1、 ISO 2017 Health informatics Guidance on health information privacy education in healthcare organizations Informatique de sant Composantes ducatives destines garantir la confidentialit des informations relatives la sant TECHNICAL REPORT ISO/TR 18638 Reference number ISO/TR 18638:2017(E) First editio
2、n 2017-06 ISO/TR 18638:2017(E)ii ISO 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, in
3、cluding photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerlan
4、d Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/TR 18638:2017(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Abbreviations. 7 5 Understanding information privacy in healthcare . 7 5.1 General concept 7 5.2 Information pr
5、ivacy in healthcare 8 5.2.1 Personal health information and privacy . 8 5.2.2 Patients rights on personal health information privacy . 8 5.3 Privacy concerns 9 5.4 Organizations privacy protection program . 9 5.4.1 Policies and practices to protect health information . 9 5.4.2 Roles of workforce in
6、protecting information privacy .10 5.4.3 Workforce education in protecting health information privacy 11 5.4.4 Patients education in protecting information privacy 11 6 Information privacy education in healthcare .11 6.1 General concepts 11 6.2 Target audience of the privacy education .12 6.3 Compet
7、encies, educational objectives and content12 7 Examples of content modules 16 7.1 General 16 7.2 Introduction to information privacy, confidentiality and security in healthcare .16 7.3 International guidelines and principles for information privacy protection .16 7.4 National legislation, regulation
8、 and policies for information privacy protection 16 7.5 Patients rights on personal health information .17 7.6 Administrative policies for privacy protection .17 7.7 Technical and physical safeguards for protecting healthcare information privacy 18 8 Instructional methods, delivery mechanisms and ev
9、aluation .19 8.1 Instructors .19 8.2 Instructional methods and delivery mechanisms .19 8.3 Delivering training 19 8.3.1 Orientation and on-boarding training 19 8.3.2 Continuing education . .20 8.3.3 Education of patients 20 8.4 Evaluation methods .20 Annex A (informative) ISO/TC215 Health informatic
10、s: List of standards on privacy protection .21 Annex B (informative) Setting learning objectives (example) (Source: Triag e Training Group, HIPAA training playbook) .22 Annex C (informative) Level of Learning Objectives by Audience (Provided by South Korea) .24 Annex D (informative) Educational meth
11、ods (examples) .26 Annex E (informative) Questions for quiz for privacy education (example) (Provided by South Korea) 27 Bibliography .32 ISO 2017 All rights reserved iii Contents Page ISO/TR 18638:2017(E) Foreword ISO (the International Organization for Standardization) is a worldwide federation of
12、 national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. Int
13、ernational organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. The procedures used to develop this document and those i
14、ntended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see
15、www .iso .org/ directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the doc
16、ument will be in the Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the voluntary nature of standard
17、s, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: w w w . i s o .org/ iso/ foreword .html. This document w
18、as prepared by Technical Committee ISO/TC 215, Health informatics.iv ISO 2017 All rights reserved ISO/TR 18638:2017(E) Introduction Health information privacy concerns need to be addressed with the expanding adoption of health information technology (HIT) including the use of electronic health recor
19、d (EHR) systems. Both the increasingly legislated environment around privacy and the increasing need for information sharing between patients, providers, payers, researchers and administrators contribute to the growing need for information privacy education in the healthcare sector. In spite of incr
20、easing awareness of and sensitivity to patient privacy, there are no guidelines or standardization for education on privacy of the healthcare information within healthcare organizations. The purpose of this document is to describe the essential educational components recommended to ensure health inf
21、ormation privacy in a healthcare organization. This document describes the concepts of health information privacy, the components of a privacy education program for healthcare organizations and basic health information privacy educational content that can be applied to various jurisdictions. This do
22、cument provides guidance for healthcare organizations for establishing and improving the health information privacy education for their workforce. Annex A provides the list of standards published by ISO/TC 215 that may be used to develop privacy education in healthcare organizations as they convey s
23、pecific content and approach health information privacy protection. ISO 2017 All rights reserved v Health informatics Guidance on health information privacy education in healthcare organizations 1 Scope This document specifies the essential educational components recommended to establish and deliver
24、 a privacy education program to support information privacy protection in healthcare organizations. The primary users of this document are those responsible for planning, establishing and delivering healthcare information privacy education to a healthcare organization. This document provides the com
25、ponents of privacy education within the context of roles and job responsibilities. It is the responsibility of the organization to define and apply privacy protection policies and procedures and, in turn, ensure that all staff in the healthcare organization understands their privacy protection respo
26、nsibilities. The scope of this document covers: a) the concept of information privacy in healthcare; b) the challenges of protecting information practices in the healthcare organization; c) the components of a healthcare information privacy education program; d) basic health information privacy educ
27、ational content. 2 Normative references There are no normative references for this document. 3 T erms a nd definiti ons For the purposes of this document, the following terms and definitions apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses: I
28、EC Electropedia: available at h t t p :/ www .electropedia .org/ ISO Online browsing platform: available at h t t p :/ www .iso .org/ obp 3.1 access ability or means necessary to read, write, modify, or communicate data/information or otherwise make use of any system resources SOURCE: ISO/TR 18307:2
29、001, 3.1 3.2 access control means of ensuring that the resources of a data processing system can be accessed only by authorized entities in authorized ways SOURCE: ISO 17090-1:2013, 3.2.1 TECHNICAL REPORT ISO/TR 18638:2017(E) ISO 2017 All rights reserved 1 ISO/TR 18638:2017(E) 3.3 anonymization proc
30、ess by which personal identifiable information (PII) (3.21) is irreversibly altered in such a way that a PII principal (3.22) can no longer be identified directly or indirectly, either by the PII controller (3.23) alone or in collaboration with any other party Note 1 to entry: See pseudonymization (
31、3.33). SOURCE: ISO/IEC 27038:2014, 2.1, modified 3.4 asset anything that has value to the organization Note 1 to entry: There are many types of assets, including: a) information; b) software, such as a computer program; c) physical, such as computer; d) services; e) people, and their qualifications,
32、 skills and experience, and f) intangibles, such as reputation and image. SOURCE: ISO/IEC 27000: 2014, 3.6 3.5 audit systematic, independent, documented process for obtaining records, statements of fact or other relevant information and assessing them objectively to determine the extent to which spe
33、cified requirements are fulfilled SOURCE: ISO/IEC 29110-2-1:2015, 4.7 3.6 availability property of data or of resources being accessible and usable on demand by an authorized entity Note 1 to entry: This is the definition relevant to use in computer security. SOURCE: ISO/TS 27790:2009, 3.10 3.7 c on
34、 f ide nt i a l i t y property of data that indicates the extent to which these data have not been made available or disclosed to unauthorized individuals, processes or other entities SOURCE: ISO/IEC 2382:2015, 2126249 2 ISO 2017 All rights reserved ISO/TR 18638:2017(E) 3.8 control means of managing
35、 risk, including policies, procedures, guidelines, practices or organizational structures, which can be administrative, technical, management or legal in nature Note 1 to entry: Control is also used as a synonym for safeguard or countermeasure. Note 2 to entry: Controls include any process, policy,
36、device, practice, or other actions which modify risk. Note 3 to entry: Controls may not always exert the intended or assumed modifying effect. SOURCE: ISO/IEC 27000:2016, 2.16 3.9 education knowledge, skill and understanding that you get from attending a school, college, university or vocational tea
37、ching Note 1 to entry: The action or process of teaching someone especially in a school, college, or university. Note 2 to entry: A field of study that deals with the methods and problems of teaching. Note 3 to entry: Synonyms are learning, knowledge, literacy, scholarship and enlightenment Note 4 t
38、o entry: Education (which is concept based) is different than training (3.39) (which is skill based). 3.10 healthcare type of services is provided by professionals or paraprofessionals with an impact on health status SOURCE: ISO 27799:2016, 3.3 3.11 healthcare organization organization involved in t
39、he direct or indirect provision of healthcare services to an individual or to a population SOURCE: ISO 13606-1:2008, 3.33 3.12 health professional person who is authorized by a recognized body to be qualified to perform certain health duties Note 1 to entry: The defined term is often “healthcare pro
40、fessional”. SOURCE: ISO 27799:2016, 3.5 3.13 ide nt i f i able p e r s on one who can be identified, directly or indirectly, in particular by reference to an identification number or one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity SOURCE
41、: ISO 22857:2013, 3.7 3.14 information privacy rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure and disposal of personal information SOURCE: ISO/TS 14441:2013, 3.26 ISO 2017 All rights reserved 3 ISO/TR 18638:2017(E) 3.15 information
42、security protection of information from (accidental or intentional) unauthorized access, use, disclosure, disruption, modification or destruction SOURCE: ISO/TS 21547:2010, 3.2.24 3.16 media means by which information is perceived, expressed, stored or transmitted EXAMPLE Audio, video, (animated) gr
43、aphics, images, text. Note 1 to entry: Medium (plural media). SOURCE: ISO/IEC 14478-1:1998, 3.2.2 3.17 patient subject of care consisting of one person SOURCE: ISO 13606-2:2008, 4.13 3.18 personal information information about an individual which can be used to identify that individual Note 1 to ent
44、ry: The specific information used for this identification will be that defined by national legislation. Note 2 to entry: See personal identifiable information (PII) (3.21). SOURCE: ISO/IEC 27011:2008, 3.1.5 3.19 personal health information information about an identifiable person that relates to the
45、 physical or mental health of the individual SOURCE: ISO 27799:2016, 3.8 3.20 personal health record PHR representation of information regarding or relevant to the health, including wellness, development, and welfare of a subject of care, which may be stand-alone or integrating health information fr
46、om multiple sources, and for which the individual, or their authorized representative, manages and controls the PHR content and grants permissions for access by and/or sharing with other parties SOURCE: ISO/TR 14639-2:2014, 2.60 3.21 p e r s o n a l i d e n t i f i a b l e i n f o r m a t i o n PII
47、information about a person that can be used to identify that individual Note 1 to entry: The specific information used for this identification will be that defined by national legislation. Note 2 to entry: See personal health information (3.19) and pseudonymization (3.33). SOURCE: ISO/IEC 27011:2008
48、, 3.1.54 ISO 2017 All rights reserved ISO/TR 18638:2017(E) 3.22 p e r s o n a l i d e n t i f i a b l e i n f o r m a t i o n p r i n c i p a l PII principal person who granted/entrusted an organization with the ability to manage his/her PII Note 1 to entry: See pseudonymization (3.33). 3.23 p e r s
49、 o n a l i d e n t i f i a b l e i n f o r m a t i o n c o n t r o l l e r PII controller person designated by an organization to control access to PII Note 1 to entry: See pseudonymization (3.33). 3.24 policy set of rules such as legal, political, organizational which can be expressed as obligations, permissions or prohibitions Note 1 to entry: Adapted from ISO/TS 22600-1:2014, 3.13. SOURCE: ISO/TR 14639-1:2012 3.25 privacy freedom from intrusion into the private life or affairs of an indi
