本文件定义了医疗保健从业人员或组织收集、使用和/或披露个人信息的一套同意框架，这些人员或组织通常用于获得处理受护理者个人健康信息的协议。这是为了提供一个信息同意框架，该框架可由各个政策领域（例如医疗保健组织、区域卫生当局、司法管辖区、国家）指定和使用，以帮助在医疗保健服务提供过程中对信息进行一致管理，并跨组织和司法管辖区交流电子健康记录边界。 本文件适用于个人健康信息（PHI）。 每个信息同意框架都规定了良好实践要求。 遵守这些要求旨在确保护理对象和处理个人健康信息的任何一方已正确获得并正确指定其同意。 本文件旨在告知: —？讨论国家或司法信息同意政策； —？向个人和公众通报在提供卫生服务和卫生系统的组织内如何处理个人健康信息的方式； —？在寻求信息同意时，如何判断所提供信息的充分性； —？设计纸质和电子信息同意声明表； —？设计电子隐私政策服务和安全服务中规范个人健康数据访问的部分； —？获得或遵守个人健康信息处理同意的组织和人员的工作实践。 该文件不: —？解决同意提供医疗保健相关治疗和护理的问题。同意提供护理或治疗有其特定的要求，与信息同意不同。 —？说明什么样的同意框架适用于数据分类或数据用途，因为这可能根据法律或政策而有所不同，尽管附件B中提供了实施概况的示例； —？指定传达同意状态时使用的数据格式。重点是同意的信息特征，而不是体现这些特征的技术或媒介； —？规定给予知情同意的个人如何获知与给予同意相关的责任、义务和后果； —？规定如何向个人告知有关数据、数据共享或数据处理的细节的要求； —？指定如何记录同意本身或同意过程的特定活动的要求。ISO/TS中给出了EHR系统中记录同意的具体要求14441:2013, 5.3.2; —？指定任何信息安全要求，例如使用加密或特定形式的用户身份验证（参见ISO？27799）。

This document defines the set of frameworks of consent for the collection, use and/or disclosure of personal information by healthcare practitioners or organizations that are frequently used to obtain agreement to process the personal health information of subjects of care. This is in order to provide an informational consent framework which can be specified and used by individual policy domains (e.g. healthcare organizations, regional health authorities, jurisdictions, countries) as an aid to the consistent management of information in the delivery of healthcare services and the communication of electronic health records across organizational and jurisdictional boundaries. This document is applicable to Personal Health Information (PHI). Good practice requirements are specified for each framework of informational consent. Adherence to these requirements is intended to ensure any subject of care and any parties that process personal health information that their agreement to do so has been properly obtained and correctly specified. The document is intended to be used to inform: —？discussion of national or jurisdictional informational consent policies; —？ways in which individuals and the public are informed about how personal health information is processed within organizations providing health services and health systems; —？how to judge the adequacy of the information provided when seeking informational consent; —？design of both paper and electronic informational consent declaration forms; —？design of those portions of electronic privacy policy services and security services that regulate access to personal health data; —？working practices of organizations and personnel who obtain or comply with consent for processing personal health information. The document does not: —？address the granting of consent to the delivery of healthcare-related treatment and care. Consent to the delivery of care or treatment has its own specific requirements, and is distinct from informational consent. —？specify what consent framework is applicable to a data classification or data purpose as this can vary according to law or policy, although an examples of implementation profile is provided in Annex B; —？specify the data format used when consent status is communicated. The focus is on the information characteristics of consent, and not the technology or medium in which the characteristics are instantiated; —？specify how individuals giving Informed Consent come to be informed of the responsibilities, obligations and consequences related to granting consent; —？specify requirements on how individuals are informed of the specifics of the data, data sharing or data processing concerned; —？specify requirements on how consent itself or the specific activities of the consent process are recorded. Specific requirements on recording consent in EHR systems are given in ISO/TS？14441:2013, 5.3.2; —？specify any information security requirements, e.g. the use of encryption or specific forms of user authentication (see e.g. ISO？27799).