iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/TR 18638:2017

(Main)

Health informatics — Guidance on health information privacy education in healthcare organizations

Health informatics — Guidance on health information privacy education in healthcare organizations

ISO/TR 18638:2017 specifies the essential educational components recommended to establish and deliver a privacy education program to support information privacy protection in healthcare organizations. The primary users of this document are those responsible for planning, establishing and delivering healthcare information privacy education to a healthcare organization. ISO/TR 18638:2017 provides the components of privacy education within the context of roles and job responsibilities. It is the responsibility of the organization to define and apply privacy protection policies and procedures and, in turn, ensure that all staff in the healthcare organization understands their privacy protection responsibilities. The scope of ISO/TR 18638:2017 covers: a) the concept of information privacy in healthcare; b) the challenges of protecting information practices in the healthcare organization; c) the components of a healthcare information privacy education program; d) basic health information privacy educational content.

Informatique de santé — Composantes éducatives destinées à garantir la confidentialité des informations relatives à la santé

General Information

Status
Published
Publication Date
31-May-2017
ICS
35.240.80 - IT applications in health care technology
Technical Committee
ISO/TC 215 - Health informatics
Drafting Committee
ISO/TC 215/WG 4 - Security, Safety and Privacy
Current Stage
6060 - International Standard published
Start Date
01-Jun-2017
Due Date
03-Jan-2017
Completion Date
03-Jan-2017
Ref Project

Relations

Consolidated By
ISO 16484-5:2017 - Building automation and control systems (BACS) — Part 5: Data communication protocol
Effective Date
06-Jun-2022
ISO/TR 18638:2017 - Health informatics -- Guidance on health information privacy education in healthcare organizationsISO/TR 18638:2017 - Health informatics -- Guidance on health information privacy education in healthcare organizations
PreviousNext
Technical report
ISO/TR 18638:2017 - Health informatics -- Guidance on health information privacy education in healthcare organizations
English language
32 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


TECHNICAL ISO/TR
REPORT 18638
First edition
2017-06
Health informatics — Guidance on
health information privacy education
in healthcare organizations
Informatique de santé — Composantes éducatives destinées à
garantir la confidentialité des informations relatives à la santé
Reference number
©
ISO 2017
© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2017 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviations. 7
5 Understanding information privacy in healthcare . 7
5.1 General concept . 7
5.2 Information privacy in healthcare. 8
5.2.1 Personal health information and privacy . 8
5.2.2 Patient’s rights on personal health information privacy . . 8
5.3 Privacy concerns . 9
5.4 Organization’s privacy protection program . 9
5.4.1 Policies and practices to protect health information . 9
5.4.2 Roles of workforce in protecting information privacy .10
5.4.3 Workforce education in protecting health information privacy .11
5.4.4 Patient’s education in protecting information privacy .11
6 Information privacy education in healthcare .11
6.1 General concepts .11
6.2 Target audience of the privacy education .12
6.3 Competencies, educational objectives and content.12
7 Examples of content modules .16
7.1 General .16
7.2 Introduction to information privacy, confidentiality and security in healthcare .16
7.3 International guidelines and principles for information privacy protection .16
7.4 National legislation, regulation and policies for information privacy protection .16
7.5 Patient’s rights on personal health information .17
7.6 Administrative policies for privacy protection .17
7.7 Technical and physical safeguards for protecting healthcare information privacy .18
8 Instructional methods, delivery mechanisms and evaluation .19
8.1 Instructors .19
8.2 Instructional methods and delivery mechanisms .19
8.3 Delivering training .19
8.3.1 Orientation and on-boarding training .19
8.3.2 Continuing education . .20
8.3.3 Education of patients .20
8.4 Evaluation methods .20
Annex A (informative) ISO/TC215 Health informatics: List of standards on privacy protection .21
e
Annex B (informative) Setting learning objectives (example) (Source: Triag Training
Group, HIPAA training playbook) .22
Annex C (informative) Level of Learning Objectives by Audience (Provided by South Korea) .24
Annex D (informative) Educational methods (examples) .26
Annex E (informative) Questions for quiz for privacy education (example) (Provided by
South Korea) .27
Bibliography .32
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: w w w . i s o .org/ iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 215, Health informatics.
iv © ISO 2017 – All rights reserved

Introduction
Health information privacy concerns need to be addressed with the expanding adoption of health
information technology (HIT) including the use of electronic health record (EHR) systems. Both the
increasingly legislated environment around privacy and the increasing need for information sharing
between patients, providers, payers, researchers and administrators contribute to the growing need
for information privacy education in the healthcare sector. In spite of increasing awareness of and
sensitivity to patient privacy, there are no guidelines or standardization for education on privacy of the
healthcare information within healthcare organizations.
The purpose of this document is to describe the essential educational components recommended
to ensure health information privacy in a healthcare organization. This document describes the
concepts of health information privacy, the components of a privacy education program for healthcare
organizations and basic health information privacy educational content that can be applied to various
jurisdictions.
This document provides guidance for healthcare organizations for establishing and improving the
health information privacy education for their workforce.
Annex A provides the list of standards published by ISO/TC 215 that may be used to develop privacy
education in healthcare organizations as they convey specific content and approach health information
privacy protection.
TECHNICAL REPORT ISO/TR 18638:2017(E)
Health informatics — Guidance on health information
privacy education in healthcare organizations
1 Scope
This document specifies the essential educational components recommended to establish and deliver
a privacy education program to support information privacy protection in healthcare organizations.
The primary users of this document are those responsible for planning, establishing and delivering
healthcare information privacy education to a healthcare organization.
This document provides the components of privacy education within the context of roles and job
responsibilities. It is the responsibility of the organization to define and apply privacy protection
policies and procedures and, in turn, ensure that all staff in the healthcare organization understands
their privacy protection responsibilities.
The scope of this document covers:
a) the concept of information privacy in healthcare;
b) the challenges of protecting information practices in the healthcare organization;
c) the components of a healthcare information privacy education program;
d) basic health information privacy educational content.
2 Normative references
There are no normative references for this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http:// www .electropedia .org/
— ISO Online browsing platform: available at http:// www .iso .org/ obp
3.1
access
ability or means necessary to read, write, modify, or communicate data/information or otherwise make
use of any system resources
[SOURCE: ISO/TR 18307:2001, 3.1]
3.2
access control
means of ensuring that the resources of a data processing system can be accessed only by authorized
entities in authorized ways
[SOURCE: ISO 17090-1:2013, 3.2.1]
3.3
anonymization
process by which personal identifiable information (PII) (3.21) is irreversibly altered in such a way that
a PII principal (3.22) can no longer be identified directly or indirectly, either by the PII controller (3.23)
alone or in collaboration with any other party
Note 1 to entry: See pseudonymization (3.33).
[SOURCE: ISO/IEC 27038:2014, 2.1, modified]
3.4
asset
anything that has value to the organization
Note 1 to entry: There are many types of assets, including:
a) information;
b) software, such as a computer program;
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO 27269:2025(Main)
Health informatics — International patient summary

This document defines the core data set for a concise international patient summary (IPS), which supports continuity of care for a person and assists with coordination of their care. This document provides an abstract definition of a patient summary from which derived models are implementable. This document does not cover the workflow processes of data entry, data collection, data summarization, subsequent data presentation, assimilation, or aggregation. Furthermore, this document does not cover the summarization act itself, i.e. the intelligence, skills and competences, that results in the data summarization workflow. It is not an implementation guide that is concerned with the various technical layers beneath the application layer. Representation by various coding schemes, additional structures and terminologies are not part of this document.

  • Standard
    76 pages
    English language
    sale 15% off
  • Standard
    83 pages
    French language
    sale 15% off
  • Draft
    76 pages
    English language
    sale 15% off
  • Draft
    76 pages
    English language
    sale 15% off
  • Draft
    84 pages
    French language
    sale 15% off
ISO
ISO 17523:2025(Main)
Health informatics — Requirements for electronic prescriptions

The scope of this document is constrained to the content of the electronic prescription (ePrescription) itself, the digital document which is issued by a prescribing healthcare professional and received by a dispensing healthcare professional. The prescribed medicinal product is to be dispensed through an authorized healthcare professional with the aim of being administered to a human patient. The ePrescription in the administrative workflow of reimbursement is not covered in this document. This document specifies the requirements that apply to ePrescriptions. It describes generic principles that are considered important for all ePrescriptions. This document is applicable to ePrescriptions of medicinal products for human use. Although other kinds of products (e.g. medical devices, wound care products) can be ordered by means of an ePrescription, the requirements in this document are aimed at medicinal products that have a market authorization and at pharmaceutical preparations which are compounded in a pharmacy. This document does not limit the scope to any setting (community, institutional) and leaves it to the national bodies to decide on this matter. This document specifies a list of data elements that can be considered as essential for ePrescriptions, depending on jurisdiction or clinical setting (primary healthcare, hospital, etc.). Ensuring the authenticity of these data elements is in scope and will have impact on the requirements of information systems. Other messages, roles and scenarios (e.g. validation of a prescription, administration, medication charts, EHR of the patient, reimbursement of care and dispensed products) are not covered in this document, because they are country-specific or region-specific, due to differences in culture and in legislation of healthcare. However, requirements and content of ePrescriptions within the context of jurisdictions have a relationship with these scenarios. This document also does not cover the way in which ePrescriptions are made available or exchanged, and the process of prescribing itself. The logistic process of prescribing itself is not part of the scope. A prescription can either be sent (pushed) to a dispenser or either be retrieved (pulled) at the dispenser. However, the requirement for the prescription is described, that it will be able to function in both environments.

  • Standard
    24 pages
    English language
    sale 15% off
  • Standard
    27 pages
    French language
    sale 15% off
  • Draft
    24 pages
    English language
    sale 15% off
  • Draft
    24 pages
    English language
    sale 15% off
  • Draft
    26 pages
    French language
    sale 15% off
ISO
ISO/TS 5615:2025(Main)
Health informatics — Accelerating safe, effective and secure remote connected care and mobile health through standards-based interoperability solutions addressing gaps revealed by pandemics

This document reviews the structural changes that have been precipitated by the COVID-19 pandemic in Remote Connected Care and Mobile Health (RCC-MH). The impact of the COVID-19 pandemic on care settings such as home and community care, acute care and outpatient care are reviewed discussing how well these healthcare environments were prepared to address the encountered connectivity challenges from a standards point of view. The current standards landscape is reviewed and gaps are identified leading to recommendations for future standards work.

  • Technical specification
    92 pages
    English language
    sale 15% off
  • Draft
    92 pages
    English language
    sale 15% off
  • Draft
    92 pages
    English language
    sale 15% off
ISO
ISO 16843-2:2025(Main)
Health informatics — Categorial structures for representation of acupuncture — Part 2: Needling

This document specifies categorial structures within the subject field of acupuncture needling (specialized for using filiform needles) by defining a set of domain constraints. This document describes a concept system detailing domain constraints of sanctioned characteristics, each composed of a semantic link and an applicable characterizing category.

  • Standard
    8 pages
    English language
    sale 15% off
  • Draft
    8 pages
    English language
    sale 15% off
  • Draft
    8 pages
    English language
    sale 15% off
ISO
ISO/PAS 24305:2025(Main)
Health informatics — Guidelines for implementation of HL7 FHIR based on ISO 13940:2015, ISO 13606-1:2019 and ISO 13606-3:2019

This document provides guidance on how four complementary international standards can be used in combination by developers of health ICT systems and infrastructures. These standards, three published by CEN and ISO and one by HL7, are — ISO 13940:2015, — ISO 13606-1:2019, — ISO 13606-3:2019, and — HL7 Fast Health Interoperability Resources (FHIR) Release 4. This document defines mappings between these standards: between ISO 13940 and HL7 FHIR in both directions, between ISO 13606 and HL7 FHIR in both directions, it proposes the content of an HL7 FHIR profile corresponding to the ISO 13606-1:2019 “COMPOSITION” class. It also provides guidance and worked examples of the mapping between ISO 13606-3 Reference Archetypes corresponding to ISO 13940 and HL7 FHIR. This document also summarizes the extent to which the source concept is broader than or narrower than the best fit target concept. It also highlights mapping issues that adopters will need to be mindful of, where the representation capability of the standards differs.

  • Technical specification
    225 pages
    English language
    sale 15% off
  • Draft
    225 pages
    English language
    sale 15% off
  • Draft
    225 pages
    English language
    sale 15% off
ISO
ISO/TS 6226:2025(Main)
Health informatics — Reference architecture for syndromic surveillance systems for infectious diseases

This document specifies a reference architecture for event-based syndromic surveillance systems for infectious diseases. The system reference architecture addresses architectural components including concepts, data sources, and outputs of syndromic surveillance system. From the perspective of the diagnostic process,[ REF Reference_ref_11 \r \h 11 08D0C9EA79F9BACE118C8200AA004BA90B0200000008000000110000005200650066006500720065006E00630065005F007200650066005F00310031000000 ] this document covers the processes from the symptom-onset stage to the health-behaviour stage, which is prior to the healthcare-encounter stage. Non-infectious health hazards, such as natural disasters, human-induced emergencies and chronic diseases, and their associated surveillance systems are beyond the scope of this document.

  • Technical specification
    11 pages
    English language
    sale 15% off
ISO
ISO 21564:2025(Main)
Health informatics — Terminology resource map quality measures and requirements (MapQual)

This document provides quality requirements for producing a quality map between terminological systems. This document establishes measures which can be used to assess the quality and utility of a map between terminological resources. These measures can be used to determine the types and conformance levels of a map and their impact on common use cases in healthcare.

  • Standard
    25 pages
    English language
    sale 15% off
ISO
ISO/TS 6268-2:2025(Main)
Health informatics — Cybersecurity framework for telehealth environments — Part 2: Cybersecurity reference model of telehealth

This document provides a telehealth cybersecurity reference model of the overall security framework for systems and services applied to telehealth. This document contains a general description of: — factors of telehealth cybersecurity threats; — relationships between security risks and safety risks in telehealth services; — methodologies for defining security levels in telehealth services; — a cybersecurity reference model of telehealth services. Defining the specific type of telehealth services is not covered in this document.

  • Technical specification
    12 pages
    English language
    sale 15% off
ISO
ISO/TS 16551:2025(Main)
Health informatics — Reference model for virtual reality (VR)-based clinical practice simulation

This document specifies a reference model for virtual reality (VR)-based clinical practice simulation. This model includes components, relations, data element and types, and roles of the users.

  • Technical specification
    12 pages
    English language
    sale 15% off
ISO
ISO/TS 9166:2025(Main)
Health informatics — Guidelines for self-assessment questionnaire systems

This document provides guidelines for the self-assessment questionnaire systems to be used for health. This document includes the following: — structure and components of the self-assessment questionnaire systems; — guidelines for administering and managing the self-assessment questionnaire systems; — basic data elements for interacting with the self-assessment questionnaire systems. This document does not define the contents of the self-assessment questionnaire specialised in healthcare domains or departments. The questionnaires themselves are out of the scope of this document since they are dependent on the intended purpose of the self-assessment questionnaire systems.

  • Technical specification
    47 pages
    English language
    sale 15% off