Saudi Health Information Exchange Policies

Policy
Policy # 1 - Saudi Health Information Exchange Definitions

Term Definition
Access Control A means of ensuring that the resources of a data processing system can be accessed only by authorized entities in authorized ways. [ISO/IEC 2382-8]
Accountability Property that ensures that the actions of an entity may be traced to that entity. [ISO 7498-2]
Anonymization Process that removes the association between the identifying data set and the data subject. [ISO/TS 25237]
Assurance In the context of NIST SP 800-63, assurance is defined as 1) the degree of confidence in the vetting process used to establish the identity of an individual to whom the credential was issued, and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued. [NIST 800-63-1]
Audit Systematic and independent examination of accesses, additions, or alterations to electronic health records to determine whether the activities were conducted, and the data were collected, used, retained or disclosed according to organizational standard operating procedures, policies, good clinical practice, and applicable regulatory requirement(s). [ISO 27789]
Audit Log Chronological sequence of audit records, each of which contains data about a specific event. [ISO 27789]
Audit Record Record of a single specific event in the life cycle of an electronic health record. [ISO 27789]
Audit Record Repository (ARR) Receives and stores audit records from sources and consumers of the Saudi eHealth Information Exchange managed health information.
Audit Trail Collection of Audit Records from one or more Audit Logs relating to a specific Subject of Care or a specific electronic health record. [ISO 27789]
Audit Trails and Node Authentication (ATNA) IHE profile that establishes the characteristics of a basic secure node.
Authentication The process of reliable security identification of subjects by incorporating an identifier and its authenticator. [ISO 7498-2]
Authorization The granting of rights, which includes the granting of access based on access rights. [ISO 7498-2]
Availability The property of being accessible and useable upon demand by an authorized entity. [ISO 7498-2]
Breach A Breach is a Reportable Event that, once investigated, is confirmed to have compromised the security or privacy of the Personal Health Information (PHI).
Break-Glass "Break the glass" relates to an “emergency” and “temporary” authorization of a system user and is required to obtain access to information.
Business Associate (BA) A person or entity that performs certain functions or activities for, or provides services to, a Regulated Health Professional or entity involving the use or disclosure of PHI. [Adapted from HIPAA]
Certification Authority (CA) Authority trusted by one or more users to create and assign public-key certificates. [ISO-9594-8].
Collected Obtained and persisted. [ISO/TS 14265]
Confidentiality Property that information is not made available or disclosed to unauthorized individuals, entities, or processes. [ISO 7498-2]
Credential An object that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a person. [NIST 800-63-1]
Data Integrity Property that data has not been altered or destroyed in an unauthorized manner. [ISO 7498-2]
[Data subject's] consent Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. [ISO /IS 22857]
Data Use Agreement Comprehensive agreement that governs the exchange of health data between participants in the Saudi Health Information Exchange.
De-identification De-identification is the general term for any process of removing the association between a set of identifying data and the data subject. [ISO/TS 25237]
Emergency Access Access to data for the provision of care where threat of injury or death requires special permissions or override of other controls in order to ensure uninterrupted and urgent treatment. [ISO/TS 14265]
Encryption Cryptographic transformation of data to produce ciphertext [ISO 7498-2]. A ciphertext is data produced through the use of encryption, the semantic content of which is not available without the use of cryptographic techniques. [ISO/IEC 2382-08]
External Privacy and Security Audit Verification by someone outside of the organization that the systems are managed according to specified requirements.
Health Information Exchange Nodes (HIE Nodes) HIE nodes are those systems (Electronic Medical Records, Public Health Information Systems) that are connected to Saudi Health Information Exchange Systems.
Health Information Management Mainly responsible for providing medical records and healthcare information management services. [AHIMA]
Health Record Repository of information regarding the health of a subject of care. [ISO 13606-1] Under this policy, this refers to all personal health information accessible through the Saudi Health Information Exchange.
Healthcare Organization Officially registered organization [under the umbrella of Saudi Council of Health Services] that has a main activity related to healthcare services or health promotion. [ISO/ IS 17090]
HIE Node Authentication Describes authenticating each computer system to the Saudi Health Information Exchange.
Identification Performance of tests to enable a data processing system to recognize entities. [ISO/IEC 2382-8]
Identifier Piece of information used to claim an identity, before a potential corroboration by a corresponding authenticator. [ENV 13608-1]
Internal Privacy and Security Audit Verification by someone inside of the organization (Saudi Health Information Exchange or Saudi Health Information Exchange service providers) to ensure that the systems are managed according to specified requirements.
Non-Regulated Health Professional Person employed by a healthcare organization who is not a regulated health professional.

EXAMPLES: Medical receptionist who organizes appointments or a nurse’s aide who assists with patient care.

NOTE: The fact that a body independent of the employer does not authorize the employee’s professional capacity does not, of course, imply that the employee is not professional in conducting her/his services. [ISO/ IS 17090]
Organization Healthcare organization or a supporting organization.
(Organization) Employee Person employed by a healthcare organization or a supporting organization.

EXAMPLES: Medical records transcriptionists, healthcare insurance claims adjudicator, and pharmaceutical order entry clerks. [ISO /IS 17090]
Organization Roles Organization roles correspond to the hierarchical organization in an [organization] in terms of internal structures. [Neumann/Strembeck]
Participating Healthcare Subscriber (PHCS) Any healthcare institution or healthcare professional that has executed an effective Participation Agreement with the Saudi Health Information Exchange. This may be a Healthcare Organization, a Supporting Organization, or a Regulated Health Professional.
Personal Health Information (PHI) Information about an identifiable person which relates to the physical or mental health of the individual, or to provision of health services to the individual, and which may include: a) information about the registration of the individual for the provision of health services; b) information about payments or eligibility for healthcare with respect to the individual; c) a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; d) any information about the individual collected in the course of the provision of health services to the individual; e) information derived from the testing or examination of a body part or bodily substance; f) identification of a person (e.g., a health professional) as provider of healthcare to the individual. [ISO 27799]
Privacy Freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about that individual. [ISO/IEC 2382-8]. In the context of the Saudi HIE, it refers to an individual's interest in limiting who has access to personal healthcare information. [HIPAA]
Privacy and Security Audit Audit focused on assuring conformance to privacy and security practices and procedures.
Pseudonymization Pseudonymization is a process by which identifying information of a data subject is removed while retaining a link between multiple records pertaining to the data subject. [ISO/ TS 25237]
Pseudonymization, irreversible The process of pseudonymization is said to be irreversible if, for any passage from identifiable to pseudonymous, it is computationally infeasible to trace back to the original identifier from the pseudonym. [ISO/TS 25237]
Registration Authority (RA) Entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates (i.e. an RA is delegated certain tasks on behalf of a CA). [IETF/RFC 3647]
Regulated Health Professional Person who is authorized by a nationally recognized body [SCFHS, Saudi Commission for Health Specialties] and qualified to perform certain health services.

EXAMPLES: Physicians, registered nurses, and pharmacists [e.g. Saudi-licensed practitioners]

NOTE 1: The types of registering or accrediting bodies differ in different countries and for different professions. Nationally recognized bodies include local or regional governmental agencies, independent professional associations, and other formally and nationally recognized organizations. They MAY be exclusive or non-exclusive in their territory.

NOTE 2: A nationally recognized body in this definition does not imply one nationally controlled system of professional registration but, in order to facilitate international communication, it would be preferable for one nationwide directory of recognized health professional registration bodies to exist. [ISO 17090]
Remote Access Access to the Saudi Health Information Exchange from a device connected to a HIE node and situated outside of the physical and environmental control of the corresponding PHCS. This would typically include access to a HIE node from a remote location such as from home.
Reportable Event A Reportable Event is an action (or lack of action), suspected or confirmed, that violates Saudi Health Information Exchange policies and procedures for accessing or using PHI managed by the Saudi Health Information Exchange. Such violations may be unintentional or intentional.
Role Set of competences and/or performances that are associated with a task. [ISO/ TS 21298]
Saudi Health Information Exchange (SeHe) The Saudi organization known as SeHe that delivers capabilities to enable the electronic sharing of health-related information and health-related services across the country of Saudi Arabia.
Saudi Health Information Exchange Infrastructure Service Provider An entity operating and managing the core services supporting the Saudi Health Information Exchange systems (e.g. Provider Registry, Client Registry, Clinical Data Repository, etc.)
Saudi Health Information Exchange Systems All hardware and software components providing the infrastructure to enable the Saudi Health Information Exchange. HIE nodes are not components of the Saudi Health Information Exchange Systems.
Secondary use of personal data (Repurposing data) Secondary use of personal data is any use different from primary use [ISO/ TS 25237]

NOTE: For example, the primary use is for treating the individual patient; we can consider that the secondary use is for purposes other than treating the individual patient, such as for research or marketing.
Security Combination of availability, confidentiality, integrity, and accountability. [ENV 13608-1]
Sensitive PHI PHI subject to heightened confidentiality requirements (at least including but not limited to mental health, substance abuse, genetic information, sexually transmitted disease, reproductive health).
Sensitivity Measure of importance assigned to information to denote its need for protection. [ISO 13606-4]
Shall Whenever it occurs in this policy, SHALL means the action must be taken.
Should Whenever it occurs in this policy, SHOULD means it is a recommendation that an action ought to be done, but it is not required.
Special Notice / Notice of privacy practice Notice given to patients by a Participating Healthcare Subscriber explaining the Saudi Health Information Exchange and the patient’s rights regarding disclosure of PHI from the Saudi Health Information Exchange.
Sponsored Healthcare Provider Health services provider who is not a regulated professional in the jurisdiction of his/her practice, but who is active in his/her healthcare community and sponsored by a regulated healthcare organization. [ISO /IS 17090]

NOTE: In Saudi Arabia, this may be, for instance, a Healthcare Provider that is licensed in another country and contracted as a temporary provider by a Saudi Hospital.
Subject of Care Person who receives health-related services and has health information contained within the Saudi Health Information Exchange; any person who uses or is a potential user of a healthcare service; subjects of care may also be referred to as patients, healthcare consumers or Subjects of Care. [ISO/TS 22220]
Subscriber A party who receives a credential or token from a certification service provider. [NIST 800-63-1]
Supporting Organization Officially registered organization which is providing services to a healthcare organization, but which is not providing healthcare services.

EXAMPLES: Healthcare financing bodies such as insurance institutions, suppliers of pharmaceuticals and other goods. [ISO /IS 17090]
Trusted Third Party Third party who is considered trusted for purposes of a security protocol.
Last Update : 10 April 2014 05:50 PM