ISO/TS 21547 discusses the security requirements for archiving of electronic health records in any format for the long term. This standard specification discusses the document management and privacy protection, rather than specific messages and protocols, and applies the same care for the management of Electronic Health Records (HERs) as in the paper form. Document management is intended as the practise to archive documents, which can be implemented as a separate independent archive or a federated one. HERs management includes maintenance, retention, disclosure and destruction. The standard also focuses on security requirements (integrity, confidentiality, availability and accountability) and privacy requirements to protect the patient records for their long-term digital preservation in digital archives.
ISO/TR 21548 complementary Technical Report provides additional guidance for implementation of requirements defined in ISO/TS 21547. It discusses practical methods and tools for the development and management of digital archives that satisfy the security requirements.
ISO 22600 standard defines principles and specifies services needed for managing privileges and access control to data distributed across policy domain boundaries. It proposes a template for policy agreement for the different stakeholders of the healthcare information system, including patients and staff members, and defines how the communication should be managed. The policy agreement must include all the differences in the security systems of the stakeholders in different domain boundaries and the agreed solutions on how to overcome the differences.
ISO 22857 provides guidance on data protection requirements to facilitate the transfer of personal health data across national or jurisdictional borders. The standard does not require the harmonisation of the national legislations in terms of data protection and national guidelines to prevent threats to the privacy of the individual, i.e. ensure that medical data of a patient is adequately protected when transmitted and processed by another organisation. The goal is to ensure compliance to security policy principles of an organisation in the trans-national transfer of personal data.
ISO/TS 25237 contains principles and requirements for privacy protection using pseudonymization of health records. The specification defines organisational and technical aspects for pseudonymization (reversible and irreversible) and gives a guide to risk assessment in case of re-identification. Furthermore, it specifies a policy framework and minimal requirements for pseudonymization.
ISO 27799 provides guidance for the application and implementation of ISO/IEC 2700 for the health sector. The target is organisations holding or processing personal health information and the standard describes how these organisations should protect the information and maintain the confidentiality, integrity and availability of personal health information.
Health Level Seven International (HL7) defines a set of international standards for the exchange, integration, sharing and retrieval of clinical and administrative health information between information systems used by various healthcare providers.
The HL7 Health Level Seven Version 3 (V3) standard focuses on interoperability of the health and medical transactions. It specifies how the information should be presented in a clinical context to ensure that the two parties of a transaction share the semantics of the data exchanged. The messaging standard defines a set of interactions, i.e. XML-based messages, to support all healthcare workflow. The Reference Information Model (ISO/HL7 21731) expresses the data content needed in a specific clinical or administrative context. The HL7 Development Framework (ISO/HL7 27931) specifies messaging, processes, tools, actors, rules, and artefacts relevant to development of all HL7 standard specifications for the development of an interoperable healthcare framework.