This document defines the set of frameworks of consent for the collection, use and/or disclosure of personal information by healthcare practitioners or organizations that are frequently used to obtain agreement to process the personal health information of subjects of care. This is in order to provide an informational consent framework which can be specified and used by individual policy domains (e.g. healthcare organizations, regional health authorities, jurisdictions, countries) as an aid to the consistent management of information in the delivery of healthcare services and the communication of electronic health records across organizational and jurisdictional boundaries.

This document is applicable to Personal Health Information (PHI).

Good practice requirements are specified for each framework of informational consent. Adherence to these requirements is intended to ensure any subject of care and any parties that process personal health information that their agreement to do so has been properly obtained and correctly specified.

The document is intended to be used to inform:

—    discussion of national or jurisdictional informational consent policies;

—    ways in which individuals and the public are informed about how personal health information is processed within organizations providing health services and health systems;

—    how to judge the adequacy of the information provided when seeking informational consent;

—    design of both paper and electronic informational consent declaration forms;

—    design of those portions of electronic privacy policy services and security services that regulate access to personal health data;

—    working practices of organizations and personnel who obtain or comply with consent for processing personal health information.

The document does not:

—    address the granting of consent to the delivery of healthcare-related treatment and care. Consent to the delivery of care or treatment has its own specific requirements, and is distinct from informational consent.

—    specify what consent framework is applicable to a data classification or data purpose as this can vary according to law or policy, although an examples of implementation profile is provided in Annex B;

—    specify the data format used when consent status is communicated. The focus is on the information characteristics of consent, and not the technology or medium in which the characteristics are instantiated;

—    specify how individuals giving Informed Consent come to be informed of the responsibilities, obligations and consequences related to granting consent;

—    specify requirements on how individuals are informed of the specifics of the data, data sharing or data processing concerned;

—    specify requirements on how consent itself or the specific activities of the consent process are recorded. Specific requirements on recording consent in EHR systems are given in ISO/TS 14441:2013, 5.3.2;

—    specify any information security requirements, e.g. the use of encryption or specific forms of user authentication (see e.g. ISO 27799).