STU 3 Ballot

This page is part of the FHIR Specification (v1.6.0: STU 3 Ballot 4). The current version which supercedes this version is 5.0.0. For a full list of available versions, see the Directory of published versions . Page versions: R4 R3

V3-ConfidentialityClassification.xml

Raw XML (canonical form)

Set of codes used to value Act.Confidentiality and Role.Confidentiality attribute in accordance with the definition for concept domain "Confidentiality".

<ValueSet xmlns="http://hl7.org/fhir">
  <id value="v3-ConfidentialityClassification"/>
  <meta>
    <lastUpdated value="2016-08-11T17:02:54.322+10:00"/>
    <profile value="http://hl7.org/fhir/StructureDefinition/valueset-shareable-definition"/>
  </meta>
  <text>
    <status value="generated"/>
    <div xmlns="http://www.w3.org/1999/xhtml">
      <h2>ConfidentialityClassification</h2>
      <div>
        <p>Set of codes used to value Act.Confidentiality and Role.Confidentiality attribute in accordance
             with the definition for concept domain &quot;Confidentiality&quot;.</p>

      </div>
      <p>This value set includes codes from the following code systems:</p>
      <ul>
        <li>Include these codes as defined in 
          <a href="../../v3/Confidentiality/cs.html">http://hl7.org/fhir/v3/Confidentiality</a>
          <table>
            <tr>
              <td>
                <b>Code</b>
              </td>
              <td>
                <b>Display</b>
              </td>
            </tr>
            <tr>
              <td>U</td>
              <td>unrestricted</td>
              <td>Definition: Privacy metadata indicating that the information is not classified as sensitive.
                <br/>
                        
                           Examples: Includes publicly available information, e.g., business
                   name, phone, email or physical address.
                <br/>
                        
                           Usage Note: This metadata indicates that the receiver has no
                   obligation to consider additional policies when making access control decisions.   Note
                   that in some jurisdictions, personally identifiable information must be protected as confidential,
                   so it would not be appropriate to assign a confidentiality code of &quot;unrestricted&quot;
                    to that information even if it is publicly available.
              </td>
            </tr>
            <tr>
              <td>L</td>
              <td>low</td>
              <td>Definition: Privacy metadata indicating that the information has been de-identified, and
                   there are mitigating circumstances that prevent re-identification, which minimize risk
                   of harm from unauthorized disclosure.  The information requires protection to maintain
                   low sensitivity.
                <br/>
                        
                           Examples: Includes anonymized, pseudonymized, or non-personally
                   identifiable information such as HIPAA limited data sets.
                <br/>
                        
                           Map: No clear map to ISO 13606-4 Sensitivity Level (1) Care
                   Management:   RECORD_COMPONENTs that might need to be accessed by a wide range of administrative
                   staff to manage the subject of care's access to health services.
                <br/>
                        
                           Usage Note: This metadata indicates the receiver may have an
                   obligation to comply with a data use agreement.
              </td>
            </tr>
            <tr>
              <td>M</td>
              <td>moderate</td>
              <td>Definition: Privacy metadata indicating moderately sensitive information, which presents
                   moderate risk of harm if disclosed without authorization.
                <br/>
                        
                           Examples: Includes allergies of non-sensitive nature used inform
                   food service; health information a patient authorizes to be used for marketing, released
                   to a bank for a health credit card or savings account; or information in personal health
                   record systems that are not governed under health privacy laws.
                <br/>
                        
                           Map: Partial Map to ISO 13606-4 Sensitivity Level (2) Clinical
                   Management:  Less sensitive RECORD_COMPONENTs that might need to be accessed by a wider
                   range of personnel not all of whom are actively caring for the patient (e.g. radiology
                   staff).
                <br/>
                        
                           Usage Note: This metadata indicates that the receiver may be
                   obligated to comply with the receiver's terms of use or privacy policies.
              </td>
            </tr>
            <tr>
              <td>N</td>
              <td>normal</td>
              <td>Definition: Privacy metadata indicating that the information is typical, non-stigmatizing
                   health information, which presents typical risk of harm if disclosed without authorization.
                <br/>
                        
                           Examples: In the US, this includes what HIPAA identifies as
                   the minimum necessary protected health information (PHI) given a covered purpose of use
                   (treatment, payment, or operations).  Includes typical, non-stigmatizing health information
                   disclosed in an application for health, workers compensation, disability, or life insurance.
                <br/>
                        
                           Map: Partial Map to ISO 13606-4 Sensitivity Level (3) Clinical
                   Care:   Default for normal clinical care access (i.e. most clinical staff directly caring
                   for the patient should be able to access nearly all of the EHR).   Maps to normal confidentiality
                   for treatment information but not to ancillary care, payment and operations.
                <br/>
                        
                           Usage Note: This metadata indicates that the receiver may be
                   obligated to comply with applicable jurisdictional privacy law or disclosure authorization.
              </td>
            </tr>
            <tr>
              <td>R</td>
              <td>restricted</td>
              <td>Privacy metadata indicating highly sensitive, potentially stigmatizing information, which
                   presents a high risk to the information subject if disclosed without authorization. May
                   be pre-empted by jurisdictional law, e.g., for public health reporting or emergency treatment.
                <br/>
                        
                           Examples: Includes information that is additionally protected
                   such as sensitive conditions mental health, HIV, substance abuse, domestic violence, child
                   abuse, genetic disease, and reproductive health; or sensitive demographic information
                   such as a patient's standing as an employee or a celebrity. May be used to indicate proprietary
                   or classified information that is not related to an individual, e.g., secret ingredients
                   in a therapeutic substance; or the name of a manufacturer.
                <br/>
                        
                           Map: Partial Map to ISO 13606-4 Sensitivity Level (3) Clinical
                   Care: Default for normal clinical care access (i.e. most clinical staff directly caring
                   for the patient should be able to access nearly all of the EHR). Maps to normal confidentiality
                   for treatment information but not to ancillary care, payment and operations..
                <br/>
                        
                           Usage Note: This metadata indicates that the receiver may be
                   obligated to comply with applicable, prevailing (default) jurisdictional privacy law or
                   disclosure authorization..
              </td>
            </tr>
            <tr>
              <td>V</td>
              <td>very restricted</td>
              <td>. Privacy metadata indicating that the information is extremely sensitive and likely stigmatizing
                   health information that presents a very high risk if disclosed without authorization.
                    This information must be kept in the highest confidence.  
                <br/>
                        
                           Examples:  Includes information about a victim of abuse, patient
                   requested information sensitivity, and taboo subjects relating to health status that must
                   be discussed with the patient by an attending provider before sharing with the patient.
                    May also include information held under “legal lock� or attorney-client privilege
                <br/>
                        
                           Map:  This metadata indicates that the receiver may not disclose
                   this information except as directed by the information custodian, who may be the information
                   subject.
                <br/>
                        
                           Usage Note:  This metadata indicates that the receiver may
                   not disclose this information except as directed by the information custodian, who may
                   be the information subject.
              </td>
            </tr>
          </table>
        </li>
      </ul>
    </div>
  </text>
  <url value="http://hl7.org/fhir/ValueSet/v3-ConfidentialityClassification"/>
  <identifier>
    <system value="urn:ietf:rfc:3986"/>
    <value value="urn:oid:2.16.840.1.113883.1.11.10228"/>
  </identifier>
  <version value="2014-03-26"/>
  <name value="ConfidentialityClassification"/>
  <status value="active"/>
  <experimental value="false"/>
  <publisher value="HL7 v3"/>
  <contact>
    <telecom>
      <system value="other"/>
      <value value="http://www.hl7.org"/>
    </telecom>
  </contact>
  <description value=" Set of codes used to value Act.Confidentiality and Role.Confidentiality attribute in
     accordance with the definition for concept domain &quot;Confidentiality&quot;."/>
  <compose>
    <include>
      <system value="http://hl7.org/fhir/v3/Confidentiality"/>
      <concept>
        <code value="U"/>
      </concept>
      <concept>
        <code value="L"/>
      </concept>
      <concept>
        <code value="M"/>
      </concept>
      <concept>
        <code value="N"/>
      </concept>
      <concept>
        <code value="R"/>
      </concept>
      <concept>
        <code value="V"/>
      </concept>
    </include>
  </compose>
</ValueSet>

Usage note: every effort has been made to ensure that the examples are correct and useful, but they are not a normative part of the specification.