Patient Cost Transparency Implementation Guide
1.1.0 - STU 1 United States of America flag

This page is part of the Da Vinci Patient Cost Transparency Implementation Guide (v1.1.0: STU 1) based on FHIR (HL7® FHIR® Standard) R4. This is the current published version in its permanent home (it will always be available at this URL). For a full list of available versions, see the Directory of published versions

Security

Page standards status: Informative

Privacy & Security Considerations

The sharing of information from provider to payer for determining an Advanced Explanation of Benefits (AEOB) is subject to the Health Insurance Portability and Accountability Act’s (HIPAA) “minimum necessary” regulations (specifically 45 CFR 164.514(d)(3) and (d)(4)). Payers are responsible for ensuring that only information necessary to create an AEOB is solicited, and providers are responsible for ensuring that only data that is reasonably relevant to creating an AEOB is transmitted.

Some of the data shared as part of the AEOB process may have associated constraints on the use of that information for other purposes, including subsequent disclosure to other payers, practitioners, policyholders, etc. While HL7 FHIR supports conveying this information via security labels on transmitted resources, this information is not currently mappable (and thus findable) in the X12 837 transactions. Payers who do not view the FHIR version of the transmitted information should be aware of the possibility of these limitations and ensure they have policies that enforce appropriate sharing constraints on data.

To access information about an AEOB, the provider system will need to access the payer system. This will require that the provider system authenticates to the payer system or an intermediary. The Da Vinci HRex Implementation guide specifies how this authentication is handled. PCT Servers SHOULD support server-server OAuth and MAY support mutually authenticated TLS . In a future release of this guide, direction will limit the option to server-server OAuth . Every system claiming conformance to this IG SHALL meet the requirements defined in the Security and Privacy section of the Da Vinci HRex IG. The FHIR implementer’s Safety Checklist helps implementers be sure that they have considered all the parts of FHIR that impact their system design regarding privacy, security, provenance, and safety.

Once the system authentication has occurred, the payer will perform any authorization required for the provider to see the current state of the AEOB.