Comment

Recommended updates to Security Label data class

  • With changes in state and federal privacy law the need for security labeling and differential management of highly sensitive data has significantly increased warranting focused attention on the various data elements in the Security Label data class.
  • We believe the content related to these data elements warrants a thorough update to reflect newer version of the resources and specifications including the STU release of FHIR SD4P (https://build.fhir.org/ig/HL7/fhir-security-label-ds4p/index.html), and the associated value sets including General Purpose of Use (https://terminology.hl7.org/ValueSet-v3-GeneralPurposeOfUse.htm) and Purpose of Use (https://terminology.hl7.org/ValueSet-v3-PurposeOfUse.html).
  • The information reflected under "Use Case Description", "Maturity Discussion", and "Potential Challenges" for the Security Label data element submissions seem to refer to a different use case for Controlled Unclassified Information (CUI) which may be an error or reflect of a lack of sufficient details. We suggest that these fields be reviewed and updated to reflect the specifics related to each type of security label being suggested.
  • We believe that Confidentiality and Purpose of Use codes are quite stable and at least a subset of the value sets have been implemented by some EHRs, especially considering that the Confidentiality Label has long been a required element in the DS4P standard for Composite CDAs at the document level. We therefore propose that the Confidentiality and Purpose of Use data elements be moved to Level 2. The values for the Confidentiality label that are most widely implemented are Restricted (R), Normal (N), and Unclassified (U) and could therefore be specified as an initial recommended value set within USCDI. The subset of values more likely to have been more widely implemented for Purpose of Use is the General Purpose of Use value set as defined by the FHIR DS4P IG and HL7 Terminology: https://terminology.hl7.org/ValueSet-v3-GeneralPurposeOfUse.html
  • We believe that a subset of the Sensitivity Tag value set has been implemented by some EHRs and directly supports major US-realm privacy use cases. Particularly, the use case of tagging and differentially managing data related to the treatment of Substance Use Disorder (SUD) based on 42 CFR Part 2 requirements. The use of these tags predates FHIR and we believe is widely implemented since at least source-based tagging (whether it is implemented using standard HL7 codes or internal proprietary tags) directly supports this long-standing compliance requirement. As such, we propose that the Sensitivity Tag data element be moved to Level 1 with the following subset of Sensitivity codes specified as an applicable value set: Substance Use Disorder (SUD), Sexual and Reproductive Health (SEX), Mental Health (MH).

Log in or register to post comments