ISO/TR 21089:2004

TECHNICAL ISO/TR
REPORT 21089
First edition
2004-06-01

Health informatics — Trusted end-to-end
information flows
Informatique de santé — Flux d'informations “trusted end-to-end”



Reference number
ISO/TR 21089:2004(E)
©
ISO 2004

---------------------- Page: 1 ----------------------
ISO/TR 21089:2004(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2004 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/TR 21089:2004(E)
Contents Page

FOREWORD. v
1 SCOPE . 1

2 REFERENCES. 1

3 TERMS AND DEFINITIONS. 2

4 ABBREVIATED TERMS.14
5 OVERVIEW - CHARACTERISTICS ESSENTIAL TO TRUSTED END-TO-END
INFORMATION FLOWS.16
6 HEALTH RECORD TRUST STAKEHOLDERS .17
7 PRINCIPLES AND OBJECTIVES .18
7.1. ENSURED TRUST.18
7.2. TRUST STAKEHOLDERS.18
7.3. HEALTH RECORD RIGHTS .18
7.4. HEALTH RECORD OBLIGATIONS .19
7.5. HEALTH RECORD COMPOSITION .19
7.6. HEALTHCARE ENTITIES AND THEIR ACCOUNTABLE ACTIONS.19
7.7. HEALTHCARE AGENTS AND THEIR ACCOUNTABLE ACTIONS .19
7.8. SCOPE OF ACCOUNTABILITY, UNIT OF ACCOUNTABILITY.19
7.9. AUTHENTICATION.20
7.10. AUDITABILITY .20
7.11. CHAIN OF TRUST.20
7.12. FAITHFULNESS, PERMANENCE, PERSISTENCE AND INDELIBILITY .20
7.13. DATA DEFINITION, DATA REGISTRY .20
7.14. DATA INTEGRITY .20
7.15. COMPLETENESS .20
8 INFORMATION FLOW PERSPECTIVES .21
8.1 DOWNSTREAM PERSPECTIVE - HEALTH RECORD SUBJECT .21
8.2 DOWNSTREAM PERSPECTIVE - ENTITY(IES) ACCOUNTABLE FOR HEALTH RECORD CONTENT .22
8.3 UPSTREAM PERSPECTIVE - ENTITY(IES) ACCOUNTABLE FOR HEALTH RECORD ACCESS/USE .23
9 ENTITIES, HEALTH SERVICE ACTS AND CORRESPONDING PERSISTENT ACT
RECORDS.24
10  HEALTH SERVICE ACT - VITAL CONTEXTS - AS DOCUMENTED IN THE ACT RECORD
..............................................................................................................................................................26
10.1. ACCOUNTABILITY CONTEXT.26
10.2. DATA INTEGRITY CONTEXT.26
10.3. CLINICAL CONTEXT.26
10.4. ADMINISTRATIVE/OPERATIONAL CONTEXT.26
11 ROLES AND RELATIONSHIPS (EXAMPLE).27
11.1. SUBJECT OF CARE AND PROVIDERS.27
11.2. HEALTH SERVICES .27
11.3. HEALTH RECORD .27
11.4. INDIVIDUALS, ORGANIZATIONS, BUSINESS UNITS .27
11.5. INTER-HEALTHCARE PROFESSIONAL.27
© ISO 2004 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/TR 21089:2004(E)
12 KEY DEFINITION AND TRACE/AUDIT POINTS IN TRUSTED END-TO-END INFORMATION
FLOWS.28
12.1. ACT RECORD - POINT OF DEFINITION.30
12.2.1. HEALTH SERVICE ACT - POINT OF SERVICE/CARE.31
12.2.2. ACT RECORD - POINT OF ORIGINATION.32
12.3.1. HEALTH SERVICE ACT - POINT OF PROGRESSION OR COMPLETION.34
12.3.2. ACT RECORD - POINT OF AMENDMENT .34
12.4. ACT RECORD - POINT OF TRANSLATION .35
12.5. ACT RECORD - POINT OF ACCESS/USE.36
12.6.1. ACT RECORD - POINT OF DE-IDENTIFICATION, ALIASING.37
12.6.2. ACT RECORD - POINT OF RE-IDENTIFICATION .38
12.7. ACT RECORD - POINT OF CONVERGENCE: E.G., AGGREGATION, SUMMARIZATION OR
DERIVATION . 39
12.8.1. ACT RECORD - POINT OF DISCLOSURE, TRANSMITTAL.40
12.8.2. ACT RECORD - POINT OF REPORTING .40
12.9. ACT RECORD - POINT OF RECEIPT.42
12.10. ACT RECORD - POINT OF ARCHIVAL .44
12.11. ACT RECORD - POINT OF LOSS, DESTRUCTION OR DELETION.45
BIBLIOGRAPHY.46
iv © ISO 2004 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/TR 21089:2004(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO
member bodies). The work of preparing International Standards is normally carried out through ISO technical committees.
Each member body interested in a subject for which a technical committee has been established has the right to be
represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also
take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the
technical committees are circulated to the member bodies for voting. Publication as an International Standard requires
approval by at least 75 % of the member bodies casting a vote.
In exceptional circumstances, when a technical committee has collected data of a different kind from that which is
normally published as an International Standard (“state of the art”, for example), it may decide by a simple majority vote of
its participating members to publish a Technical Report. A Technical Report is entirely informative in nature and does not
have to be reviewed until the data it provides are considered to be no longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights.
ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TR 21089 was prepared by Technical Committee ISO/TC 215, Health informatics.
© ISO 2004 – All rights reserved v

---------------------- Page: 5 ----------------------
TECHNICAL REPORT ISO/TR 21089:2004(E)

Health informatics — Trusted end-to-end information flows

1 Scope
Health(care) records form persistent evidence of health status and the provision and completeness of
health(care) services, being retained in electronic and/or other media. Health(care) records often contain
Protected Health Information (PHI), typically defined as "individually-identifiable health information", and thus
incur safeguards exceeding the ordinary.
The prime unit of health(care) record-keeping is the Entity/Act Record, the authenticatable unit of the health
record, evidencing (documenting) the performance/completion of an Act by an Entity and preserving the
Accountability Context of the Entity for the Act. (Note that the Entity/Act is central to Health Level Seven's
Version 3 Reference Information Model.)
Trusted stewardship, retention and interchange of Entity/Act Records/PHI requires vital safeguards such as
traceability and audit. This Technical Report offers an information flow methodology for units of the
health(care) record/PHI, particularly the Entity/Act Record, and specifies critical Trace Points (audit events)
in that flow including: record/PHI origination, authentication, amendment, translation, access/use,
transmittal/disclosure, receipt, de-identification/re-identification, archival, etc.
This Technical Report offers an informative guide to trusted end-to-end information flow for health(care)
records and to the key Trace Points and audit events in the electronic Entity/Act Record lifecycle (from point
of record origination to each ultimate point of record access/use). It also offers recommendations regarding
the trace/audit detail relevant to each.
This Technical Report offers recommendations of best practice for healthcare providers, health record
stewards, software developers and vendors, end users and other stakeholders, including patients.
2 References
ISO/IEC Guide:1996, Guide 2: definition 3.2
ISO/IEC 2382-8:1998, Information technology — Vocabulary — Part 8: Security
ISO 6523-1:1998, Information technology — Structure for the identification of organizations and organization
parts — Part 1: Identification of organization identification schemes
ISO 7498-2:1989, Information processing systems — Open Systems Interconnection — Basic Reference
Model — Part 2: Security Architecture
ISO/IEC 10746-2:1996, Information technology — Open Distributed Processing — Reference Model:
Foundations
ISO/IEC 10746-3:1996, Information technology — Open Distributed Processing — Reference Model:
Architecture
ISO/IEC 10746-4:1998, Information technology — Open Distributed Processing — Reference Model:
Architectural Semantics
ISO/IEC 15408-1:1999, Information technology — Security techniques — Evaluation criteria for IT security
— Part 1: Introduction and general model
ISO/IEC 17799, Information technology — Code of practice for information security management
© ISO 2004 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/TR 21089:2004(E)

3 Terms and definitions
3.1
access
ability or the means necessary to read, write, modify, or communicate data/information or otherwise make
use of any system resource
[HIPAA]
provision of an opportunity to approach, inspect, review, make use of data or information
[CPRI]
specific type of interaction between a subject and an object that results in the flow of information from one to
the other
[GCST]
3.2
access control
means of ensuring that the resources of a data processing system can be accessed only by authorized
entities in authorized ways
[ISO/IEC 2382-8]
prevention of an unauthorized use of a resource, including the prevention of use of a resource in an
unauthorized manner
[ISO 7498-2]
policies and procedures preventing access by those who are not authorized to have it
[IOM]
3.3
accountability
property that ensures that the actions of an entity can be traced uniquely to the entity
[ISO 7498-2]
concept that individual persons or entities can be held responsible for specified actions
[NRC]
obligation to disclose periodically, in adequate detail and consistent form, to all directly and indirectly
responsible or properly interested parties, the purposes, principles, procedures, relationships, results,
incomes and expenditures involved in any activity, enterprise, or assignment so that they can be evaluated
by the interested parties
[JCAHO]
3.4
actor
•with respect to an action •an enterprise object (or entity) that participates in the action
[ISO/IEC 15414]
3.5
agent
enterprise object (or entity) that has been delegated (authority, a function, etc.) by and acts for another (in
exercising the authority, performing the function, etc.)
3.6
application
identifiable computer running a software process
NOTE 1 In this context, it may be any software process used in healthcare information systems including those without
any direct role in treatment or diagnosis.
NOTE 2 In some jurisdictions, including software processes may be regulated medical devices.
2 © ISO 2004 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/TR 21089:2004(E)
3.7
architecture
set of principles on which the logical structure and interrelationships to an organization and business context
are based
NOTE Software architecture is the result of software design activity.
3.8
archived (records)
archival (records)
healthcare data saved for later reference or use, possibly off-line
[COACH]
3.9
assurance
grounds for confidence, surety, certitude
grounds for confidence that an entity meets its security objectives
[ISO/IEC 15408-1:1999]
development, documentation, testing, procedural and operational activities carried out to ensure a system's
security services do in fact provide the claimed level of protection
[OMG 97]
3.10
audit control
mechanisms employed to record and examine system activity
3.11
audit trail
record of the resources which were accessed and/or used by whom
[ISO 7498-2]
documentary evidence of monitoring each operation (of healthcare entities) on health information
[NRC]
chronological record of system activities that is sufficient to enable the reconstruction, reviewing and
examination of the sequence of environments and activities surrounding or leading to an operation, a
procedure, or an event in a transaction from its inception to final results
[GCST]
3.12
authentication of health record entries
process used to verify that an entry is complete, accurate and final
[JCAHO]
3.13
authentication
providing assurance regarding the identity of a subject (author) or object (information)
[ASTM E1762]
3.14
authentication (data)
verification of the integrity of data that have been stored, transmitted or otherwise exposed to possible
unauthorized modification
[GCST]
3.15
authentication (data source)
corroboration that the source of data received is as claimed
[ISO 7498-2]
3.16
© ISO 2004 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/TR 21089:2004(E)
authentication (user)
provision of assurance of the claimed identity of an entity
[ISO/IEC 10181-2]
3.17
authorize
authorization
granting of rights, which includes granting of access based on access rights
[ISO 7498-2]
prescription that a particular behaviour must not be prevented
[ISO/IEC 15414]
3.18
authorized user
user who may, in accordance with the Security Policy, perform an operation
3.19
availability
property of being accessible and useable upon demand by an authorized entity
[ISO 7498-2]
prevention of the unauthorized withholding of information or resources
[ITSEC]
3.20
business unit
discrete and accountable function or sub-function within an organization
NOTE For example, a business unit includes a department, service or speciality of a healthcare provider organization.
3.21
care
provision of accommodations, comfort and treatment to an individual subject of care (patient), also implying
responsibility for safety
[JCAHO]
3.22
caregiver
cf. healthcare professional
3.23
clinical information
information about a subject of care, relevant to the health or treatment of that subject of care, that is
recorded by or on behalf of a healthcare person
[CEN ENV 1613:1995]
data/information related to the health and healthcare of an individual collected from or about an individual
receiving healthcare services: includes a caregiver's objective measurement or subjective evaluation of a
patient's physical or mental state of health; descriptions of an individual's health history and family health
history; diagnostic studies; decision rationale; descriptions of procedures performed; findings; therapeutic
interventions; medication prescribed; description of responses to treatment; prognostic statements; and
descriptions of socio-economic and environmental factors related to the patient's health
[ASTM E1769, CPRI]
3.24
code set
any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical
diagnostic codes, or medical procedure codes
3.25
coding scheme
4 © ISO 2004 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/TR 21089:2004(E)
collection of rules that maps the elements of one set on to the elements of a second set
3.26
complete health record
final, assembled and authenticated, health record for an individual
(health) record is complete when a) its contents reflect the diagnosis, results of diagnostic tests, therapy
rendered, condition and progress (of the subject of care), and condition (of the subject of care) at discharge,
and b) its contents, including any required clinical résumé or final progress notes, are assembled and
authenticated, and all final diagnoses and any complications are recorded without use of symbols or
abbreviations
[JCAHO]
3.27
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities or processes
[ISO 7498-2]
condition in which information is shared or released in a controlled manner
[NRC]
prevention of the unauthorized disclosure of information
[ITSEC]
restriction of access to data and information to individuals who have a need, a reason and permission for
access
[JCAHO]
status accorded to data or information indicating that it is sensitive for some reason, and that therefore it
needs to be protected against theft or improper use and must be disseminated only to individuals or
organizations authorized to have it
[OTA]
3.28
credentials (for identity)
data that are transferred to establish the claimed identity of an entity
[ISO/IEC 2382-8]
3.29
credentials (for healthcare practice)
documented evidence of (a healthcare professional's) licensure, education, training, experience, or other
qualifications
[JCAHO]
3.30
criteria
expected level(s) of achievement, or specifications against which performance can be assessed
[JCAHO]
3.31
data attribute, element or item
single unit of data that in a certain context is considered indivisible
3.32
data transmission
data transmittal
sending of data or information from one location to another location
[JCAHO]
exchange of data between person and program, or program and program, when the sender and receiver are
remote from each other
[CPRI]
© ISO 2004 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/TR 21089:2004(E)
3.33
de-identified data
data resulting from personally identifiable information after the process of removing or altering one or more
attributes so that the (direct or indirect) identification of the relevant person without knowledge of the initial
information is either impossible or requires an unreasonable amount of time and manpower
[MEDSEC]
3.34
digital signature
data appended to, or a cryptographic transformation (see cryptography) of a data unit that allows a recipient
of the data unit to prove the source and integrity of the data unit and protect against forgery e.g. by the
recipient
[ISO 7498-2]
electronic signature based upon cryptographic methods of originator authentication, computed by using a
set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be
verified
[HIPAA]
NOTE This term is usually reserved for digital values or checksums calculated using asymmetric techniques, where only
the originator of the message can generate the digital signature but many people can verify it.
3.35
disclosure (of health information)
release, transfer, provision of access to, or divulging in any other manner of information outside the entity
holding the information
[HIPAA]
release of information to third parties within or outside the healthcare provider organization from an
individual's (health) record with or without the consent of the individual to whom the record pertains
[CPRI]
3.36
documentation
process of recording information in the (health) record
[JCAHO]
3.37
electronic health record
EHR
electronic healthcare record
ECHR
health record concerning the subject of care in computer-readable form
[CEN ENV13606-1]
3.38
entity
object modelling a natural person or any other entity considered to have the same rights, powers and duties
of a natural person
[ISO/IEC 15414]
3.39
episode of care
identifiable grouping of healthcare related activity characterized by the entity relationship between the
subject of care and a healthcare provider, such a grouping determined by the healthcare provider
3.40
health information
any information, whether oral or recorded in any form or medium, that a) is created or received by a
healthcare provider, health plan, public health authority, employer, life insurer, school or university, or
healthcare clearing-house; and b) relates to the past, present, or future physical or mental health or
condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment
6 © ISO 2004 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/TR 21089:2004(E)
for the provision of healthcare to an individual
[HIPAA]
3.41
health record
healthcare record
account compiled [by healthcare entities (e.g., healthcare professionals)] of a variety of (subject of care)
health information, such as the (subject of care's) assessment findings, treatment details and progress notes
[JCAHO]
3.42
health record entry
healthcare record entry
dataset, suitably attributed, which forms part of, or a whole, contribution to a health(care) record at one place
and time
[CEN ENV 13606-2]
3.43
healthcare
care, services, or supplies related to the health of an individual
[HIPAA]
NOTE Includes any: a) preventative, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counselling,
service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the
structure or function of the body; b) sale or dispensing of a drug, device, equipment, or other item pursuant to a
prescription; or c) procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.
3.44
healthcare agent
medical devices (e.g. instruments, monitors) and software (e.g. applications, components) which: a) perform
a role in the provision of healthcare services; and/or b) are accountable for actions related to, and/or
ascribed in, the health record
[CEN ENV12265, modified]
3.45
healthcare data
data which are input, stored, processed or output by the automated information system which support the
clinical and business functions of a healthcare organization; these data may relate to person identifiable
records or may be part of an administrative system where persons are not identified
[HL7]
3.46
healthcare informatics
scientific discipline that is concerned with the cognitive, information processing and communication tasks of
healthcare practice, education and research, including the information science and technology to support
these tasks
[Directory of the European Standardization Requirements for Healthcare Informatics and Telematics v2.1,
1994]
3.47
healthcare organization
generic term used to describe many types of organizations that provide healthcare services
[JCAHO]
3.48
healthcare entity
individuals, organizations or business units, including: a) subjects of care (patients, health plan members); b)
those involved in the direct or indirect provision of healthcare services to an individual or to a population;
and/or c) those accountable for actions related to, and/or ascribed in, the health record
[CEN ENV 1613:1995, modified]
3.49
healthcare professional
© ISO 2004 – All rights reserved 7

---------------------- Page: 12 ----------------------
ISO/TR 21089:2004(E)
person that is authorized by a nationally recognized body to be qualified to perform certain health services
individual who is entrusted with the direct or indirect provision of defined healthcare services to an individual
subject of care or to populations
[CEN ENV 1613: 1995]
NOTE 1 The types of registering or accrediting bodies differ in different countries and for different professions. Nationally
recognized bodies include local or regional governmental agencies, independent professional associations and other
formally and nationally recognized organizations. They may be exclusive or non-exclusive in their territory.
NOTE 2 Examples of health professionals are physicians, registered nurses and pharmacists.
3.50
healthcare provider
healthcare organization or healthcare professional responsible for the provision of healthcare to a subject of
care or to a population
[CEN 13940:2000]
3.51
health plan
individual or group plan that provides, or pays the cost of, medical care
[HIPAA]
3.52
identifier
piece of information used to claim an identity, before a potential corroboration by a corresponding
authenticator
[CEN ENV 13608-1]
3.53
indelible
indelibility
impossible to remove or erase, permanent
3.54
indicator (of performance)
measure used to determine over time, (an organization's) performance of functions, processes and
outcomes
[JCAHO]
3.55
individually identifiable health information
any information, including demographic information collected from an individual, that a) is created or
received by a healthcare provider, health plan employer, or healthcare clearing-house; and b) relates to the
past, present or future physical or mental health or condition of an individual, the provision of healthcare to
an individual, or the past, present, or future payment for the provision of healthcare to an individua
...