ISO/TS TECHNICAL SPECIFICATION 21547 First edition 2010-02-15 Health informatics Security requirements for archiving of electronic health records Principles Informatique de sante Exigences de sécurite pour I'archivage des dossiers de sante électroniques - Principes Reference number ISO/TS 21547:2010(E) @ ISO 2010 py IHS under lic itted without license from IHS Not for Resale ISO/TS 21547:2010(E) PDFdisclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The IsO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by IsO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below COPYRIGHT PROTECTED DOCUMENT ISO2010 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, ISsO's member body in the country of the requester. ISO copyright office Case postale 56 : CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail [email protected] Web www.iso.org Published in Switzerland @ ISO 2010 - All rights reserved T by IHS unde I without license from IHS Not for Resale ISO/TS 21547:2010(E) Contents Page Foreword .iv Introduction 1 Scope 2 Normative references. 3 Terms and definitions . 3.1 General terms 3.2 Security services terms 4 Abbreviated terms.. .8 5 General 9 6 EHR-archive and eArchiving process. 10 6.1 EHR and record 10 6.2 Archiving... 12 6.3 EHR-archive . 6.4 Backup versus EHR-archive 4 6.5 Elements of the EHR-archive . 14 6.6 Types of EHR-archive .. 6.7 Online storage .... 7 6.8 The eArchiving process for EHRs 17 6.9 eArchiving process and records management. .19 7 Environment of the EHR-archive 21 8 Policies and responsibilities 22 8.1 Responsibilities... 22 8.2 Policies. .24 9 Security and privacy protection architecture 25 10 Security and privacy protection requirements for the eArchiving process. 25 10.1 25 10.2 Policies and responsibilities .. 26 10.3 Requirements derived from legislation... 27 10.4 Requirements for availability ... .30 10.5 Requirements for integrity.... 10.6 Requirements for confidentiality . .36 10.7 Requirementfornon-repudiation.. 37 Annex A (informative) Framework for long-term archiving of EHRs in Finland.... .39 Annex B (informative) Framework for digital archiving of health records in the UK.. 45 Annex C (informative) Framework for digital archiving of health records in Japan .. ...53 Annex D (informative) Framework for digital archiving of health records in the USA - Rules and requirements derived from HIPAA. ..56 Annex E (informative) Comparison of Iso 15489-1 and IsO/Ts 21547 security requirements for archiving of electronic health records.. Annex F (normative) Summary of normative requirements. Bibliography CopyrghtInternational OrganizaionSadardizaoghtsreserved ii Not for Resale ISO/TS21547:2010(E) Foreword Iso (the International Organization for Standardization) is a worldwide federation of national standards bodies technicalcommittees.Eachmemberbodyinterestedinasubjectforwhichatechnicalcommitteehasbeer International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/lEc Directives, Part 2 adopted by the technical committees are circulated to the member bodies for voting. Publication a