Da Vinci Prior Authorization Support (PAS) FHIR IG
2.0.1 - STU 2 (United States of America)

This page is part of the Da Vinci Prior Authorization Support (PAS) FHIR IG (v2.0.1: STU 2) based on FHIR (HL7® FHIR® Standard) R4. This is the current published version. For a full list of available versions, see the Directory of published versions

Privacy & Security

Page standards status: Informative


Privacy & Security Considerations

The profiles in this IG are defined to ensure that sufficient information is present to properly populate the X12 specifications, though they also allow additional data to be present. Conversely, data elements defined in the X12 specifications may be omitted; what data a payer requires to process a prior authorization is context- and business-rule-specific. Implementers submitting prior authorization requests using PAS must be aware of (and adhere to) their responsibilities with respect to data sharing imposed by regulations such as HIPAA's "minimum necessary" rule, patient consent rules, etc. This may involve allowing providers to review information prior to its transmission to the payer. Implementations SHALL permit provider review of data prior to transmission, but SHALL NOT require such review.

The sharing of information from provider to payer for determining prior authorization is subject to HIPAA’s “minimum necessary” regulations (specifically 45 CFR 164.514(d)(3) and (d)(4)). Payers are responsible for ensuring that only information necessary to make the prior authorization decision is solicited and providers are responsible for ensuring that only data that is reasonably relevant to the prior authorization decision is transmitted.

Some of the data shared as part of the prior authorization process may carry constraints on its use for other purposes, including subsequent disclosure to other payers, practitioners, policy-holders, etc. While HL7 FHIR supports conveying these constraints via security labels (meta.security) on the transmitted resources, the labels cannot currently be mapped to (and therefore cannot be found in) the X12 275 and 278 transactions. Payers who do not view the FHIR version of the transmitted information should be aware of this limitation and ensure they have policies that enforce appropriate sharing constraints on the data.
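The two points above (minimum necessary, and security labels that do not survive the X12 mapping) can both be checked at the moment a provider reviews a request before transmission. The following is an added example, not code from the PAS IG or any Da Vinci reference implementation. It walks a PAS request Bundle, reports what would be sent, flags resources whose security labels carry sharing constraints that the 275/278 transactions cannot carry, and flags resource types outside a payer-specific "needed for this decision" list. The restrictive label set and the allowed-type list are illustrative assumptions; the code system URLs are the real HL7 terminology systems used for FHIR security labels.

```javascript
// Added example (not part of the PAS IG): pre-transmission review of a PAS request
// Bundle for minimum-necessary and security-label concerns.

// Code systems used for FHIR security labels (real HL7 terminology URLs).
const CONFIDENTIALITY = 'http://terminology.hl7.org/CodeSystem/v3-Confidentiality';
const ACTCODE = 'http://terminology.hl7.org/CodeSystem/v3-ActCode';

// Illustrative policy (an assumption): labels whose sharing constraints the payer
// must honour but which the X12 275/278 transactions cannot convey.
// Replace with the organisation's own policy table.
const RESTRICTIVE_LABELS = new Set([
  `${CONFIDENTIALITY}|R`,    // restricted confidentiality
  `${CONFIDENTIALITY}|V`,    // very restricted confidentiality
  `${ACTCODE}|42CFRPart2`,   // records subject to 42 CFR Part 2
]);

function labelKey(coding) {
  return `${coding.system}|${coding.code}`;
}

// Review a Bundle before submission. `allowedTypes` is the (assumed, payer- and
// context-specific) set of resource types the payer needs for this decision.
function reviewBundleForTransmission(bundle, allowedTypes) {
  if (!bundle || bundle.resourceType !== 'Bundle') {
    throw new Error('expected a FHIR Bundle');
  }
  const report = { sent: [], restricted: [], outsideMinimumNecessary: [] };
  for (const entry of bundle.entry || []) {
    const r = entry.resource;
    if (!r) continue;
    const ref = `${r.resourceType}/${r.id}`;
    report.sent.push(ref);
    // meta.security is where FHIR carries security labels on a resource.
    const labels = ((r.meta && r.meta.security) || []).map(labelKey);
    const hits = labels.filter((l) => RESTRICTIVE_LABELS.has(l));
    if (hits.length > 0) report.restricted.push({ ref, labels: hits });
    if (!allowedTypes.has(r.resourceType)) report.outsideMinimumNecessary.push(ref);
  }
  // Anything labelled, or not obviously needed, should be shown to the provider.
  report.needsReview =
    report.restricted.length > 0 || report.outsideMinimumNecessary.length > 0;
  return report;
}

// Constructed sample: a PAS request Bundle in which one Condition is labelled.
const sampleBundle = {
  resourceType: 'Bundle',
  type: 'collection',
  entry: [
    { resource: { resourceType: 'Claim', id: 'pa-1', use: 'preauthorization' } },
    { resource: { resourceType: 'Patient', id: 'p1' } },
    { resource: { resourceType: 'Coverage', id: 'c1' } },
    {
      resource: {
        resourceType: 'Condition',
        id: 'cond-1',
        meta: {
          security: [
            { system: CONFIDENTIALITY, code: 'R' },
            { system: ACTCODE, code: '42CFRPart2' },
          ],
        },
      },
    },
    { resource: { resourceType: 'Observation', id: 'obs-1' } },
  ],
};

// Assumed payer rule for this request: only these resource types are needed.
const ALLOWED_FOR_THIS_REQUEST = new Set([
  'Claim', 'Patient', 'Coverage', 'Condition', 'Organization', 'Practitioner',
]);

const report = reviewBundleForTransmission(sampleBundle, ALLOWED_FOR_THIS_REQUEST);
console.log(JSON.stringify(report, null, 2));
```

The report is what a provider-facing review screen would render: the labelled Condition is called out because its constraints will be lost once the payer works from the X12 form, and the Observation is called out because the assumed payer rule did not ask for it. Neither finding blocks submission; the IG only requires that review be possible, not that it be mandatory.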

In order to access information about a prior authorization, the provider system will need to access the payer system. This requires that the provider system authenticate to the payer system or to an intermediary. The specifics of this authentication are covered in the Da Vinci HRex Implementation Guide. PAS Servers SHOULD support server-server OAuth and MAY support mutually authenticated TLS; a future release of this guide is expected to limit the options to server-server OAuth. Every system implementing the Prior Authorization guide will need to be aware of and follow the guidance in the FHIR Core Specification on Clinical Safety and on the Security and Privacy page in the Da Vinci HRex guide.

Once the system authentication has occurred, the payer will perform any authorization required for the provider to see the current state of the prior authorization.
