Release 5 Preview #1

This page is part of the FHIR Specification (v4.2.0: R5 Preview #1). The current version, which supersedes this version, is 5.0.0. For a full list of available versions, see the Directory of published versions. Page versions: R4 R3

V3-ConfidentialityClassification.xml

Vocabulary Work Group | Maturity Level: N/A | Standards Status: Informative

Raw XML (canonical form + also see XML Format Specification)

Set of codes used to value Act.Confidentiality and Role.Confidentiality attribute in accordance with the definition for concept domain "Confidentiality".

<?xml version="1.0" encoding="UTF-8"?>

<ValueSet xmlns="http://hl7.org/fhir">
  <id value="v3-ConfidentialityClassification"/> 
  <meta> 
    <lastUpdated value="2019-12-31T21:03:40.621+11:00"/> 
    <profile value="http://hl7.org/fhir/StructureDefinition/shareablevalueset"/> 
  </meta> 
  <text> 
    <status value="generated"/> 
    <div xmlns="http://www.w3.org/1999/xhtml">
      <h2> V3 Value SetConfidentialityClassification</h2> 
      <div> 
        <p> Set of codes used to value Act.Confidentiality and Role.Confidentiality attribute in accordance
             with the definition for concept domain &quot;Confidentiality&quot;.</p> 

      </div> 
      <p> This value set includes codes from the following code systems:</p> 
      <ul> 
        <li> Include these codes as defined in 
          <a href="../../v3/Confidentiality/cs.html">
            <code> http://terminology.hl7.org/CodeSystem/v3-Confidentiality</code> 
          </a> 
          <table class="none">
            <tr> 
              <td style="white-space:nowrap">
                <b> Code</b> 
              </td> 
              <td> 
                <b> Display</b> 
              </td> 
            </tr> 
            <tr> 
              <td> 
                <a href="../../v3/Confidentiality/cs.html#v3-Confidentiality-U">U</a> 
              </td> 
              <td> unrestricted</td> 
              <td> Privacy metadata indicating that no level of protection is required to safeguard personal
                   and healthcare information that has been disclosed by an authorized individual without
                   restrictions on its use.
                <br/>  
                        
                           Examples: Includes publicly available information e.g., business
                   name, phone, email and physical address.
                <br/>  
                        
                           Usage Note: The authorization to collect, access, use, and
                   disclose this information may be stipulated in a contract of adhesion by a data user (e.g.,
                   via terms of service or data user privacy policies) in exchange for the data subject's
                   use of a service.
                <br/>  
                        This metadata indicates that the receiver has no obligation to
                   consider privacy policies other than its own when making access control decisions.
                <br/>  
                        Confidentiality code total order hierarchy: Unrestricted (U) is
                   less protective than V, R, N, M, and L, and is the lowest protection level.
              </td> 
            </tr> 
            <tr> 
              <td> 
                <a href="../../v3/Confidentiality/cs.html#v3-Confidentiality-L">L</a> 
              </td> 
              <td> low</td> 
              <td> Privacy metadata indicating that a low level of protection is required to safeguard personal
                   and healthcare information, which has been altered in such a way as to minimize the need
                   for confidentiality protections with some residual risks associated with re-linking. The
                   risk of harm to an individual's reputation and sense of privacy if disclosed without authorization
                   is considered negligible, and mitigations are in place to address reidentification risk.
                <br/>  
                        
                           Usage Note: 
                        
                <br/>  The level of protection afforded anonymized and pseudonymized, and non-personally identifiable
                   information (e.g., a limited data set) is dictated by privacy policies and data use agreements
                   intended to engender trust that health information can be used and disclosed with little
                   or no risk of re-identification.
                           Example: Personal and healthcare information, which excludes
                   16 designated categories of direct identifiers in a HIPAA Limited Data Set. This information
                   may be disclosed by HIPAA Covered Entities without patient authorization for research,
                   public health, and operations purposes if conditions are met, which includes obtaining
                   a signed data use agreement from the recipient. See 45 CFR Section 164.514.
                <br/>  
                        This metadata indicates that the receiver may have an obligation
                   to comply with a data use agreement with the discloser. The discloser may have obligations
                   to comply with policies dictating the methods for de-identification.
                <br/>  
                        Confidentiality code total order hierarchy: Low (L) is less protective
                   than V, R, N, and M, and subsumes U.
              </td> 
            </tr> 
            <tr> 
              <td> 
                <a href="../../v3/Confidentiality/cs.html#v3-Confidentiality-M">M</a> 
              </td> 
              <td> moderate</td> 
              <td> Privacy metadata indicating the level of protection required to safeguard personal and
                   healthcare information, which if disclosed without authorization, would present a moderate
                   risk of harm to an individual's reputation and sense of privacy.
                <br/>  
                        
                           Usage Note: The level of protection afforded moderately confidential
                   information is dictated by privacy policies intended to engender trust in a service provider.
                   May include publicly available information in jurisdictions that restrict uses of that
                   information without the consent of the data subject.
                <br/>  
                        Privacy policies mandating moderate levels of protection, which
                   preempt less protective privacy policies. &quot;Moderate&quot; confidentiality policies
                   differ from and would be preempted by the prevailing privacy policies mandating the normative
                   level of protection for information used in the delivery and management of healthcare.
                <br/>  
                        Confidentiality code total order hierarchy: Moderate (M) is less
                   protective than V, R, and N, and subsumes all other protection levels (i.e., L and U).
                <br/>  
                        
                           Examples: Includes personal and health information that an
                   individual authorizes to be collected, accessed, used or disclosed to a bank for a health
                   credit card or savings account; to health oversight authorities; to a hospital patient
                   directory; to worker compensation, disability, property and casualty or life insurers;
                   and to personal health record systems, consumer-controlled devices, social media accounts
                   and online Apps; or for marketing purposes
              </td> 
            </tr> 
            <tr> 
              <td> 
                <a href="../../v3/Confidentiality/cs.html#v3-Confidentiality-N">N</a> 
              </td> 
              <td> normal</td> 
              <td> Privacy metadata indicating the level of protection required to safeguard personal and
                   healthcare information, which if disclosed without authorization, would present a considerable
                   risk of harm to an individual's reputation and sense of privacy.
                <br/>  
                        
                           Usage Note: The level of protection afforded normatively confidential
                   information is dictated by the prevailing normative privacy policies, which are intended
                   to engender patient trust in their healthcare providers.
                <br/>  
                        Privacy policies mandating normative levels of protection, which
                   preempt less protective privacy policies when the information is used in the delivery
                   and management of healthcare. May be pre-empted by jurisdictional law (e.g., for public
                   health reporting or emergency treatment).
                <br/>  
                        Confidentiality code total order hierarchy: Normal (N) is less
                   protective than V and R, and subsumes all other protection levels (i.e., M, L, and U).
                <br/>  
                        
                           Map: Partial Map to ISO 13606-4 Sensitivity Level (3) Clinical
                   Care when purpose of use is treatment: Default for normal clinical care access (i.e.,
                   most clinical staff directly caring for the patient should be able to access nearly all
                   of the EHR). Maps to normal confidentiality for treatment information but not to ancillary
                   care, payment and operations. 
                <br/>  
                        
                           Examples: 
                        
                <br/>  In the US, this includes what HIPAA identifies as protected health information (PHI) under
                   45 CFR Section 160.103.
              </td> 
            </tr> 
            <tr> 
              <td> 
                <a href="../../v3/Confidentiality/cs.html#v3-Confidentiality-R">R</a> 
              </td> 
              <td> restricted</td> 
              <td> Privacy metadata indicating the level of protection required to safeguard potentially
                   stigmatizing information, which if disclosed without authorization, would present a high
                   risk of harm to an individual's reputation and sense of privacy.
                <br/>  
                        
                           Usage Note: The level of protection afforded restricted confidential
                   information is dictated by specially protective organizational or jurisdictional privacy
                   policies, including at an authorized individual’s request, intended to engender patient
                   trust in providers of sensitive services.
                <br/>  
                        Privacy policies mandating additional levels of protection by
                   restricting information access preempt less protective privacy policies when the information
                   is used in the delivery and management of healthcare. May be pre-empted by jurisdictional
                   law (e.g., for public health reporting or emergency treatment).
                <br/>  
                        Confidentiality code total order hierarchy: Restricted (R) is
                   less protective than V, and subsumes all other protection levels (i.e., N, M, L, and U).
                <br/>  
                        
                           Examples: 
                        
                <br/>  Includes information that is additionally protected such as sensitive conditions, e.g., mental
                   health, HIV, substance abuse, domestic violence, child abuse, genetic disease, and reproductive
                   health; or sensitive demographic information such as a patient’s standing as an employee
                   or a celebrity. May be used to indicate proprietary or classified information that is
                   not related to an individual (e.g., secret ingredients in a therapeutic substance; or
                   the name of a manufacturer).
              </td> 
            </tr> 
            <tr> 
              <td> 
                <a href="../../v3/Confidentiality/cs.html#v3-Confidentiality-V">V</a> 
              </td> 
              <td> very restricted</td> 
              <td> Privacy metadata indicating the level of protection required under atypical circumstances
                   to safeguard potentially damaging or harmful information, which if disclosed without authorization,
                   would (1) present an extremely high risk of harm to an individual's reputation, sense
                   of privacy, and possibly safety; or (2) impact an individual's or organization's legal
                   matters.
                <br/>  
                        
                           Usage Note: The level of protection afforded very restricted
                   confidential information is dictated by specially protective privacy or legal policies
                   intended to ensure that under atypical circumstances additional protections limit access
                   to only those with a high 'need to know' and the information is kept in highest confidence.
                <br/>  
                        Privacy and legal policies mandating the highest level of protection
                   by stringently restricting information access, preempt less protective privacy policies
                   when the information is used in the delivery and management of healthcare including legal
                   proceedings related to healthcare. May be pre-empted by jurisdictional law (e.g., for
                   public health reporting or emergency treatment but only under limited circumstances).
                <br/>  
                        Confidentiality code total order hierarchy: Very Restricted (V)
                   is the highest protection level and subsumes all other protection levels (i.e., R, N,
                   M, L, and U).
                <br/>  
                        
                           Examples: 
                        
                <br/>  Includes information about a victim of abuse, patient requested information sensitivity,
                   and taboo subjects relating to health status that must be discussed with the patient by
                   an attending provider before sharing with the patient. May also include information held
                   under a legal hold or attorney-client privilege.
              </td> 
            </tr> 
          </table> 
        </li> 
      </ul> 
    </div> 
  </text> 
  <extension url="http://hl7.org/fhir/StructureDefinition/structuredefinition-standards-status">
    <valueCode value="trial-use"/> 
  </extension> 
  <extension url="http://hl7.org/fhir/StructureDefinition/structuredefinition-fmm">
    <valueInteger value="2"/> 
  </extension> 
  <extension url="http://hl7.org/fhir/StructureDefinition/structuredefinition-wg">
    <valueCode value="sd"/> 
  </extension> 
  <url value="http://terminology.hl7.org/ValueSet/v3-ConfidentialityClassification"/> 
  <identifier> 
    <system value="urn:ietf:rfc:3986"/> 
    <value value="urn:oid:2.16.840.1.113883.1.11.10228"/> 
  </identifier> 
  <version value="2014-03-26"/> 
  <name value="v3.ConfidentialityClassification"/> 
  <title value="V3 Value SetConfidentialityClassification"/> 
  <status value="active"/> 
  <experimental value="false"/> 
  <publisher value="HL7 v3"/> 
  <contact> 
    <telecom> 
      <system value="url"/> 
      <value value="http://www.hl7.org"/> 
    </telecom> 
  </contact> 
  <description value=" Set of codes used to value Act.Confidentiality and Role.Confidentiality attribute in
     accordance with the definition for concept domain &quot;Confidentiality&quot;."/> 
  <immutable value="true"/> 
  <compose> 
    <include> 
      <system value="http://terminology.hl7.org/CodeSystem/v3-Confidentiality"/> 
      <concept> 
        <code value="U"/> 
      </concept> 
      <concept> 
        <code value="L"/> 
      </concept> 
      <concept> 
        <code value="M"/> 
      </concept> 
      <concept> 
        <code value="N"/> 
      </concept> 
      <concept> 
        <code value="R"/> 
      </concept> 
      <concept> 
        <code value="V"/> 
      </concept> 
    </include> 
  </compose> 
</ValueSet> 

Usage note: every effort has been made to ensure that the examples are correct and useful, but they are not a normative part of the specification.