CodeSystem Comparison between http://terminology.hl7.org/CodeSystem/v2-0717 vs http://terminology.hl7.org/CodeSystem/v2-0717

Messages

Metadata

Name | Value | Comments
caseSensitive | true |
compositional | false |
content | complete |
copyright | Copyright HL7. Licensed under creative commons public domain |
date | 2019-12-01 |
description | Code system of concepts specifying the information to which access is restricted. Used in HL7 Version 2.x messaging in the ARV segment. Note that these new codes as of November 2018 have been temporarily loaded into this V2 code system pending availability of the currently unavailable new tooling, at which time this code system will be retired and a value set of codes from the HL7 V3 ActCode code system will be used instead for this table. |
experimental | false |
hierarchyMeaning | is-a |
jurisdiction | |
name | AccessRestrictionValue |
publisher | HL7, Inc |
purpose | Underlying Master Code System for V2 table 0717 (Access Restriction Value) |
status | active |
title | accessRestrictionValue |
url | http://terminology.hl7.org/CodeSystem/v2-0717 |
version | 2.2.0 |
versionNeeded | false |

Concepts

The left and right code systems in this comparison are the same resource, so every property value is identical on both sides and is shown once below.

Code | Display | status | deprecated | v2-concComment | Comments
PersDEID | personal de-identified information policy | A | | |
ALL | All | D | | This code is for backwards compatibility only as of v2.9. If any of 1..* ARV-4 sensitivity codes (Table 0179) apply to the entire message, then ERL is not populated. This emulates the current Table 0717 code “ALL”. |
DEM | All demographic data | D | | This code has been replaced by the v3 concept “DEMO” as of v2.9. Since this is describing a sensitivity, it will be sent in ARV-4. |
LOC | Patient Location | D | | This code has been replaced by the v3 concept “PATLOC” as of v2.9. Since this is describing a sensitivity, it will be sent in ARV-4. |
PID-7 | Date of Birth | D | | This code has been replaced by the v3 concept “DOB” as of v2.9. Since this is describing a sensitivity, it will be sent in ARV-4. |
PID-17 | Religion | D | | This code has been replaced by the v3 concept “REL” as of v2.9. Since this is describing a sensitivity, it will be sent in ARV-4. |
HIV | HIV status and results | D | | This code has been replaced by the v3 concept “HIV” as of v2.9. Since this is describing a sensitivity, it will be sent in ARV-4. |
STD | Sexually transmitted diseases | D | | This code has been replaced by the v3 concept “STD” as of v2.9. Since this is describing a sensitivity, it will be sent in ARV-4. |
PSY | Psychiatric Mental health | D | | This code has been replaced by the v3 concept “SPI” as of v2.9. Since this is describing a sensitivity, it will be sent in ARV-4. |
DRG | Drug | D | | This code has been replaced by the v3 concept “DRGIS” as of v2.9. Since this is describing a sensitivity, it will be sent in ARV-4. |
SMD | Sensitive medical data | D | | This code has been replaced by several more granular concepts from the v3 ActCode_ActPrivacyPolicy_InformationSensitivityPolicy codes, e.g., DIA (diagnosis information sensitivity) and PRS (patient requested information sensitivity), as of v2.9. Since this is describing a sensitivity, it will be sent in ARV-4. |
NO | None | D | | This code is for backwards compatibility only as of v2.9. If there are no restrictions, don’t send an ARV segment at all. If sent, ARV-3 is a required element however. To emulate 0717 “NONE”, populate ARV-3 with a code from the new ActCode_ActPolicyType__ActInformationPolicy set such as OrgNSI (organizational non-sensitive information policy) or PersNSI (personal non-sensitive information policy). Don’t populate ARV-7. E.g., a device record that is not sensitive. If you have a situation where ARV-4 is valued, as required by, e.g., an organizational policy related to disclosure of a VIP’s health status or location at a facility, and the VIP has authorized disclosure as public information, one may use OrgPI (organizational public information policy: organizational policy on collection, access, use, or disclosure of public information as defined by the organization or governing jurisdiction) to value ARV-3, indicating that the policy permits the disclosure of VIP-sensitive information as coded in ARV-4. |
OO | Opt out all registries (HIPAA) | D | | Map to a similar code in the new ActCode_ActPolicyType_ActConsent_ActPrivacyConsentDirective_RegistryConsentDirective set, which is any of: OPTOUT, OPTOUTE, OOC, OOS. |
OI | Opt in all registries (HIPAA) | D | | Map to a similar code in the new ActCode_ActPolicyType_ActConsent_ActPrivacyConsentDirective_RegistryConsentDirective set, which is any of: OPTIN, OPTINR, OIC, OIS. |
JurisIP | jurisdictional information policy | N | | |
JurisCUI | jurisdictional controlled unclassified information policy | N | | |
JurisDEID | jurisdictional de-identified information policy | N | | |
JurisLDS | jurisdictional limited data set | N | | |
JurisNSI | jurisdictional non-sensitive information policy | N | | |
JurisPI | jurisdictional public information policy | N | | |
JurisSP-CUI | jurisdictional specified controlled unclassified information policy | N | | |
JurisUUI | jurisdictional uncontrolled unclassified information policy | N | | |
OrgIP | organizational information policy | N | | |
OrgCUI | organizational basic controlled unclassified information policy | N | | |
OrgDEID | organizational de-identified information policy | N | | |
OrgLDS | organizational limited data set information policy | N | | |
OrgNSI | organizational non-sensitive information policy | N | | |
OrgPI | organizational public information policy | N | | |
OrgSP-CUI | organizational specified controlled unclassified information policy | N | | |
OrgUUI | organizational uncontrolled unclassified information policy | N | | |
PersIP | personal information policy | N | | |
PersNSI | personal non-sensitive information policy | N | | |
PersLDS | personal limited data set information policy | N | | |
PersPI | personal public information policy | N | | |
GRANTORCHOICE | grantor choice | N | | If the grantor's terms of agreement must be accepted in full, then this is considered "basic consent". If a grantee is offered an opportunity to extend or restrict certain terms, then the agreement is considered "granular consent". Examples: (1) Healthcare: A PHR account holder [grantor] may require any PHR user [grantee] to accept the terms of agreement in full, or may permit a PHR user to extend or restrict terms selected by the account holder or requested by the PHR user. (2) Non-healthcare: The owner of a resource server [grantor] may require any authorization server [grantee] to meet authorization requirements stipulated in the grantor's terms of agreement. |
IMPLIED | implied consent | N | | Implied consent with no opportunity to assent or dissent to certain terms is considered "basic consent". Examples: (1) Healthcare: (a) A patient schedules an appointment with a provider, and either does not take the opportunity to expressly assent or dissent to the provider's consent directive, does not have an opportunity to do so, as in the case where emergency care is required, or simply behaves as though the patient [grantor] agrees to the rights granted to the provider [grantee] in an implicit consent directive. (b) An injured and unconscious patient is deemed to have assented to emergency treatment by those permitted to do so under jurisdictional laws, e.g., Good Samaritan laws. (2) Non-healthcare: (a) Upon receiving a driver's license, the driver is deemed to have assented without explicitly consenting to undergoing field sobriety tests. (b) A corporation that does business in a foreign nation is deemed to have assented without explicitly consenting to abide by that nation's laws. |
IMPLIEDD | implied consent with opportunity to dissent | N | | Implied or "implicit" consent with an "opportunity to dissent" occurs when the grantor's behavior is understood by a reasonable person to signal assent to the grantee's terms of agreement; whether the grantor requests or the grantee approves further restrictions, it is considered "granular consent". Examples: (1) Healthcare: (a) A healthcare provider deems a patient's assent to disclosure of health information to family members and friends, but offers an opportunity or permits the patient to dissent to such disclosures. (b) A health information exchange deems a patient to have assented to disclosure of health information for treatment purposes, but offers the patient an opportunity to dissent to disclosure to particular provider organizations. (2) Non-healthcare: A bank deems a banking customer's assent to specified collection, access, use, or disclosure of financial information as a requirement of holding a bank account, but provides the user an opportunity to limit third-party collection, access, use or disclosure of that information for marketing purposes. |
NOCONSENT | no consent | N | | The grantee's terms of agreement may be available to the grantor by reviewing the grantee's privacy policies, but there is no notice by which a grantor is apprised of the policy directly or able to acknowledge it. Examples: (1) Healthcare: (a) Without notification or an opportunity to assent or dissent, a patient's health information is automatically included in and available (often according to certain rules) through a health information exchange. Note that this differs from implied consent, where the patient is assumed to have consented. (b) Without notification or an opportunity to assent or dissent, a patient's health information is collected, accessed, used, or disclosed for research, public health, security, fraud prevention, court order, or law enforcement. (2) Non-healthcare: (a) Without notification or an opportunity to assent or dissent, a consumer's healthcare or non-healthcare internet searches are aggregated for secondary uses such as behavioral tracking and profiling. (b) Without notification or an opportunity to assent or dissent, a consumer's location and activities in a shopping mall are tracked by RFID tags on purchased items. |
OPTIN | opt-in | N | | Opt-in with no opportunity for a grantor to restrict certain permissions sought by the grantee is considered "basic consent". Examples: (1) Healthcare: A patient [grantor] signs a provider's [grantee's] consent directive form, which lists permissible collection, access, use, or disclosure activities, purposes of use, handling caveats, and revocation policies. (2) Non-healthcare: An employee [grantor] signs an employer's [grantee's] non-disclosure and non-compete agreement. |
OPTINR | opt-in with restrictions | N | | Opt-in with restrictions is considered "granular consent" because the grantor has an opportunity to narrow the permissions sought by the grantee. Examples: (1) Healthcare: A patient assents to the grantee's consent directive terms for collection, access, use, or disclosure of health information, and dissents to disclosure to certain recipients as allowed by the provider's pre-approved restriction list. (2) Non-healthcare: A cell phone user assents to the cell phone's privacy practices and terms of use, but dissents from location tracking by turning off the cell phone's tracking capability. |
OPTOUT | opt-out | N | | Opt-out with no opportunity for a grantor to permit certain permissions sought by the grantee is considered "basic consent". Examples: (1) Healthcare: A patient [grantor] declines to sign a provider's [grantee's] consent directive form, which lists permissible collection, access, use, or disclosure activities, purposes of use, handling caveats, revocation policies, and consequences of not assenting. (2) Non-healthcare: (a) A patient [grantor] declines to sign a provider's [grantee's] consent directive form, which lists permissible collection, access, use, or disclosure activities, purposes of use, handling caveats, revocation policies, and consequences of not assenting. (b) A citizen [grantor] refuses to enroll in mandatory government [grantee] health insurance based on religious beliefs, which is an exemption. |
OPTOUTE | opt-out with exceptions | N | | Opt-out with exceptions is considered a "granular consent" because the grantor has an opportunity to accept certain permissions sought by the grantee or request additional grantor terms, while rejecting other grantee terms. Examples: (1) Healthcare: A patient [grantor] dissents to a health information exchange consent directive with the exception of disclosure based on a limited "time to live" shared secret [e.g., a token or password], which the patient can give to a provider when seeking care. (2) Non-healthcare: A social media user [grantor] dissents from public access to their account, but assents to access by a circle of friends. |
EMRGONLY | opt-in emergency only | N | | To specify the scope of an “EMRGONLY” consent directive within a policy domain, use one or more of the following Purpose of Use codes in the ActReason code system (OID 2.16.840.1.113883.5.8). ETREAT (Emergency Treatment): To perform one or more operations on information for provision of immediately needed health care for an emergent condition. BTG (break the glass): To perform policy override operations on information for provision of immediately needed health care for an emergent condition affecting potential harm, death or patient safety by end users who are not provisioned for this purpose of use. Includes override of organizational provisioning policies and may include override of a subject of care consent directive restricting access. ERTREAT (emergency room treatment): To perform one or more operations on information for provision of immediately needed health care for an emergent condition in an emergency room or similar emergent care context by end users provisioned for this purpose, which does not constitute a policy override such as in a "Break the Glass" purpose of use. THREAT (threat): To perform one or more operations on information used to prevent injury or disease to living subjects who may be the target of violence. DISASTER (disaster): To perform one or more operations on information used for provision of immediately needed health care to a population of living subjects located in a disaster zone. Map: An “emergency only” consent directive maps to ISO/TS 17975:2015(E) 5.13 Exceptional access. |
NOPP | notice of privacy practices | N | | Map: An “implied” consent directive maps to the ISO/TS 17975:2015(E) definition for “Implied: Consent to Collect, Use and Disclose personal health information is implied by the actions or inactions of the individual and the circumstances under which it was implied”. |
OOC | opt-out of personal information or effect collection in a registry or repository | N | | Useful when a more specific jurisdictional or organizational consent directive policy or form is not specified, available, or known, for example, where an individual wishes to opt out of access, use, or disclosure of some or all of the individual’s information by multiple registries and repositories. Map: An “expressed” opt-out of collection consent directive maps to the ISO/TS 17975:2015(E) definitions for “Express or Expressed: Consent to Collect, Use and Disclose personal health information is expressly given by the subject of care” and “Express or Expressed (and Informed) Denial”. |
OOS | opt-out of personal information or effect sharing via a registry or repository | N | | Useful when a more specific jurisdictional or organizational consent directive policy or form is not specified, available, or known, for example, where an individual wishes to opt out of access, use, or disclosure of some or all of the individual’s information by multiple registries and repositories. Map: An “expressed” opt-out of sharing consent directive maps to the ISO/TS 17975:2015(E) definitions for “Express or Expressed: Consent to Collect, Use and Disclose personal health information is expressly given by the subject of care” and “Express or Expressed (and Informed) Denial”. |
OIC | opt-in to personal information or effect collection in a registry or repository | N | | Useful when a more specific jurisdictional or organizational consent directive policy or form is not specified, available, or known, for example, where an individual wishes to opt in to collection of some or all of the individual’s information by multiple registries and repositories. Map: An “expressed” consent directive maps to the ISO/TS 17975:2015(E) definitions for “Express or Expressed: Consent to Collect, Use and Disclose personal health information is expressly given by the subject of care” and “Opt-in”. |
OIS | opt-in to personal information or effect sharing via a registry or repository | N | | Useful when a more specific jurisdictional or organizational consent directive policy or form is not specified, available, or known, for example, where an individual wishes to opt in to access, use, or disclosure of some or all of the individual’s information by multiple registries and repositories. Map: An “expressed” consent directive maps to the ISO/TS 17975:2015(E) definitions for “Express or Expressed: Consent to Collect, Use and Disclose personal health information is expressly given by the subject of care” and “Opt-in”. |
                                                                                                                                    .42CFRPart2CD42 CFR Part 2 consent directiveNNUsed to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by an individual’s 42 CFR Part 2.31 consent directive, “42CFRPart2CD” as the security label policy code. Since information governed by an individual’s 42 CFR Part 2.31 consent directive has a level of confidentiality protection that is more stringent than the normal level of protection under HIPAA 45 CFR Section 164.506 Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf, assign the HL7 Confidentiality code “R” (restricted).Used to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by an individual’s 42 CFR Part 2.31 consent directive, “42CFRPart2CD” as the security label policy code. Since information governed by an individual’s 42 CFR Part 2.31 consent directive has a level of confidentiality protection that is more stringent than the normal level of protection under HIPAA 45 CFR Section 164.506 Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf, assign the HL7 Confidentiality code “R” (restricted).
                                                                                                                                      .HIPAAAuthCDHIPAA Authorization Consent DirectiveNNUsed to indicate the legal authority for assigning security labels to HIPAA governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by a an individual’s HIPAA Authorization for Disclosure, use “HIPAAAuthCD” as the security label policy code. Information governed under a HIPAA Authorization for Disclosure has the level of confidentiality protection afforded under the 45 CFR Section 164.506 - Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf, which is considered the “norm”, assign the HL7 Confidentiality code “N” (normal).Used to indicate the legal authority for assigning security labels to HIPAA governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by a an individual’s HIPAA Authorization for Disclosure, use “HIPAAAuthCD” as the security label policy code. Information governed under a HIPAA Authorization for Disclosure has the level of confidentiality protection afforded under the 45 CFR Section 164.506 - Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf, which is considered the “norm”, assign the HL7 Confidentiality code “N” (normal).
                                                                                                                                        .HIPAAConsentCDHIPAA Consent DirectiveNNUsed to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by an individual’s consent directive under 45 CFR Section 164.522 use “HIPAAConsentCD” as the security label policy code. Since information governed by a 45 CFR Section 164.522 has a level of confidentiality protection that is more stringent than the normal level of protection under HIPAA 45 CFR Section 164.506 Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf, assign the HL7 Confidentiality code “R” (restricted).Used to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by an individual’s consent directive under 45 CFR Section 164.522 use “HIPAAConsentCD” as the security label policy code. Since information governed by a 45 CFR Section 164.522 has a level of confidentiality protection that is more stringent than the normal level of protection under HIPAA 45 CFR Section 164.506 Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf, assign the HL7 Confidentiality code “R” (restricted).
                                                                                                                                          .HIPAAROACDHIPAA Right of Access Consent DirectiveNN"Used to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by an individual’s right of access directive under 45 CFR Section 164.524 use “HIPAAROAD” as the security label policy code. Information disclosed under a HIPAA 42 CFR Section 164.524 no longer has the level of confidentiality protection afforded under the 45 CFR Section 164.506 - Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-508.pdf, which is considered the “norm”, assign the HL7 Confidentiality code “M” (moderate), which may be protected under other laws such as the Federal Trade Commission privacy and security regulations."Used to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by an individual’s right of access directive under 45 CFR Section 164.524 use “HIPAAROAD” as the security label policy code. Information disclosed under a HIPAA 42 CFR Section 164.524 no longer has the level of confidentiality protection afforded under the 45 CFR Section 164.506 - Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-508.pdf, which is considered the “norm”, assign the HL7 Confidentiality code “M” (moderate), which may be protected under other laws such as the Federal Trade Commission privacy and security regulations.
                                                                                                                                            .HIPAAResearchAuthCDHIPAA Authorization for Disclosure for Research Consent DirectiveNNUsed to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by an individual’s HIPAA Authorization for Disclosure for Research under 45 CFR Section 164.508 use “HIPAAResearchAuthCD” as the security label policy code. Information disclosed under an individual’s HIPAA Authorization for Disclosure for Research are not protected by the HIPAA Privacy Rule. If protected under other laws such as confidentiality provisions under the Common Rule, assign the HL7 Confidentiality code “M” (moderate). See ActCode._ActPolicyType._ActPrivacyPolicy._ActPrivacyLaw._ActUSPrivacyLaw.HIPAAAuth (HIPAA Authorization for Disclosure). See: HIPAAAuth and NIH Sample Authorization Language for Research Uses and Disclosures of Individually Identifiable Health Information by a Covered Health Care Provider https://privacyruleandresearch.nih.gov/authorization.aspUsed to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by an individual’s HIPAA Authorization for Disclosure for Research under 45 CFR Section 164.508 use “HIPAAResearchAuthCD” as the security label policy code. Information disclosed under an individual’s HIPAA Authorization for Disclosure for Research are not protected by the HIPAA Privacy Rule. If protected under other laws such as confidentiality provisions under the Common Rule, assign the HL7 Confidentiality code “M” (moderate). See ActCode._ActPolicyType._ActPrivacyPolicy._ActPrivacyLaw._ActUSPrivacyLaw.HIPAAAuth (HIPAA Authorization for Disclosure). 
See: HIPAAAuth and NIH Sample Authorization Language for Research Uses and Disclosures of Individually Identifiable Health Information by a Covered Health Care Provider https://privacyruleandresearch.nih.gov/authorization.asp
                                                                                                                                              .CompoundResearchCDCompound HIPAA Research Authorization and Informed Consent for ResearchNNThe Agency for Healthcare Research and Quality (AHRQ) has developed the Informed Consent and Authorization Toolkit for Minimal Risk Research to facilitate the process of obtaining informed consent and Health Insurance Portability and Accountability Act (HIPAA) authorization from potential research subjects. This toolkit contains information for people responsible for ensuring that potential research subjects are informed in a manner that is consistent with medical ethics and regulatory guidelines. From https://www.ahrq.gov/sites/default/files/publications/files/ictoolkit.pdf. Used to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by an individual’s right of access directive under 45 CFR Section 164.508 use “CompoundResearchCD” as the security label policy code. Information or biospecimen disclosed under the Common Rule are not protected by the HIPAA Privacy Rule. If protected under other laws such as confidentiality provisions under the Common Rule, assign the HL7 Confidentiality code “M” (moderate). See ActCode._ActPolicyType._ActPrivacyPolicy._ActPrivacyLaw._ActUSPrivacyLaw.HIPAAAuth (HIPAA Authorization for Disclosure). 
See: HIPAAAuth and NIH Sample Authorization Language for Research Uses and Disclosures of Individually Identifiable Health Information by a Covered Health Care Provider https://privacyruleandresearch.nih.gov/authorization.aspThe Agency for Healthcare Research and Quality (AHRQ) has developed the Informed Consent and Authorization Toolkit for Minimal Risk Research to facilitate the process of obtaining informed consent and Health Insurance Portability and Accountability Act (HIPAA) authorization from potential research subjects. This toolkit contains information for people responsible for ensuring that potential research subjects are informed in a manner that is consistent with medical ethics and regulatory guidelines. From https://www.ahrq.gov/sites/default/files/publications/files/ictoolkit.pdf. Used to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by an individual’s right of access directive under 45 CFR Section 164.508 use “CompoundResearchCD” as the security label policy code. Information or biospecimen disclosed under the Common Rule are not protected by the HIPAA Privacy Rule. If protected under other laws such as confidentiality provisions under the Common Rule, assign the HL7 Confidentiality code “M” (moderate). See ActCode._ActPolicyType._ActPrivacyPolicy._ActPrivacyLaw._ActUSPrivacyLaw.HIPAAAuth (HIPAA Authorization for Disclosure). See: HIPAAAuth and NIH Sample Authorization Language for Research Uses and Disclosures of Individually Identifiable Health Information by a Covered Health Care Provider https://privacyruleandresearch.nih.gov/authorization.asp
                                                                                                                                                .MDHHS-5515Michigan Consent to Share Behavioral Health Information for Care Coordination PurposesNNFor legislative background, current MDHHS-5515 consent directive form, and provider and patient FAQs see http://www.michigan.gov/mdhhs/0,5885,7-339-71550_2941_58005-343686--,00.htmlFor legislative background, current MDHHS-5515 consent directive form, and provider and patient FAQs see http://www.michigan.gov/mdhhs/0,5885,7-339-71550_2941_58005-343686--,00.html
                                                                                                                                                  .GDPRCDGDPR Consent DirectiveNNArticle 4.11 GDPR Definitions https://gdpr-info.eu/art-4-gdpr/ 11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Article 7 GDPR Conditions for consent https://gdpr-info.eu/art-7-gdpr Recital 32 Conditions for consent* https://gdpr-info.eu/recitals/no-32 Recital 42 Burden of proof and requirements for consent* https://gdpr-info.eu/recitals/no-42/> Recital 43 Freely given consent* https://gdpr-info.eu/recitals/no-43 GDPR Consent Brief https://gdpr-info.eu/issues/consent/ Art. 4 GDPR Definitions Art. 6 GDPR Lawfulness of processing Art. 7 GDPR Conditions for consent Art. 8 GDPR Conditions applicable to child's consent in relation to information society services Art. 9 GDPR Processing of special categories of personal data Art. 22 GDPR Automated individual decision-making, including profiling Art. 
49 GDPR Derogations for specific situations Relevant GDPR Recitals: (32) Conditions for consent (33) Consent to certain areas of scientific research (38) Special protection of children's personal data (40) Lawfulness of data processing (42) Burden of proof and requirements for consent (43) Freely given consent (50) Further processing of personal data (51) Protecting sensitive personal data (54) Processing of sensitive data in public health sector (71) Profiling (111) Exceptions for certain cases of international transfers (155) Processing in the employment context (161) Consenting to the participation in clinical trials (171) Repeal of Directive 95/46/EC and transitional provisionsArticle 4.11 GDPR Definitions https://gdpr-info.eu/art-4-gdpr/ 11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Article 7 GDPR Conditions for consent https://gdpr-info.eu/art-7-gdpr Recital 32 Conditions for consent* https://gdpr-info.eu/recitals/no-32 Recital 42 Burden of proof and requirements for consent* https://gdpr-info.eu/recitals/no-42/> Recital 43 Freely given consent* https://gdpr-info.eu/recitals/no-43 GDPR Consent Brief https://gdpr-info.eu/issues/consent/ Art. 4 GDPR Definitions Art. 6 GDPR Lawfulness of processing Art. 7 GDPR Conditions for consent Art. 8 GDPR Conditions applicable to child's consent in relation to information society services Art. 9 GDPR Processing of special categories of personal data Art. 22 GDPR Automated individual decision-making, including profiling Art. 
49 GDPR Derogations for specific situations Relevant GDPR Recitals: (32) Conditions for consent (33) Consent to certain areas of scientific research (38) Special protection of children's personal data (40) Lawfulness of data processing (42) Burden of proof and requirements for consent (43) Freely given consent (50) Further processing of personal data (51) Protecting sensitive personal data (54) Processing of sensitive data in public health sector (71) Profiling (111) Exceptions for certain cases of international transfers (155) Processing in the employment context (161) Consenting to the participation in clinical trials (171) Repeal of Directive 95/46/EC and transitional provisions
                                                                                                                                                    .GDPRResearchCDGDPR Research Consent DirectiveNNHL7 Purpose of Use codes include specialize research purposes of use, which could be used to convey a data subject’s purpose of use restrictions related to areas of research or parts of research projects. See citations for GDPRResearchCD and below: Recital 33 Consent to certain areas of scientific research https://gdpr-info.eu/recitals/no-33/> Recital 157 Information from registries and scientific research https://gdpr-info.eu/recitals/no-157 Recital 159 Processing for scientific research purposes* https://gdpr-info.eu/recitals/no-159/HL7 Purpose of Use codes include specialize research purposes of use, which could be used to convey a data subject’s purpose of use restrictions related to areas of research or parts of research projects. See citations for GDPRResearchCD and below: Recital 33 Consent to certain areas of scientific research https://gdpr-info.eu/recitals/no-33/> Recital 157 Information from registries and scientific research https://gdpr-info.eu/recitals/no-157 Recital 159 Processing for scientific research purposes* https://gdpr-info.eu/recitals/no-159/
                                                                                                                                                      .42CFRPart242 CFR Part 2)NNUsed to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, and disclosure of healthcare information is governed by 42 CFR Part 2 Confidentiality of Substance Use Disorder Patient Records https://www.gpo.gov/fdsys/pkg/CFR-2010-title42-vol1/pdf/CFR-2010-title42-vol1-part2.pdf use “42CFRPart2” as the security label policy code. Since information governed by a 42 CFR Part 2 has a level of confidentiality protection that is more stringent than the normal level of protection under HIPAA 45 CFR Section 164.506 Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf assign the HL7 Confidentiality code “R” (restricted).Used to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, and disclosure of healthcare information is governed by 42 CFR Part 2 Confidentiality of Substance Use Disorder Patient Records https://www.gpo.gov/fdsys/pkg/CFR-2010-title42-vol1/pdf/CFR-2010-title42-vol1-part2.pdf use “42CFRPart2” as the security label policy code. Since information governed by a 42 CFR Part 2 has a level of confidentiality protection that is more stringent than the normal level of protection under HIPAA 45 CFR Section 164.506 Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf assign the HL7 Confidentiality code “R” (restricted).
                                                                                                                                                        .COMMONRULECommon RuleNNUsed to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information or biospecimen is governed by the Common Rule use “COMMONRULE” as the security label policy code. Information or biospecimen disclosed under the Common Rule are not protected by the HIPAA Privacy Rule. If protected under other laws such as confidentiality provisions under the Common Rule, assign the HL7 Confidentiality code “M” (moderate). See ActReason_ActInformationManagementReason_ActHealthInformationManagementReason.PurposeOfUse. HRESCH for applicable security label purpose of use codes."Used to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information or biospecimen is governed by the Common Rule use “COMMONRULE” as the security label policy code. Information or biospecimen disclosed under the Common Rule are not protected by the HIPAA Privacy Rule. If protected under other laws such as confidentiality provisions under the Common Rule, assign the HL7 Confidentiality code “M” (moderate). See ActReason_ActInformationManagementReason_ActHealthInformationManagementReason.PurposeOfUse. HRESCH for applicable security label purpose of use codes."
                                                                                                                                                          .HIPAANOPPHIPAA notice of privacy practicesNNUsed to indicate the legal authority for assigning security labels to HIPAA governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by a covered entity’s HIPAA Notice of Privacy Practices, use “HIPAANOPP” as the security label policy code. Information governed under a HIPAA Notice of Privacy Practices has the level of confidentiality protection afforded under the 45 CFR Section 164.506 - Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf , which is considered the “norm”, assign the HL7 Confidentiality code “N” (normal).Used to indicate the legal authority for assigning security labels to HIPAA governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by a covered entity’s HIPAA Notice of Privacy Practices, use “HIPAANOPP” as the security label policy code. Information governed under a HIPAA Notice of Privacy Practices has the level of confidentiality protection afforded under the 45 CFR Section 164.506 - Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf , which is considered the “norm”, assign the HL7 Confidentiality code “N” (normal).
                                                                                                                                                            .HIPAAPsyNotesHIPAA psychotherapy notesNNUsed to indicate the legal authority for assigning security labels to HIPAA governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by HIPAA 45 CFR 164.508 (2) Authorization required: Psychotherapy notes https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf , use “HIPAAPsyNotes” as the security label policy code. Since information governed by a HIPAA 45 CFR 164.508 (2) has a level of confidentiality protection that is more stringent than the normal level of protection under 45 CFR Section 164.506 Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf, assign the HL7 Confidentiality code “R” (restricted).Used to indicate the legal authority for assigning security labels to HIPAA governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by HIPAA 45 CFR 164.508 (2) Authorization required: Psychotherapy notes https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf , use “HIPAAPsyNotes” as the security label policy code. Since information governed by a HIPAA 45 CFR 164.508 (2) has a level of confidentiality protection that is more stringent than the normal level of protection under 45 CFR Section 164.506 Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf, assign the HL7 Confidentiality code “R” (restricted).
                                                                                                                                                              .HIPAASelfPayHIPAA self-payNNUsed to indicate the legal authority for assigning security labels to HIPAA governed information. In this where collection, access, use, or disclosure of healthcare information is governed by HIPAA 45 CFR 164.522 https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-522.pdf use “HIPAASelfPay” as the security label policy code. Since information governed by a HIPAA 45 CFR 164.522 has a level of confidentiality protection that is more stringent than the normal level of protection under 45 CFR Section 164.506 Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf, assign the HL7 Confidentiality code “R” (restricted).Used to indicate the legal authority for assigning security labels to HIPAA governed information. In this where collection, access, use, or disclosure of healthcare information is governed by HIPAA 45 CFR 164.522 https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-522.pdf use “HIPAASelfPay” as the security label policy code. Since information governed by a HIPAA 45 CFR 164.522 has a level of confidentiality protection that is more stringent than the normal level of protection under 45 CFR Section 164.506 Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf, assign the HL7 Confidentiality code “R” (restricted).
Code: Title38Section7332
Display: Title 38 Section 7332
status: N / N
v2-concComment (identical in both code systems): Used to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by 38 U.S. Code Section 7332 - Confidentiality of certain medical records (https://www.gpo.gov/fdsys/granule/USCODE-2011-title38/USCODE-2011-title38-partV-chap73-subchapIII-sec7332/content-detail.html), use “Title38Section7332” as the security label policy code. Since information governed by Title 38 Section 7332 has a level of confidentiality protection that is more stringent than the normal level of protection under HIPAA 45 CFR Section 164.506 Uses and disclosures to carry out treatment, payment, or health care operations (https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf), assign the HL7 Confidentiality code “R” (restricted).

Code: HIPAAConsent
Display: HIPAA Consent
status: N / N
v2-concComment (identical in both code systems): Used to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by 45 CFR Section 164.522, use “HIPAAConsent” as the security label policy code. Since information governed by 45 CFR Section 164.522 has a level of confidentiality protection that is more stringent than the normal level of protection under HIPAA 45 CFR Section 164.506 Uses and disclosures to carry out treatment, payment, or health care operations (https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf), assign the HL7 Confidentiality code “R” (restricted).

Code: HIPAAAuth
Display: HIPAA Authorization for Disclosure
status: N / N
v2-concComment (identical in both code systems): A code representing U.S. Public Law 104-191 Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR Section 164.508) Uses and disclosures for which an authorization is required (https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-508.pdf), which stipulates the process by which a covered entity seeks agreement from an individual to use or disclose protected health information for other purposes, or to authorize another covered entity to disclose protected health information to the requesting covered entity; such agreements are termed “authorizations”. An “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization. (https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html)

Code: HIPAAROA
Display: HIPAA Right of Access
status: N / N
v2-concComment (identical in both code systems): Used to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed under 45 CFR Section 164.5224, use “HIPAAROA” as the security label policy code. Information disclosed under HIPAA 42 CFR Section 164.524 no longer has the level of confidentiality protection afforded under 45 CFR Section 164.506 - Uses and disclosures to carry out treatment, payment, or health care operations (https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-508.pdf), which is considered the “norm”; assign the HL7 Confidentiality code “M” (moderate). Such information may still be protected under other laws, such as the Federal Trade Commission privacy and security regulations.

Code: GDPRCONSENT
Display: GDPR Consent
status: N / N
v2-concComment (identical in both code systems): Article 6.1.a (https://gdpr-info.eu/art-6-gdpr/): 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Article 9.1, 9.2.a, 9.2.e (https://gdpr-info.eu/art-9-gdpr/): 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; and (e) processing relates to personal data which are manifestly made public by the data subject.

Code: GDPRCONTRACT
Display: GDPR contract
status: N / N
v2-concComment (identical in both code systems): Article 6.1.b (https://gdpr-info.eu/art-6-gdpr/): 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Recital 44 (https://gdpr-info.eu/recitals/no-44/): Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract. * This title is an unofficial description.

Code: GDPRHLTHSOCSY
Display: GDPR health or social system management
status: N / N
v2-concComment (identical in both code systems): This processing policy code offers an escape hatch to countries like Denmark and Austria: they simply declare their national healthcare data exchanges to be necessary for the management of their healthcare system. This allows them to establish an opt-out mechanism under the GDPR, whereas normally GDPR would be opt-in when it comes to such national exchanges. The description is based on the following GDPR provisions: Article 9.1, 9.2.c, 9.2.h and 9.3 (https://gdpr-info.eu/art-9-gdpr/): 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; 3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

Code: GDPRLEGALCLAIM
Display: GDPR legal claim
status: N / N
v2-concComment (identical in both code systems): The description is based on the following GDPR provisions: Article 9.1 and 9.2.f (https://gdpr-info.eu/art-9-gdpr/): 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: (f) processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity.

Code: GDPRLEGALOBL
Display: GDPR legal obligation
status: N / N
v2-concComment (identical in both code systems): The description is based on the following GDPR provisions: Article 6.1.c (https://gdpr-info.eu/art-6-gdpr/): 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (c) processing is necessary for compliance with a legal obligation to which the controller is subject. Article 9.1, 9.2.b (https://gdpr-info.eu/art-9-gdpr/): 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.

Code: GDPRLEGITINTEREST
Display: GDPR legitimate interest
status: N / N
v2-concComment (identical in both code systems): The description is based on the following GDPR provisions: Article 6.1.f (https://gdpr-info.eu/art-6-gdpr/): 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Article 9.1, 9.2.d (https://gdpr-info.eu/art-9-gdpr/): 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.

Code: GDPRPUBLICHEALTH
Display: GDPR public health
status: N / N
v2-concComment (identical in both code systems): The description is based on the following GDPR provisions: Article 9.1 and 9.2.i (https://gdpr-info.eu/art-9-gdpr/): 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

Code: GDPRPUBLICINTEREST
Display: GDPR public interest
status: N / N
v2-concComment (identical in both code systems): The description is based on the following GDPR provisions: Article 6.1.e (https://gdpr-info.eu/art-6-gdpr/): 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Article 9.1 and 9.2.g (https://gdpr-info.eu/art-9-gdpr/): 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Code: GDPRRESEARCH
Display: GDPR research
status: N / N
v2-concComment (identical in both code systems): The description is based on the following GDPR provisions: Article 9.1 and 9.2.j (https://gdpr-info.eu/art-9-gdpr/): 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Code: GDPRVITALINTEREST
Display: GDPR vital interest
status: N / N
v2-concComment (identical in both code systems): The description is based on the following GDPR provisions: Article 6.1.d (https://gdpr-info.eu/art-6-gdpr/): 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person. Article 9.1, 9.2.c, 9.2.h and 9.3 (https://gdpr-info.eu/art-9-gdpr/): 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; 3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.