Designation: E 1988 - 98

An American National Standard

Standard Guide for Training of Persons who have Access to Health Information¹

This standard is issued under the fixed designation E 1988; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (e) indicates an editorial change since the last revision or reapproval.

1. Scope

1.1 This guide addresses the privacy, confidentiality, and security training of employees, agents and contractors who have access to health information. This access shall be authorized and required to meet job responsibilities. Training is essential to developing an understanding about, and sensitivity for, individually identifiable health information. Anyone in a setting that collects, maintains, transmits, stores or uses health information, or provides health services, or a combination thereof, shall provide privacy, confidentiality, and security awareness training to all staff and business partners. Training shall be based on job responsibilities.

1.2 This guide applies to all individuals, groups, organizations, data-users, data-managers, and public and private firms, companies, agencies, departments, bureaus, service-providers and similar entities that collect individual, group and organizational data related to health care. Any organization which handles or stores individually identifiable health information has the obligation to educate employees, agents, contractors, and volunteers and others with whom they have business relationships regarding the privacy, confidentiality, and security principles and policies and procedures of the organization.

1.3 ASTM Committee E-31 gratefully acknowledges the contribution of the Computer-Based Patient Record Institute (CPRI) in providing the document, Guidelines for Information Security Education Programs at Organizations Using Computer-based Patient Records, to serve as the basis of this guide.

2. Referenced Documents

2.1 ASTM Standards:
E 1869 Guide for Confidentiality, Privacy, Access and Data Security Principles for Health Information Including Computer Based Patient Records²

2.2 CPRI Guidelines:
Guidelines for Information Security Education Programs at Organizations Using Computer-based Patient Records June, 1995³

3. Terminology

3.1 Definitions:

3.1.1 access, n: The provision of an opportunity to approach, inspect, review, retrieve, store, communicate with, or make use of health information system resources (for example, hardware, software, systems, or structure) or patient identifiable data and information, or both. E 1869

3.1.2 confidential, adj: status accorded to data or information indicating that it is sensitive for some reason, and therefore it needs to be protected against theft, disclosure, or improper use, or both, and must be disseminated only to authorized individuals or organizations with a need to know. E 1869

3.1.3 disclosure, n: to access, release, transfer, or otherwise divulge health information to any internal or external user or entity other than the individual who is the subject of such information. E 1869

3.1.4 external disclosure, n: to release, transfer, or otherwise divulge confidential health information beyond the boundaries of the provider, healthcare organization or other entity which collected the data or holds the data for a specific health-related purpose.

3.1.4.1 Discussion: external disclosure usually requires the consent of the individual who is the subject of the information; exceptions to this rule are laws that require reporting for public health purposes or emergency treatment situations.

3.1.5 health information, n: any information, whether oral or recorded in any form or medium (1) that is created or received by a health care provider, a health plan, health researcher, public health authority, instructor, employer, school or university, health information service, or other entity that creates, receives, obtains, maintains, uses, or transmits health information; a health oversight agency, a health information service organization; or (2) that relates to the past, present, or future physical or mental health or condition of an individual, or the past, present, or future payment for the provision of health care to a protected individual; and (3) that identifies the individual with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. E 1869

4. Significance and Use

4.1 Health information systems should employ generally accepted security features; however, these features alone will not protect the confidentiality of individually identifiable health

¹ This guide is under the jurisdiction of ASTM Committee E31 on Healthcare Informatics and is the direct responsibility of Subcommittee E31.20 on Data and System Security for Health Information. Current edition approved Oct. 10, 1998. Published November 1998.

² Annual Book of ASTM Standards, Vol. 14.01.

³ CPRI, 4915 St. Elmo Avenue, Suite 401, Bethesda, MD 20814.

Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West C