constructed EHR architecture which meets the
requirements in this Technical Specification.
The EHR architecture should be broadly applicable to all healthcare sectors, professional healthcare
disciplines, and methods of healthcare delivery. A “consumer” or “personal” EHR should be able to conform to
the same EHR architecture as a more traditional EHR used by providers such as medical specialists, nurses,
general practitioners and providers of allied health services. The same EHR architecture should be applicable
to all variants of the EHR, regardless of whether these are called an EMR, EHCR, EPR, CPR, PHR or
whatever.
An open standardised EHR architecture is the key to interoperability at the information level. A standardised
EHR architecture enables the whole or parts of the EHR to be shared and exchanged between authorized
members of a multi-disciplinary care team, including the patient/consumer, independently of any particular
EHR system. EHR information conforming to a standardised EHR architecture should be capable of being
accepted, processed and presented by an EHR system that uses the EHR architecture irrespective of the
source application or the operating system, database, and hardware on which the EHR system depends.
0.4 Methodology for the development of this Technical Specification
The EHR requirements in this Technical Specification are derived from over 30 primary sources which were
found by extensive literature search and input from member countries. This initial set of over 700 source
requirements was reduced to around 600 by the exclusion of duplicate requirements statements and
requirements which clearly related to EHR systems rather than to the record. A hierarchical framework of
headings for different types of requirements was developed and successively refined during the project. The
final stage of the project was the development of a smaller consolidated set of 123 requirements which
encapsulate the larger set of source requirements and which use a consistent format of presentation. Further
background on the development methodology is contained in Annex A.
The following sub-sections “Purpose of the EHR” and “Principles underpinning the EHR” have been derived
from the EHR requirements source material. The “Purpose of the EHR” is derived principally from GEHR-08,
1994, with some modification. The “Principles underpinning the EHR” is an amalgam of material from several
sources of the original requirements. A short list of EHR characteristics from EHR Design Principles
(openEHR, 2002) is also included. These three sub-sections are included here to provide further context for
this Technical Specification in terms of the features and functions of EHR systems that must be supported in
defining any EHRA from which such EHR systems will ultimately be developed.
0.5 Purpose of the EHR (GEHR-08, 1994, modified)
The primary purpose of the EHR is to provide a documented record of care which supports present and future
care by the same or other clinicians. This documentation provides a means of communication among
clinicians contributing to the patient's care. The primary beneficiaries are the patient/consumer and the
clinician(s).
Any other purpose for which the medical record is used is considered secondary, as is any other beneficiary.
Much of the content of EHRs is now defined by the secondary purposes, as the information collected for
primary purposes was insufficient for many secondary purposes such as billing, policy and planning, statistical
analysis, accreditation etc.
The secondary uses of EHRs are:
 Medico-legal — evidence of care provided, indication of compliance with legislation, reflection of the
competence of clinicians.
 Quality management — continuous quality improvement studies, utilisation review, performance
monitoring (peer review, clinical audit, outcomes analysis), benchmarking, accreditation.
 Education — of students of the health professions, patients/consumers, and clinicians.
vi © ISO 2004 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/TS 18308:2004(E)
 Research — development and evaluation of new diagnostic modalities, disease prevention measures and
treatments, epidemiological studies, population health analysis.
 Public and population health.
 Policy development — health statistics analysis, trends analysis, casemix analysis.
 Health service management — resource allocation and management, cost management, reports and
publications, marketing strategies, enterprise risk management.
 Billing/finance/reimbursement — insurers, government agencies, funding bodies.
NOTE Many of the secondary uses of the EHR may require additional data which are not contained in the EHR.
0.6 Principles underpinning the EHR
The EHR should be timely, reliable, complete, accurate, secure and accessible and designed to support the
delivery of healthcare services regardless of the model of healthcare being applied. It should interoperate in a
way which is truly global yet respects local customs, language and culture.
The EHR should not be considered applicable only to patients, that is, individuals with the presence of some
pathological condition. Rather, the focus should be on individual's health, encompassing both well-being and
morbidity.
The EHR recognises that an individual's health data will be distributed over different systems, and in different
locations around the world. To achieve the integration of data, the EHR will require the adoption of a common
information model by compliant systems and the adoption of relevant international standards wherever
possible.
To permit the development of meaningful EHR standards, boundaries must exist to define what is and is not
regarded as part of the EHR at the time of standardization.
0.7 Characteristics of the EHR (openEHR, 2002)
 the EHR is patient/consumer-centred, and ideally includes information relevant to all kinds of carers,
including allied health, and emergency services as well as patients themselves. This is in contrast to
provider-centred or purely episodic records;
 the EHR contains observations (what has occurred), opinions (decisions about what should occur), and
care plans (plans for what should occur);
 the level of abstraction of the EHR is generalist, that is to say, specialised information such as images,
guidelines or decision support algorithms are not typically part of the EHR per se; rather interfaces exist
to standards for other, specialised, systems;
 the EHR is a sink of diagnostic and other test data;
 the EHR is a source of clinical information for human carers, decision support, research purposes,
governments, statistical bureaux, and other entities;
 the EHR is a long-term accumulator of information about what has happened to or for the patient.

© ISO 2004 – All rights reserved vii

---------------------- Page: 7 ----------------------
TECHNICAL SPECIFICATION ISO/TS 18308:2004(E)

Health informatics — Requirements for an electronic health
record architecture
1 Scope
The purpose of this Technical Specification is to assemble and collate a set of clinical and technical
requirements for an electronic health record architecture (EHRA) that supports using, sharing, and exchanging
electronic health records across different health sectors, different countries, and different models of healthcare
delivery.
This Technical Specification gives requirements for the architecture but not the specifications of the
architecture itself.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
NOTE In addition to these references cited as sources of the definitions in Clause 3, this Technical Specification
contains in the Bibliography a list of references used as inspiration for the formulation of the EHR requirements.
ASTM E 1769-95, Standard Guide for Properties of Electronic Health Records and Record Systems
ISO/IEC 2382-8:1998, Information technology — Vocabulary — Part 8: Security
ENV 13606-1:2000, Health informatics — Electronic healthcare record communication — Part 1: Extended
architecture
ISO/TS 17090-1:2002, Health informatics — Public key infrastructure — Part 1: Framework and overview
CPRI:1995, Computer-based Patient Record Institute. Description of the Computer-based Patient Record
(CPR) and Computer-based Patient Record System. May 1995
EU-CEN:1997, European Committee for Standardisation (CEN). Proceedings of the second EU-CEN
workshop on the electronic healthcare record. CEN, 1997
FEAF:2001, CIO Council. A Practical Guide to Federal Enterprise Architecture. Available at:

OHIH:2001, Office of Health and the Information Highway, Tactical plan for a pan-Canadian Health
infostructure”, Health Canada. 2001
Zachman:1996, Zachman J. Enterprise Architecture: The Issue of the Century. Zachman International, 1996
© ISO 2004 – All rights reserved 1

---------------------- Page: 8 ----------------------
ISO/TS 18308:2004(E)
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
access control
a means of ensuring that the resources of a data processing system can be accessed only by authorized
entities in authorized ways
[ISO/IEC 2382-8:1998]
3.2
accountability
the property that ensures that the actions of an entity may be traced uniquely to that entity
[ISO/IEC 2382-8:1998]
3.3
actor (in the healthcare system)
health professional, healthcare employee, patient/consumer, sponsored healthcare provider, healthcare
organisation, device or application that acts in a health related communication or service
[ISO/TS 17090-1:2002, modified]
3.4
architecture
that set of design artefacts or descriptive or descriptive representations that are relevant for describing an
object such that it can be produced to requirements (quality) as well as maintained over the period of its useful
life (change)
[Zachman:1996]
3.5
archiving (of an EHR)
the process of moving one or more EHR extracts to off-line storage in a way that ensures the possibility of
restoring them to on-line storage when needed without loss of meaning
NOTE Wherever possible, archived data should be technology-independent so that future users do not have
dependencies on obsolete technology from the past.
3.6
attestation
the process of certifying and recording legal responsibility for a particular unit of information
3.7
audit trail
a chronological record of activities of information system users which enables prior states of the information to
be faithfully reconstructed
3.8
authentication
the act of verifying the claimed identity of an entity
[ISO/IEC 2382-8:1998]
2 © ISO 2004 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/TS 18308:2004(E)
3.9
authorization
the granting of rights, which includes the granting of access based on access rights
[ISO/IEC 2382-8:1998]
3.10
availability (in computer security)
the property of data or of resources being accessible and usable on demand by an authorized entity
[ISO/IEC 2382-8:1998]
3.11
clinical process
the steps that are involved in the delivery of healthcare services to a patient/consumer
3.12
clinician
a healthcare professional who is delivers healthcare services directly to a patient/consumer
3.13
confidentiality
the property of data that indicates the extent to which these data have not been made available or disclosed to
unauthorized individuals, processes, or other entities
[ISO/IEC 2382-8:1998]
3.14
consumer (in relation to healthcare services)
a person requiring, scheduled to receive, receiving or having received a healthcare service
3.15
data aggregation
a process by which information is collected, manipulated and expressed in summary form. Data aggregation is
primarily performed for reporting purposes, policy development, health service management, research,
statistical analysis, and population health studies
3.16
data validation
a process used to determine if data are accurate, complete, or meet specified criteria
NOTE Data validation may include format checks, completeness checks, check key tests, reasonableness checks,
and limit checks.
[ISO/IEC 2382-8:1998]
3.17
electronic health record
EHR
NOTE 1 There is as yet no one internationally accepted definition of the electronic health record. The definitions below
have more similarities than differences but do reflect slightly different shades of meaning between different countries and
organizations.
NOTE 2 The abbreviation EHR will be considered synonymous with abbreviations used elsewhere such as EHCR,
CPR, EPR, and EMR. These abbreviations will only be used when referring to the names of particular projects or
organisations, or in direct quotations from references.
an electronic longitudinal collection of personal health information, usually based on the individual, entered or
accepted by health care providers, which can be distributed over a number of sites or aggregated at a
© ISO 2004 – All rights reserved 3

---------------------- Page: 10 ----------------------
ISO/TS 18308:2004(E)
particular source. The information is organised primarily to support continuing, efficient and quality health care.
The record is under the control of the consumer and is stored and transmitted securely
[NEHRT:2000]
a longitudinal collection of personal health information of a single individual, entered or accepted by health
care providers, and stored electronically. The record may be made available at any time to providers, who
have been authorized by the individual, as a tool in the provision of health care services. The individual has
access to the record and can request changes to its contents. The transmission and storage of the record is
under strict security
[OHIH:2001]
a collection of data and information gathered or generated to record clinical care rendered to an individual
[ASTM E 1769:1995]
a comprehensive, structured set of clinical, demographic, environmental, social, and financial data and
information in electronic form, documenting the health care given to a single individual
[ASTM E 1769:1995]
a healthcare record in computer readable format
[ENV 13606-1:2000]
an electronic patient record that resides in a system designed to support users through availability of complete
and accurate data, practitioner reminders and alerts, clinical decision support systems, links to bodies of
medical knowledge, and other aids
[IOM:1991]
a virtual compilation of non-redundant health data about a person across a lifetime, including facts,
observations, interpretations, plans, actions, and outcomes. Health data include information on allergies,
history of illness and injury, functional status, diagnostic studies, assessments, orders, consultation reports,
treatment records, etc. Health data also include wellness data such as immunization history, behavioural data,
environmental information, demographics, health insurance, administrative data for care delivery processes,
and legal data such as consents
[CPRI:1995]
3.18
electronic health record architecture
EHRA
the generic structural components from which all EHRs are built, defined in terms of an information model
NOTE a model of the generic features necessary in any electronic healthcare record in order that the record may be
communicable, complete, a useful and effective ethico-legal record of care, and may retain integrity across systems,
countries, and time. The Architecture does not prescribe or dictate what anyone stores in their healthcare records. Nor
does it prescribe or dictate how any electronic healthcare record system is implemented. . [It] places no restrictions on
the types of data which can appear in the record, including those which have no counterpart in paper records. . Details
like “field sizes”, coming from the world of physical databases, are not relevant to the electronic healthcare record
Architecture.
[EU-CEN:1997]
3.19
EHR extract
the unit of communication of the EHR which is itself attestable and which consists of one or more EHR
transactions
4 © ISO 2004 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/TS 18308:2004(E)
3.20
EHR system
the set of components that form the mechanism by which patient records are created, used, stored, and
retrieved. It includes people, data, rules and procedures, processing and storage devices, and communication
and support facilities
[IOM:1991]
a system for recording, retrieving, and manipulating information in electronic health records
[ENV 13606-1:2000]
3.21
EHR transaction
the minimum unit of storage, review, modification, version control, and transfer within an EHR
3.22
encounter
patient contact
a contact between a clinician and patient
NOTE Each encounter may relate to one or more problems.
[NZ EMR:1998, modified]
3.23
episode (of care)
identifiable grouping of healthcare related activities characterized by the entity relationship between the
subject of care and a healthcare provider, such grouping determined by the healthcare provider
[ENV 13606-1:2000, modified]
3.24
event (in relation to the EHR)
a discrete activity of the healthcare system on, with, or for the patient
3.25
framework
a logical structure for classifying and organising complex information
[FEAF:1999]
3.26
healthcare professional
person who is authorised by a nationally recognised body to be qualified to perform certain health duties
[ISO/TS 17090-1:2002]
3.27
healthcare record
a repository of information regarding the health of a subject of care
[ENV 13606-1:2000]
3.28
integrity (of data)
the property of data whose accuracy and consistency are preserved regardless of changes made
[ISO/IEC 2382-8:1998]
© ISO 2004 – All rights reserved 5

---------------------- Page: 12 ----------------------
ISO/TS 18308:2004(E)
3.29
non-repudiation
the capacity for any actor to obtain proof that confirms the integrity and origin of a data item and cannot be
forged
3.30
patient
an individual person that is a subject of care
3.31
privacy
freedom from intrusion into the private life or affairs of an individual when that in
...