HL7.FHIR.UV.SECURITY-LABEL-DS4P\Value set definition for Privacy Policy

This page is part of the FHIR Data Segmentation for Privacy (v0.1.0: STU 1 Ballot 1) based on FHIR R4. . For a full list of available versions, see the Directory of published versions

Value set definition for Privacy Policy

Summary

Defining URL:

http://hl7.org/fhir/uv/security-label-ds4p/ValueSet/valueset-privacy-policy

Version:

0.2.0

Name:

ValueSetPrivacyPolicy

Status:

draft

Title:

Definition:

Security label metadata that 'segments' an IT resource by conveying a mandate, obligation, requirement, rule, or expectation relating to its privacy.

Publisher:

HL7 International - Security Work Group

Source Resource:

XML / JSON / Turtle

References

The Basis for Security Label

Content Logical Definition

Definition

Include codes from http://terminology.hl7.org/CodeSystem/v3-ActCode where concept is-a _ActConsentType
Include codes from http://terminology.hl7.org/CodeSystem/v3-ActCode where concept is-a _ActConsentDirective
Include codes from http://terminology.hl7.org/CodeSystem/v3-ActCode where concept is-a _ActPrivacyLaw

Include these codes as defined in http://terminology.hl7.org/CodeSystem/v3-ActCode

Code	Display
GDPRCD	GDPR Consent Directive
GDPRResearchCD	GDPR Research Consent Directive
OIC	opt-in to personal information or effect collection in a registry or repository
OIS	opt-in to personal information or effect sharing via a registry or repository
OOC	opt-out of personal information or effect collection in a registry or repository
OOS	opt-out of personal information or effect sharing via a registry or repository
42CFRPart2CD	42 CFR Part 2 consent directive
CompoundResearchCD	Compound HIPAA Research Authorization and Informed Consent for Research
HIPAAAuthCD	HIPAA Authorization Consent Directive
HIPAAConsentCD	HIPAA Consent Directive
HIPAAResearchAuthCD	HIPAA Authorization for Disclosure for Research Consent Directive
HIPAAROAD	HIPAA Right of Access Directive
InformedAssentCD	Informed Assent for Research
InformedConsentCD	Informed Consent for Research
MDHHS-5515	Michigan Consent to Share Behavioral Health Information for Care Coordination Purposes
MDHHS-5515MMHC	Michigan Consent to Share Behavioral Health Information for Care Coordination Purposes-Michigan Mental Health Code
MDHHS-5515Part2	Michigan Consent to Share Behavioral Health Information for Care Coordination Purposes-US 42 CFR Part 2
JurisIP	jurisdictional information policy
JurisCUI	jurisdictional controlled unclassified information policy
JurisDEID	jurisdictional de-identified information poli
JurisLDS	jurisdictional limited data set
JurisNSI	jurisdictional non-sensitive information policy
JurisPI	jurisdictional public information policy
JurisSP-CUI	jurisdictional specified controlled unclassified information policy
JurisUUI	jurisdictional uncontrolled unclassified information policy
OrgIP	organizational information policy
OrgCUI	organizational basic controlled unclassified information policy
OrgDEID	organizational de-identified information policy
OrgLDS	organizational limited data set information policy
OrgNSI	organizational non-sensitive information policy
OrgPI	organizational public information policy
OrgSP-CUI	Organizational policy on collection, access, use, or disclosure of specified controlled unclassified information as defined by the organization or by applicable jurisdictional law.
OrgUUI	organizational uncontrolled unclassified information policy
PersIP	personal information policy
PersDEID	personal de-identified information policy
PersLDS	personal limited data set information policy
PersNSI	personal non-sensitive information policy
PersPI	personal public information policy
GDPRCONSENT	GDPR consent
GDPRCONTRACT	GDPR contract
GDPRLEGALCLAIM	GDPR legal claim
GDPRLEGALOBL	GDPR legal obligation
GDPRLEGITINTEREST	GDPR legitimate interest
GDPRPUBLICHEALTH	GDPR public health
GDPRPUBLICINTEREST	GDPR public interest
GDPRRESEARCH	GDPR research
GDPRHTHSOCSYS	GDPR health or social system management
GDPRVITALINTEREST	GDPR vital interest
32CFRPart2002	32 CFR Part 2002
HIPAAAuth	HIPAA Authorization for Disclosure
HIPAAConsent	HIPAA Consent
HIPAAROA	HIPAA Right of Access

This value set includes codes based on the following rules:

Expansion

This value set contains 78 concepts

Expansion based on http://terminology.hl7.org/CodeSystem/v3-ActCode version 2018-08-12

All codes from system http://terminology.hl7.org/CodeSystem/v3-ActCode

Code	Display	Definition
ICOL	information collection	Definition: Consent to have healthcare information collected in an electronic health record. This entails that the information may be used in analysis, modified, updated.
IDSCL	information disclosure	Definition: Consent to have collected healthcare information disclosed.
INFA	information access	Definition: Consent to access healthcare information.
INFAO	access only	Definition: Consent to access or "read" only, which entails that the information is not to be copied, screen printed, saved, emailed, stored, re-disclosed or altered in any way. This level ensures that data which is masked or to which access is restricted will not be. Example: Opened and then emailed or screen printed for use outside of the consent directive purpose.
INFASO	access and save only	Definition: Consent to access and save only, which entails that access to the saved copy will remain locked.
IRDSCL	information redisclosure	Definition: Information re-disclosed without the patient's consent.
RESEARCH	research information access	Definition: Consent to have healthcare information in an electronic health record accessed for research purposes.
RSDID	de-identified information access	Definition: Consent to have de-identified healthcare information in an electronic health record that is accessed for research purposes, but without consent to re-identify the information under any circumstance.
RSREID	re-identifiable information access	Definition: Consent to have de-identified healthcare information in an electronic health record that is accessed for research purposes re-identified under specific circumstances outlined in the consent. Example:: Where there is a need to inform the subject of potential health issues.
EMRGONLY	emergency only	This general consent directive specifically limits disclosure of health information for purpose of emergency treatment. Additional parameters may further limit the disclosure to specific users, roles, duration, types of information, and impose uses obligations. Definition: Opt-in to disclosure of health information for emergency only consent directive.
GRANTORCHOICE	grantor choice	A grantor's terms of agreement to which a grantee may assent or dissent, and which may include an opportunity for a grantee to request restrictions or extensions. Comment: A grantor typically is able to stipulate preferred terms of agreement when the grantor has control over the topic of the agreement, which a grantee must accept in full or may be offered an opportunity to extend or restrict certain terms. Usage Note: If the grantor's term of agreement must be accepted in full, then this is considered "basic consent". If a grantee is offered an opportunity to extend or restrict certain terms, then the agreement is considered "granular consent". Examples: Healthcare: A PHR account holder [grantor] may require any PHR user [grantee] to accept the terms of agreement in full, or may permit a PHR user to extend or restrict terms selected by the account holder or requested by the PHR user. Non-healthcare: The owner of a resource server [grantor] may require any authorization server [grantee] to meet authorization requirements stipulated in the grantor's terms of agreement.
IMPLIED	implied consent	A grantor's presumed assent to the grantee's terms of agreement is based on the grantor's behavior, which may result from not expressly assenting to the consent directive offered, or from having no right to assent or dissent offered by the grantee. Comment: Implied or "implicit" consent occurs when the behavior of the grantor is understood by a reasonable person to signal agreement to the grantee's terms. Usage Note: Implied consent with no opportunity to assent or dissent to certain terms is considered "basic consent". Examples: Healthcare: A patient schedules an appointment with a provider, and either does not take the opportunity to expressly assent or dissent to the provider's consent directive, does not have an opportunity to do so, as in the case where emergency care is required, or simply behaves as though the patient [grantor] agrees to the rights granted to the provider [grantee] in an implicit consent directive. An injured and unconscious patient is deemed to have assented to emergency treatment by those permitted to do so under jurisdictional laws, e.g., Good Samaritan laws. Non-healthcare: Upon receiving a driver's license, the driver is deemed to have assented without explicitly consenting to undergoing field sobriety tests. A corporation that does business in a foreign nation is deemed to have deemed to have assented without explicitly consenting to abide by that nation's laws.
IMPLIEDD	implied consent with opportunity to dissent	A grantor's presumed assent to the grantee's terms of agreement, which is based on the grantor's behavior, and includes a right to dissent to certain terms. Comment: A grantor assenting to the grantee's terms of agreement may or may not exercise a right to dissent to grantor selected terms or to grantee's selected terms to which a grantor may dissent. Usage Note: Implied or "implicit" consent with an "opportunity to dissent" occurs when the grantor's behavior is understood by a reasonable person to signal assent to the grantee's terms of agreement whether the grantor requests or the grantee approves further restrictions, is considered "granular consent". Examples: Healthcare Examples: A healthcare provider deems a patient's assent to disclosure of health information to family members and friends, but offers an opportunity or permits the patient to dissent to such disclosures. A health information exchanges deems a patient to have assented to disclosure of health information for treatment purposes, but offers the patient an opportunity to dissents to disclosure to particular provider organizations. Non-healthcare Examples: A bank deems a banking customer's assent to specified collection, access, use, or disclosure of financial information as a requirement of holding a bank account, but provides the user an opportunity to limit third-party collection, access, use or disclosure of that information for marketing purposes.
NOCONSENT	no consent	No notification or opportunity is provided for a grantor to assent or dissent to a grantee's terms of agreement. Comment: A "No Consent" policy scheme provides no opportunity for accommodation of an individual's preferences, and may not comply with Fair Information Practice Principles [FIPP] by enabling the data subject to object, access collected information, correct errors, or have accounting of disclosures. Usage Note: The grantee's terms of agreement, may be available to the grantor by reviewing the grantee's privacy policies, but there is no notice by which a grantor is apprised of the policy directly or able to acknowledge. Examples: Healthcare: Without notification or an opportunity to assent or dissent, a patient's health information is automatically included in and available (often according to certain rules) through a health information exchange. Note that this differs from implied consent, where the patient is assumed to have consented. Without notification or an opportunity to assent or dissent, a patient's health information is collected, accessed, used, or disclosed for research, public health, security, fraud prevention, court order, or law enforcement. Non-healthcare: Without notification or an opportunity to assent or dissent, a consumer's healthcare or non-healthcare internet searches are aggregated for secondary uses such as behavioral tracking and profiling. Without notification or an opportunity to assent or dissent, a consumer's location and activities in a shopping mall are tracked by RFID tags on purchased items.
NOPP	notice of privacy practices	Acknowledgement of custodian notice of privacy practices. Usage Notes: This type of consent directive acknowledges a custodian's notice of privacy practices including its permitted collection, access, use and disclosure of health information to users and for purposes of use specified.
OPTIN	opt-in	A grantor's assent to the terms of an agreement offered by a grantee without an opportunity for to dissent to any terms. Comment: Acceptance of a grantee's terms pertaining, for example, to permissible activities, purposes of use, handling caveats, expiry date, and revocation policies. Usage Note: Opt-in with no opportunity for a grantor to restrict certain permissions sought by the grantee is considered "basic consent". Examples: Healthcare: A patient [grantor] signs a provider's [grantee's] consent directive form, which lists permissible collection, access, use, or disclosure activities, purposes of use, handling caveats, and revocation policies. Non-healthcare: An employee [grantor] signs an employer's [grantee's] non-disclosure and non-compete agreement.
OPTINR	opt-in with restrictions	A grantor's assent to the grantee's terms of an agreement with an opportunity for to dissent to certain grantor or grantee selected terms. Comment: A grantor dissenting to the grantee's terms of agreement may or may not exercise a right to assent to grantor's pre-approved restrictions or to grantee's selected terms to which a grantor may dissent. Usage Note: Opt-in with restrictions is considered "granular consent" because the grantor has an opportunity to narrow the permissions sought by the grantee. Examples: Healthcare: A patient assent to grantee's consent directive terms for collection, access, use, or disclosure of health information, and dissents to disclosure to certain recipients as allowed by the provider's pre-approved restriction list. Non-Healthcare: A cell phone user assents to the cell phone's privacy practices and terms of use, but dissents from location tracking by turning off the cell phone's tracking capability.
OPTOUT	op-out	A grantor's dissent to the terms of agreement offered by a grantee without an opportunity for to assent to any terms. Comment: Rejection of a grantee's terms of agreement pertaining, for example, to permissible activities, purposes of use, handling caveats, expiry date, and revocation policies. Usage Note: Opt-out with no opportunity for a grantor to permit certain permissions sought by the grantee is considered "basic consent". Examples: Healthcare: A patient [grantor] declines to sign a provider's [grantee's] consent directive form, which lists permissible collection, access, use, or disclosure activities, purposes of use, handling caveats, revocation policies, and consequences of not assenting. Non-healthcare: An employee [grantor] refuses to sign an employer's [grantee's] agreement not to join unions or participate in a strike where state law protects employee's collective bargaining rights. A citizen [grantor] refuses to enroll in mandatory government [grantee] health insurance based on religious beliefs, which is an exemption.
OPTOUTE	opt-out with exceptions	A grantor's dissent to the grantee's terms of agreement except for certain grantor or grantee selected terms. Comment: A rejection of a grantee's terms of agreement while assenting to certain permissions sought by the grantee or requesting approval of additional grantor terms. Usage Note: Opt-out with exceptions is considered a "granular consent" because the grantor has an opportunity to accept certain permissions sought by the grantee or request additional grantor terms, while rejecting other grantee terms. Examples: Healthcare: A patient [grantor] dissents to a health information exchange consent directive with the exception of disclosure based on a limited "time to live" shared secret [e.g., a token or password], which the patient can give to a provider when seeking care. Non-healthcare: A social media user [grantor] dissents from public access to their account, but assents to access to a circle of friends.
_ActUSPrivacyLaw	_ActUSPrivacyLaw	Definition: A jurisdictional mandate in the U.S. relating to privacy. Usage Note: ActPrivacyLaw codes may be associated with an Act or a Role to indicate the legal provision to which the assignment of an Act.confidentialityCode or Role.confidentialtyCode complies. May be used to further specify rationale for assignment of other ActPrivacyPolicy codes in the US realm, e.g., ETH and 42CFRPart2 can be differentiated from ETH and Title38Part1.
42CFRPart2	42 CFR Part2	42 CFR Part 2 stipulates the right of an individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program. Definition: Non-disclosure of health information relating to health care paid for by a federally assisted substance abuse program without patient consent. Usage Note: May be associated with an Act or a Role to indicate the legal provision to which the assignment of an Act.confidentialityCode or Role.confidentialityCode complies.
CommonRule	Common Rule	U.S. Federal regulations governing the protection of human subjects in research (codified at Subpart A of 45 CFR part 46) that has been adopted by 15 U.S. Federal departments and agencies in an effort to promote uniformity, understanding, and compliance with human subject protections. Existing regulations governing the protection of human subjects in Food and Drug Administration (FDA)-regulated research (21 CFR parts 50, 56, 312, and 812) are separate from the Common Rule but include similar requirements. Definition: U.S. federal laws governing research-related privacy policies. Usage Note: May be associated with an Act or a Role to indicate the legal provision to which the assignment of an Act.confidentialityCode or Role.confidentialtyCode complies.
HIPAANOPP	HIPAA notice of privacy practices	The U.S. Public Law 104-191 Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR Part 164 Subpart E) permits access, use and disclosure of certain personal health information (PHI as defined under the law) for purposes of Treatment, Payment, and Operations, and requires that the provider ask that patients acknowledge the Provider's Notice of Privacy Practices as permitted conduct under the law. Definition: Notification of HIPAA Privacy Practices. Usage Note: May be associated with an Act or a Role to indicate the legal provision to which the assignment of an Act.confidentialityCode or Role.confidentialtyCode complies.
HIPAAPsyNotes	HIPAA psychotherapy notes	The U.S. Public Law 104-191 Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR Part 164 Section 164.508) requires authorization for certain uses and disclosure of psychotherapy notes. Definition: Authorization that must be obtained for disclosure of psychotherapy notes. Usage Note: May be associated with an Act or a Role to indicate the legal provision to which the assignment of an Act.confidentialityCode or Role.confidentialityCode complies.
HIPAASelfPay	HIPAA self-pay	Section 13405(a) of the Health Information Technology for Economic and Clinical Health Act (HITECH) stipulates the right of an individual to have disclosures regarding certain health care items or services for which the individual pays out of pocket in full restricted from a health plan. Definition: Non-disclosure of health information to a health plan relating to health care items or services for which an individual pays out of pocket in full. Usage Note: May be associated with an Act or a Role to indicate the legal provision to which the assignment of an Act.confidentialityCode or Role.confidentialityCode complies.
Title38Section7332	Title 38 Section 7332	Title 38 Part 1-protected information may only be disclosed to a third party with the special written consent of the patient except where expressly authorized by 38 USC 7332. VA may disclose this information for specific purposes to: VA employees on a need to know basis - more restrictive than Privacy Act need to know; contractors who need the information in order to perform or fulfil the duties of the contract; and researchers who provide assurances that the information will not be identified in any report. This information may also be disclosed without consent where patient lacks decision-making capacity; in a medical emergency for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention; for eye, tissue, or organ donation purposes; and disclosure of HIV information for public health purposes. Definition: Title 38 Part 1 - Section 1.462 Confidentiality restrictions. (a) General. The patient records to which Sections 1.460 through 1.499 of this part apply may be disclosed or used only as permitted by these regulations and may not otherwise be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any Federal, State, or local authority. Any disclosure made under these regulations must be limited to that information which is necessary to carry out the purpose of the disclosure. SUBCHAPTER III--PROTECTION OF PATIENT RIGHTS Sec. 7332. Confidentiality of certain medical records (a)(1) Records of the identity, diagnosis, prognosis, or treatment of any patient or subject which are maintained in connection with the performance of any program or activity (including education, training, treatment, rehabilitation, or research) relating to drug abuse, alcoholism or alcohol abuse, infection with the human immunodeficiency virus, or sickle cell anemia which is carried out by or for the Department under this title shall, except as provided in subsections (e) and (f), be confidential, and (section 5701 of this title to the contrary notwithstanding) such records may be disclosed only for the purposes and under the circumstances expressly authorized under subsection (b). Usage Note: May be associated with an Act or a Role to indicate the legal provision to which the assignment of an Act.confidentialityCode or Role.confidentialityCode complies.
GDPRCD	GDPR Consent Directive
GDPRResearchCD	GDPR Research Consent Directive
OIC	opt-in to personal information or effect collection in a registry or repository
OIS	opt-in to personal information or effect sharing via a registry or repository
OOC	opt-out of personal information or effect collection in a registry or repository
OOS	opt-out of personal information or effect sharing via a registry or repository
42CFRPart2CD	42 CFR Part 2 consent directive
CompoundResearchCD	Compound HIPAA Research Authorization and Informed Consent for Research
HIPAAAuthCD	HIPAA Authorization Consent Directive
HIPAAConsentCD	HIPAA Consent Directive
HIPAAResearchAuthCD	HIPAA Authorization for Disclosure for Research Consent Directive
HIPAAROAD	HIPAA Right of Access Directive
InformedAssentCD	Informed Assent for Research
InformedConsentCD	Informed Consent for Research
MDHHS-5515	Michigan Consent to Share Behavioral Health Information for Care Coordination Purposes
MDHHS-5515MMHC	Michigan Consent to Share Behavioral Health Information for Care Coordination Purposes-Michigan Mental Health Code
MDHHS-5515Part2	Michigan Consent to Share Behavioral Health Information for Care Coordination Purposes-US 42 CFR Part 2
JurisIP	jurisdictional information policy
JurisCUI	jurisdictional controlled unclassified information policy
JurisDEID	jurisdictional de-identified information poli
JurisLDS	jurisdictional limited data set
JurisNSI	jurisdictional non-sensitive information policy
JurisPI	jurisdictional public information policy
JurisSP-CUI	jurisdictional specified controlled unclassified information policy
JurisUUI	jurisdictional uncontrolled unclassified information policy
OrgIP	organizational information policy
OrgCUI	organizational basic controlled unclassified information policy
OrgDEID	organizational de-identified information policy
OrgLDS	organizational limited data set information policy
OrgNSI	organizational non-sensitive information policy
OrgPI	organizational public information policy
OrgSP-CUI	Organizational policy on collection, access, use, or disclosure of specified controlled unclassified information as defined by the organization or by applicable jurisdictional law.
OrgUUI	organizational uncontrolled unclassified information policy
PersIP	personal information policy
PersDEID	personal de-identified information policy
PersLDS	personal limited data set information policy
PersNSI	personal non-sensitive information policy
PersPI	personal public information policy
GDPRCONSENT	GDPR consent
GDPRCONTRACT	GDPR contract
GDPRLEGALCLAIM	GDPR legal claim
GDPRLEGALOBL	GDPR legal obligation
GDPRLEGITINTEREST	GDPR legitimate interest
GDPRPUBLICHEALTH	GDPR public health
GDPRPUBLICINTEREST	GDPR public interest
GDPRRESEARCH	GDPR research
GDPRHTHSOCSYS	GDPR health or social system management
GDPRVITALINTEREST	GDPR vital interest
32CFRPart2002	32 CFR Part 2002
HIPAAAuth	HIPAA Authorization for Disclosure
HIPAAConsent	HIPAA Consent
HIPAAROA	HIPAA Right of Access

Explanation of the columns that may appear on this page:

Level

A few code lists that FHIR defines are hierarchical - each code is assigned a level. In this scheme, some codes are under other codes, and imply that the code they are under also applies

Source

The source of the definition of the code (when the value set draws in codes defined elsewhere)

Code

The code (used as the code in the resource instance)

Display

The display (used in the display element of a Coding). If there is no display, implementers should not simply display the code, but map the concept into their application

Definition

An explanation of the meaning of the concept

Comments

Additional notes about how to use the code