Health informatics — Trusted end-to-end information flows

ISO/TS 21089:2018 describes trusted end-to-end flow for health information and health data/record management. Health data is originated and retained, typically as discrete record entries within a trusted electronic health record (EHR), personal health record (PHR) or other system/device. Health data can include clinical genomics information. Health record entries have a lifespan (period of time managed by one or more systems) and within that lifespan, various lifecycle events starting with "originate/retain". Subsequent record lifecycle events may include "update", "attest", "disclose", "transmit", "receive", "access/view" and more. A record entry instance is managed, over its lifespan, by the source system. If record entry content is exchanged, this instance may also be managed intact by one or more downstream systems. Consistent, trusted management of record entry instances is the objective of this document, continuously and consistently whether the instance is at rest or in motion, before/during/after each lifecycle event, across one or more systems.

Informatique de santé — Flux d'informations "trusted end-to-end"

General Information

Status
Published
Publication Date
08-Apr-2018
Current Stage
9093 - International Standard confirmed
Completion Date
16-Feb-2022
Technical specification
ISO/TS 21089:2018 - Health informatics -- Trusted end-to-end information flows
English language
85 pages

Standards Content (Sample)

TECHNICAL SPECIFICATION ISO/TS 21089
First edition
2018-04
Health informatics — Trusted end-to-end information flows
Informatique de santé — Flux d'informations "trusted end-to-end"
Reference number
ISO/TS 21089:2018(E)
© ISO 2018

ISO/TS 21089:2018(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved


Contents Page
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Abbreviated terms ... 25
5 Truth, trust, end-to-end information flows and foundations of interoperability ... 27
6 Trust characteristics in end-to-end information flow ... 28
7 The trust constituency ... 29
8 Principles and objectives ... 32
8.1 Ensured trust ... 32
8.2 Trust constituency ... 32
8.3 Health record rights ... 33
8.4 Health record obligations ... 33
8.5 Health record composition ... 34
8.6 Human and business agents and their accountable actions ... 34
8.7 Software and device agents and their accountable actions ... 34
8.8 Scope of accountability ... 34
8.9 Provenance ... 35
8.10 Authentication ... 35
8.11 Auditability ... 36
8.12 Chain of trust ... 36
8.13 Faithfulness, permanence, persistence and indelibility ... 36
8.14 Data definition, data registry ... 36
8.15 Data integrity ... 36
8.16 Completeness ... 36
9 Downstream/upstream information flow perspectives ... 37
9.1 Downstream information flow perspective — Subject of care ... 37
9.2 Downstream information flow perspective — Accountable agent(s) for health record content ... 38
9.3 Upstream perspective — Accountable agent(s) for health record access/view ... 39
10 Agents, actions and corresponding persistent record entries ... 39
10.1 Agent takes action ... 39
10.2 Agent documents action taken ... 40
10.3 Agent stewards the record entry ... 40
11 Key contexts for action instances and record entry instances ... 41
11.1 Identity Context ... 41
11.2 Accountability Context ... 41
11.3 Data Integrity Context ... 41
11.4 Clinical Context ... 41
11.5 Administrative/operational context ... 42
12 Roles and relationships (examples) ... 42
12.1 Subject of care and provider relationships ... 42
12.2 Health services ... 42
12.3 Health record relationships ... 42
12.4 Individuals, organizations and business unit relationships ... 43
12.5 Inter-healthcare professional relationships ... 43
13 Record lifecycle events and CRUD (create, read, update, delete) ... 44
14 Key lifecycle events in trusted end-to-end information flows ... 46
15 Record lifecycle events and action instances ... 47
15.1 Initial instance ... 47
15.1.1 Initial action instance ... 47
15.1.2 Record lifecycle event — Originate/retain record entry instance(s) ... 48
15.2 Subsequent instance ... 50
15.2.1 Subsequent action instance ... 50
15.2.2 Record lifecycle event — Amend (update) record entry instance(s) ... 50
15.3 Record lifecycle event — Transform/translate ... 51
15.4 Record lifecycle event — Attest ... 52
15.5 Record lifecycle event — Access/view ... 53
15.6 Record lifecycle event — Report (output) ... 54
15.7 Record lifecycle event — Disclose ... 54
15.8 Record lifecycle event — Transmit ... 54
15.9 Record lifecycle event — Receive/retain ... 56
15.10 Record lifecycle event — De-identify (anonymize) ... 57
15.11 Record lifecycle event — Pseudonymize ... 58
15.12 Record lifecycle event — Re-identify ... 60
15.13 Record lifecycle event — Extract ... 61
15.14 Record lifecycle event — Archive ... 62
15.15 Record lifecycle event — Restore (from archive) ... 63
15.16 Record lifecycle event — Destroy/delete ... 64
15.17 Record lifecycle event — Deprecate ... 65
15.18 Record lifecycle event — Reactivate (from delete or deprecate) ... 66
15.19 Record lifecycle event — Merge ... 67
15.20 Record lifecycle event — Unmerge ... 68
15.21 Record lifecycle event — Link ... 69
15.22 Record lifecycle event — Unlink ... 69
15.23 Record lifecycle event — Add legal hold ... 70
15.24 Record lifecycle event — Remove legal hold ... 71
15.25 Record lifecycle event — Verify ... 72
15.26 Record lifecycle event — Encrypt ... 73
15.27 Record lifecycle event — Decrypt ... 74
Annex A (informative) HL7 Fast Health Interoperable Resources (FHIR) ... 76
Annex B (informative) Lifecycle metadata captured in FHIR resources ... 78
Annex C (informative) Sample lifecycle event sequence with FHIR resources ... 82
Annex D (informative) Lifecycle Event Sequence — Point of Origination to Point of Access (Example) ... 84
Bibliography ... 85


Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 215, Health informatics.

This first edition of ISO/TS 21089 cancels and replaces ISO/TR 21089:2004, which has been technically revised.

The main changes compared to ISO/TR 21089:2004 are as follows:
— transition from Technical Report (informative) to Technical Specification (normative);
— close alignment with ISO/HL7 10781:2015 and its specified record lifecycle events;
— close alignment with HL7 Fast Health Interoperable Resources (FHIR), Standard for Trial Use, 3rd Edition (STU-3) (2017), including the FHIR Record Lifecycle Event Implementation Guide (RLE IG) and two FHIR Resources AuditEvent and Provenance. See http://www.hl7.org/FHIR;
— incorporation of twenty-seven (27) record lifecycle events compared to fifteen (15) in the first edition for more complete representation of end-to-end electronic health record management;
— comprehensive review and update of terms and definitions (Clause 3) to more completely specify the range of health record lifespan and lifecycle events.


Introduction

This document describes requirements for health data/record management including identity, accountability, provenance, authenticity, integrity, confidentiality, stewardship and interoperability and addresses specific needs of health and healthcare stakeholders, in particular the individual subject of care, the healthcare professional/caregiver, the healthcare provider organization, its business units and the broader care community.

The trusted end-to-end information flows described herein offer necessary criteria for standards developers and implementers of electronic health record and other record management systems, including standards for data at rest (during retention) and data in motion (during exchange) within the healthcare domain and provide guidance for software developers and vendors, healthcare providers and end users.

Health informatics — Trusted end-to-end information flows
1 Scope

This document describes trusted end-to-end flow for health information and health data/record management. Health data is originated and retained, typically as discrete record entries within a trusted electronic health record (EHR), personal health record (PHR) or other system/device. Health data can include clinical genomics information.

Health record entries have a lifespan (period of time managed by one or more systems) and within that lifespan, various lifecycle events starting with "originate/retain". Subsequent record lifecycle events may include "update", "attest", "disclose", "transmit", "receive", "access/view" and more.

A record entry instance is managed, over its lifespan, by the source system. If record entry content is exchanged, this instance may also be managed intact by one or more downstream systems. Consistent, trusted management of record entry instances is the objective of this document, continuously and consistently whether the instance is at rest or in motion, before/during/after each lifecycle event, across one or more systems.

2 Normative references

There are no normative references in this document.

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1
access, verb
obtain, open, inspect, review and/or make use of health data or information
Note 1 to entry: Access/View Record Lifecycle Event - occurs when an agent causes the system to obtain and open a record entry for inspection or review.
Note 2 to entry: See view (3.156).
[SOURCE: CPRI, modified]

3.2
access control
means of ensuring that the resources of an electronic system can be accessed only by authorized entities in authorized ways
Note 1 to entry: Alternatively, prevention of an unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.
[SOURCE: ISO/IEC 2382-8:1998, modified]

3.3.1
accountability
obligation of an individual or organization to account for its activities, for completion of a deliverable or task, accept responsibility for those activities, deliverables or tasks, and to disclose the results in a transparent manner

3.3.2
accountability
property that ensures that the actions of an entity can be traced uniquely to the entity
[SOURCE: ISO 7498-2:1998, 3.3.3, modified]

3.4
accuracy
extent that recorded data reflect the actual underlying information

3.5
actor
with respect to an action, entity that participates in or observes that action
[SOURCE: ISO/IEC 15414:2015, modified]

3.6.1
agent
entity that takes conscious actions, such as an individual, organization, business unit

3.6.2
agent
entity that has been delegated (e.g. authority, a function) by and acts for another (in exercising the authority, performing the function)

3.6.3
agent
individual, organization, business unit, medical device (e.g. instrument, monitor) and software (e.g. application) which a) performs a role in the provision of healthcare services and/or b) is accountable for actions related to, and/or c) ascribed in, the health record
[SOURCE: CEN 12265:2014, modified]

3.6.4
agent
entity that takes programmed actions, such as software or a device

3.6.5
agent
entity that bears some form of responsibility for an activity taking place, for the existence of an entity, or for another agent's activity

3.7
aggregation
process to combine standardized data and information
[SOURCE: JCAHO, modified]

3.8.1
algorithm
process or set of rules to be followed in calculations or other problem-solving operations, especially by a computer


3.8.2
algorithm
series of steps for addressing a specific issue
[SOURCE: JCAHO, modified]

3.9
amend
make changes in record content in order to make it fairer, more accurate, consistent, complete and/or up-to-date
Note 1 to entry: Amend (Update) Record Lifecycle Event - occurs when an agent makes any change to record entry content currently residing in storage considered permanent (persistent).

3.10
append
add information as an attachment or supplement to a previous record entry instance or object already in existence
Note 1 to entry: It may be an attachment or supplement.
[SOURCE: HL7 RBAC, modified]

3.11
anonymize
remove personally identifying particulars or characteristics from record content so that the original source or data subject cannot be known
Note 1 to entry: Anonymization is a sub-class of de-identification which is irreversible.

3.12
anonymous
anonymized
unnamed or unidentified
Note 1 to entry: It can include an unknown source or subject.

3.13
application
identifiable computer running a software process
Note 1 to entry: In this context, it may be any software process used in healthcare information systems including those without any direct role in treatment or diagnosis.
Note 2 to entry: In some jurisdictions, software processes can be incorporated in regulated medical devices.

3.14
architecture
set of principles on which the logical structure and interrelationships to an organization and business context are based
Note 1 to entry: Software architecture is the result of software design activity.

3.15
archive, verb
create, update or move an archive artifact with health record content for long-term, typically offline storage, external to the source system
Note 1 to entry: Archive Record Lifecycle Event - occurs when an agent causes the system to create and move archive artifacts containing record entry content, typically to long-term offline storage.
Note 2 to entry: Also, to store data by moving it to long-term storage media and deleting or purging that data from the original online storage.


3.16
archival record
item of healthcare data saved for later reference or use, possibly off-line
[SOURCE: COACH, modified]

3.17.1
assurance
grounds for surety, certainty or confidence about something
[SOURCE: ISO/IEC 15408-1:2009, 3.1.4, modified]

3.17.2
assurance
grounds for confidence that an entity meets its claimed level of protection, including security objectives
[SOURCE: OMG, modified]

3.17.3
assurance
development, documentation, testing, procedural and operational activities carried out to ensure a system's services do in fact provide the claimed level of function, performance and usability
[SOURCE: OMG, modified]

3.18.1
attest
declare that record entry content exists, is authentic, accurate and true and therefore that it can be trusted

3.18.2
attest
declare that record entry content exists and is complete for the purpose intended

3.18.3
attest
provide or serve as clear evidence of and thus certify and record applicable administrative (or "legal") responsibility for a particular unit of information
Note 1 to entry: Attest Record Lifecycle Event - occurs when an agent causes the system to capture the agent's digital signature (or equivalent indication) during formal validation of record entry content.

3.19
audit, noun
audit control
mechanism employed to record and examine activities of an agent

3.20
audit, noun
independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies or procedures

3.21.1
audit trail
audit log
record of the resources which were accessed and/or used by whom
[SOURCE: ISO 7498-2:1998, modified]


3.21.2
audit trail
documentary evidence of monitoring each operation (of healthcare parties) on health information
[SOURCE: NRC, modified]

3.21.3
audit trail
chronological record of system activities that is sufficient to enable the reconstruction, reviewing and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to final results
[SOURCE: GCST]

3.22
authentic
what it purports to be
Note 1 to entry: Also, genuine and of undisputed origin; bona fide; based on facts, accurate and reliable.

3.23.1
authentication
process proving something is real, true, or genuine

3.23.2
authentication
process of verification of the integrity of data that have been captured, stored or transmitted
[SOURCE: GCST]

3.23.3
authentication
process of corroboration that the source of data received is as claimed

3.23.4
authentica
...
