This part of ISO/TS 22600 instantiates requirements for repositories for access control policies and requirements for privilege management infrastructures for health informatics. It provides implementation examples of the formal models specified in ISO/TS 22600-2. This part of ISO/TS 22600 is strongly related to other ISO/TC 215 documents, such as ISO 17090, ISO 22857 and ISO/TS 21091. It is also related to ISO/TS 21298. This part of ISO/TS 22600 excludes platform-specific and implementation details. It does not specify technical communication security services, authentication techniques and protocols that have been established in other standards such as, for example, ISO 7498-2, ISO/IEC 10745 (ITU-T X.803), ISO/IEC TR 13594 (ITU-T X.802), ISO/IEC 10181-1 (ITU-T X.810), ISO/IEC 9594-8 Authentication framework (equivalent to ITU-T X.509), ISO/IEC 9796, ISO/IEC 9797 and ISO/IEC 9798. ISO/TS 22600 defines privilege management and access control services required for the communication and use of distributed health information over domain and security borders. ISO/TS 22600 introduces principles and specifies services needed for managing privileges and access control. It specifies the necessary component-based concepts and is intended to support their technical implementation. It does not specify the use of these concepts in particular clinical process pathways nor does it address the safety concerns, if any, associated with their use. While ISO/TS 22600-1 is a narrative introducing the problem of policy bridging in the context of interorganizational communication and cooperation, ISO/TS 22600-2 defines a generic development process for analysing, designing, implementing and semantically deploying health information systems. The security services needed due to legal, social, organizational, user-related, functional and technological requirements have to be embedded in the advanced and sustainable system architecture meeting the paradigms for semantic interoperability.