Data Element

Security Label Policy Tag

A Policy tag is the 0..1 component of a Security Label that conforms to follows the HL7 Healthcare Privacy and Security Classification System (HCS), Release 1 syntax to represent the policy governing of the information assigned a Security Label. The policy represented by this code is the authoritative source of the type of information deemed sensitive and the level of confidentiality protection to be provided. Policies may pertain to privacy, security, research, trust, etc., and may be issued by a jurisdiction, an organization, or an individual, e.g., by a consent directive. In addition, the policy may limit the permissible purposes of use, and the obligations and prohibited actions which may be taken by senders and receivers, which are conveyed using other types of tags in the Security Label representing a specific policy. HL7 recommends creating a value set of Policy codes to value the Policy tag, which are specific to priority US policies as discussed in the HL7 Cross-Paradigm US Regulatory Security Labeling Implementation Guide, which is under development. For example, the US Controlled Unclassified Information (CUI) policy 32 CFR Part 2002, established the executive branch’s CUI Program, policy for designating, handling, and decontrolling information that qualifies as CUI, and the security mechanisms by which the confidentiality of CUI is enforced. This rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency. As a result, most entities exchanging health information in the US will likely either mark CUI or receive CUI, and will be required to comply with this regulation. CUI exchanged using HL7 standards will need to indicate that the recipient must comply with this regulation using a security label with a Policy tag for 32 CFR Part 2002. HL7 Cross Paradigm US Security Labeling IG is under development to standardize CUI labeling for use with HL7 Version 2, CDA, and FHIR specifications. For Policy codes used to populate Security Label Policy tags, see HL7 PolicyType value set at:


Log in or register to post comments