Level
Lvl
|
Code
|
Display
|
Definition
|
|
1
|
_Confidentiality
|
Confidentiality
|
A
specializable
code
and
its
leaf
codes
used
in
Confidentiality
value
sets
to
value
the
Act.Confidentiality
and
Role.Confidentiality
attribute
in
accordance
with
the
definition
for
concept
domain
"Confidentiality".
|
|
2
|
L
L
|
low
|
Definition:
Privacy
metadata
indicating
that
the
information
has
been
de-identified,
and
there
are
mitigating
circumstances
that
prevent
re-identification,
which
minimize
risk
of
harm
from
unauthorized
disclosure.
The
information
requires
protection
to
maintain
low
sensitivity.
Examples:
Includes
anonymized,
pseudonymized,
or
non-personally
identifiable
information
such
as
HIPAA
limited
data
sets.
Map:
No
clear
map
to
ISO
13606-4
Sensitivity
Level
(1)
Care
Management:
RECORD_COMPONENTs
that
might
need
to
be
accessed
by
a
wide
range
of
administrative
staff
to
manage
the
subject
of
care's
access
to
health
services.
Usage
Note:
This
metadata
indicates
the
receiver
may
have
an
obligation
to
comply
with
a
data
use
agreement.
|
|
2
|
M
M
|
moderate
|
Definition:
Privacy
metadata
indicating
moderately
sensitive
information,
which
presents
moderate
risk
of
harm
if
disclosed
without
authorization.
Examples:
Includes
allergies
of
non-sensitive
nature
used
inform
food
service;
health
information
a
patient
authorizes
to
be
used
for
marketing,
released
to
a
bank
for
a
health
credit
card
or
savings
account;
or
information
in
personal
health
record
systems
that
are
not
governed
under
health
privacy
laws.
Map:
Partial
Map
to
ISO
13606-4
Sensitivity
Level
(2)
Clinical
Management:
Less
sensitive
RECORD_COMPONENTs
that
might
need
to
be
accessed
by
a
wider
range
of
personnel
not
all
of
whom
are
actively
caring
for
the
patient
(e.g.
radiology
staff).
Usage
Note:
This
metadata
indicates
that
the
receiver
may
be
obligated
to
comply
with
the
receiver's
terms
of
use
or
privacy
policies.
|
|
2
|
N
N
|
normal
|
Definition:
Privacy
metadata
indicating
that
the
information
is
typical,
non-stigmatizing
health
information,
which
presents
typical
risk
of
harm
if
disclosed
without
authorization.
Examples:
In
the
US,
this
includes
what
HIPAA
identifies
as
the
minimum
necessary
protected
health
information
(PHI)
given
a
covered
purpose
of
use
(treatment,
payment,
or
operations).
Includes
typical,
non-stigmatizing
health
information
disclosed
in
an
application
for
health,
workers
compensation,
disability,
or
life
insurance.
Map:
Partial
Map
to
ISO
13606-4
Sensitivity
Level
(3)
Clinical
Care:
Default
for
normal
clinical
care
access
(i.e.
most
clinical
staff
directly
caring
for
the
patient
should
be
able
to
access
nearly
all
of
the
EHR).
Maps
to
normal
confidentiality
for
treatment
information
but
not
to
ancillary
care,
payment
and
operations.
Usage
Note:
This
metadata
indicates
that
the
receiver
may
be
obligated
to
comply
with
applicable
jurisdictional
privacy
law
or
disclosure
authorization.
|
|
2
|
R
R
|
restricted
|
Privacy
metadata
indicating
highly
sensitive,
potentially
stigmatizing
information,
which
presents
a
high
risk
to
the
information
subject
if
disclosed
without
authorization.
May
be
preempted
pre-empted
by
jurisdictional
law,
e.g.,
e.g.
for
public
health
reporting
or
emergency
treatment.
>
Examples:
In
the
US,
this
includes
what
HIPAA
identifies
as
the
minimum
necessary
Includes
information
that
is
additionally
protected
health
such
as
sensitive
conditions
mental
health,
HIV,
substance
abuse,
domestic
violence,
child
abuse,
genetic
disease,
and
reproductive
health;
or
sensitive
demographic
information
(PHI)
given
such
as
a
covered
purpose
of
use
(treatment,
payment,
patient's
standing
as
an
employee
or
operations).
Includes
typical,
non-stigmatizing
health
a
celebrity.
May
be
used
to
indicate
proprietary
or
classified
information
disclosed
in
that
is
not
related
to
an
application
for
health,
workers
compensation,
disability,
individual,
e.g.
secret
ingredients
in
a
therapeutic
substance;
or
life
insurance.
the
name
of
a
manufacturer.
Map:
Partial
Map
to
ISO
13606-4
Sensitivity
Level
(3)
Clinical
Care:
Default
for
normal
clinical
care
access
(i.e.
most
clinical
staff
directly
caring
for
the
patient
should
be
able
to
access
nearly
all
of
the
EHR).
Maps
to
normal
confidentiality
for
treatment
information
but
not
to
ancillary
care,
payment
and
operations.
operations..
Usage
Note:
This
metadata
indicates
that
the
receiver
may
be
obligated
to
comply
with
applicable,
prevailing
(default)
jurisdictional
privacy
law
or
disclosure
authorization.
authorization..
|
|
2
|
U
U
|
unrestricted
|
Definition:
Privacy
metadata
indicating
that
the
information
is
not
classified
as
sensitive.
Examples:
Includes
publicly
available
information,
e.g.,
e.g.
business
name,
phone,
email
or
physical
address.
Usage
Note:
This
metadata
indicates
that
the
receiver
has
no
obligation
to
consider
additional
policies
when
making
access
control
decisions.
Note
that
in
some
jurisdictions,
personally
identifiable
information
must
be
protected
as
confidential,
so
it
would
not
be
appropriate
to
assign
a
confidentiality
code
of
"unrestricted"
to
that
information
even
if
it
is
publicly
available.
|
|
2
|
V
V
|
very
restricted
|
.
.
Privacy
metadata
indicating
that
the
information
is
extremely
sensitive
and
likely
stigmatizing
health
information
that
presents
a
very
high
risk
if
disclosed
without
authorization.
This
information
must
be
kept
in
the
highest
confidence.
Examples:
Includes
information
about
a
victim
of
abuse,
patient
requested
information
sensitivity,
and
taboo
subjects
relating
to
health
status
that
must
be
discussed
with
the
patient
by
an
attending
provider
before
sharing
with
the
patient.
May
also
include
information
held
under
“legal
lock�
or
attorney-client
privilege
Map:
This
metadata
indicates
that
the
receiver
may
not
disclose
this
information
except
as
directed
by
the
information
custodian,
who
may
be
the
information
subject.
Usage
Note:
This
metadata
indicates
that
the
receiver
may
not
disclose
this
information
except
as
directed
by
the
information
custodian,
who
may
be
the
information
subject.
|
|
1
|
_ConfidentialityByAccessKind
|
ConfidentialityByAccessKind
|
Description:
By
accessing
subject
/
role
and
relationship
based
rights
(These
concepts
are
mutually
exclusive,
one
and
only
one
is
required
for
a
valid
confidentiality
coding.)
Deprecation
Comment:Deprecated
due
to
updated
confidentiality
codes
under
ActCode
|
|
2
|
B
|
business
|
Description:
Since
the
service
class
can
represent
knowledge
structures
that
may
be
considered
a
trade
or
business
secret,
there
is
sometimes
(though
rarely)
the
need
to
flag
those
items
as
of
business
level
confidentiality.
However,
no
patient
related
information
may
ever
be
of
this
confidentiality
level.
Deprecation
Comment:
Replced
by
ActCode.B
|
|
2
|
D
|
clinician
|
Description:
Only
clinicians
may
see
this
item,
billing
and
administration
persons
can
not
access
this
item
without
special
permission.
Deprecation
Comment:Deprecated
due
to
updated
confidentiality
codes
under
ActCode
|
|
2
|
I
|
individual
|
Description:
Access
only
to
individual
persons
who
are
mentioned
explicitly
as
actors
of
this
service
and
whose
actor
type
warrants
that
access
(cf.
to
actor
type
code).
Deprecation
Comment:Deprecated
due
to
updated
confidentiality
codes
under
ActCode
|
|
1
|
_ConfidentialityByInfoType
|
ConfidentialityByInfoType
|
Description:
By
information
type,
only
for
service
catalog
entries
(multiples
allowed).
Not
to
be
used
with
actual
patient
data!
Deprecation
Comment:Deprecated
due
to
updated
confidentiality
codes
under
ActCode
|
|
2
|
ETH
|
substance
abuse
related
|
Description:
Alcohol/drug-abuse
related
item
Deprecation
Comment:Replced
by
ActCode.ETH
|
|
2
|
HIV
|
HIV
related
|
Description:
HIV
and
AIDS
related
item
Deprecation
Comment:Replced
by
ActCode.HIV
|
|
2
|
PSY
|
psychiatry
relate
|
Description:
Psychiatry
related
item
Deprecation
Comment:Replced
by
ActCode.PSY
|
|
2
|
SDV
|
sexual
and
domestic
violence
related
|
Description:
Sexual
assault
/
domestic
violence
related
item
Deprecation
Comment:Replced
by
ActCode.SDV
|
|
1
|
_ConfidentialityModifiers
|
ConfidentialityModifiers
|
Description:
Modifiers
of
role
based
access
rights
(multiple
allowed)
Deprecation
Comment:Deprecated
due
to
updated
confidentiality
codes
under
ActCode
|
|
2
|
C
|
celebrity
|
Description:
Celebrities
are
people
of
public
interest
(VIP)
including
employees,
whose
information
require
special
protection.
Deprecation
Comment:Replced
by
ActCode.CEL
|
|
2
|
S
|
sensitive
|
Description:
Information
for
which
the
patient
seeks
heightened
confidentiality.
Sensitive
information
is
not
to
be
shared
with
family
members.
Information
reported
by
the
patient
about
family
members
is
sensitive
by
default.
Flag
can
be
set
or
cleared
on
patient's
request.
Deprecation
Comment:Deprecated
due
to
updated
confidentiality
codes
under
ActCode
|
|
2
|
T
|
taboo
|
Description:
Information
not
to
be
disclosed
or
discussed
with
patient
except
through
physician
assigned
to
patient
in
this
case.
This
is
usually
a
temporary
constraint
only,
example
use
is
a
new
fatal
diagnosis
or
finding,
such
as
malignancy
or
HIV.
Deprecation
Note:Replced
by
ActCode.TBOO
|
|
Version
History
|
Table
of
Contents
|
Compare
to
DSTU1
|
Propose
a
change