Designation: E1986 − 09 (Reapproved 2013)
An American National Standard

Standard Guide for Information Access Privileges to Health Information¹

This standard is issued under the fixed designation E1986; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.

1. Scope*

1.1 This guide covers the process of granting and maintaining access privileges to health information. It directly addresses the maintenance of confidentiality of personal, provider, and organizational data in the healthcare domain. It addresses a wide range of data and data elements not all traditionally defined as healthcare data, but all elemental in the provision of data management, data services, and administrative and clinical healthcare services. In addition, this guide addresses specific requirements for granting access privileges to patient-specific health information during health emergencies.

1.2 This guide is based on long-term existing and established professional practices in the management of healthcare administrative and clinical data. Healthcare data, and specifically healthcare records (also referred to as medical records or patient records), are generally managed under similar professional practices throughout the United States, essentially regardless of specific variations in local, regional, state, and federal laws regarding rules and requirements for data and record management.

1.3 This guide applies to all individuals, groups, organizations, data-users, data-managers, and public and private firms, companies, agencies, departments, bureaus, service-providers, and similar entities that collect individual, group, and organizational data related to health care.

1.4 This guide applies to all collection, use, management, maintenance, disclosure, and access of all individual, group, and organizational data related to health care.

1.5 This guide does not attempt to address specific legislative and regulatory issues regarding individual, group, and organizational rights to protection of privacy.

1.6 This guide covers all methods of collection and use of data whether paper-based, written, printed, typed, dictated, transcribed, forms-based, photocopied, scanned, facsimile, telefax, magnetic media, image, video, motion picture, still picture, film, microfilm, animation, 3D, audio, digital media, optical media, synthetic media, or computer-based.

1.7 This guide does not directly define explicit disease-specific and evaluation/treatment-specific data control or access, or both. As defined under this guide, the confidential protection of elemental data elements in relation to which data elements fall into restrictive or specifically controlled categories, or both, is set by policies, professional practice, and laws, legislation and regulations.

2. Referenced Documents

2.1 ASTM Standards:²
E1869 Guide for Confidentiality, Privacy, Access, and Data Security Principles for Health Information Including Electronic Health Records
E2595 Guide for Privilege Management Infrastructure

3. Terminology

3.1 Definitions:

3.1.1 access—the provision of an opportunity to approach, inspect, review, retrieve, store, communicate with, or make use of health information system resources (for example, hardware, software, systems, or structure) or patient identifiable data and information, or both. (E1869)

3.1.2 access control—the prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.

3.1.2.1 Discussion—Access control counters the threat of unauthorized access to, disclosure of, or modification of data. (ISO 7498-2)

3.1.3 accountability—the property that ensures that the actions of an entity can be traced. (ISO 7498-2)

3.1.4 audit trail—data collected and potentially used to facilitate a security audit. (ISO 7498-2)

3.1.5 authentication—the corroboration that an entity is the one claimed. (ISO 7498-2)

3.1.6 authorize—the granting to a user the right of access to specified data and information, a program, a terminal, or a process. (E1869)

3.1.7 authorization—(1) The granting of rights, which includes the granting of access based on access rights. (2) The mechanism for

¹ This guide is under the jurisdiction of ASTM Committee E31 on Healthcare Informatics and is the direct responsibility of Subcommittee E31.25 on Healthcare Data Management, Security, Confidentiality, and Privacy.
Current edition approved March 1, 2013. Published March 2013. Originally approved in 1998. Last previous edition approved in 2009 as E1986 − 09. DOI: 10.1520/E1986-09R13.

² For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards volume information, refer to the standard's Document Summary page on the ASTM website.

* A Summary of Changes section appears at the end of this standard.

Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959, United States