

Committee Approval Date:

Sponsor: Security WG January 7, 2020

Publishing Lead: Mohammad Jafari/John Moehrke

Contributing or Reviewing Work Groups:

Cosponsor: CBCP WG Dec 10, 2019 Approval of encompassing Cross Paradigm CUI 32 CFR Part 2002, 42 CFR Part 2, and Title 38 Section 7332 Security Labeling IGs PSS


FHIR Development Project Insight ID:

Scope of coverage:

  • US Realm
  • FHIR Security Labels (Resource.meta.security)

Content location:

FHIR GitHub

Security WG Confluence site - for discussion, draft content, reference material

Proposed IG realm and code:

US/security-label-regs

Maintenance Plan:

Security WG, Veterans Health Administration, eHealth Exchange, and Sequoia Project intend to provide ongoing support of this Implementation Guide.

Short Description:

Defines how systems can comply with CFR 32 Part 2002 Controlled Unclassified Information (CUI); 42 CFR Part 2 for certain confidential substance use disorder information; and Title 38 Section 7332 using FHIR, in particular through the use of computable and interoperable security labels to represent these policies.

Long Description:

The FHIR US Regulatory Security Labeling IG specifies how Senders and Receivers can comply with CFR 32 Part 2002 Controlled Unclassified Information (CUI); 42 CFR Part 2 for certain confidential substance use disorder information; and Title 38 Section 7332 using FHIR security labels to indicate originator and recipient obligations to comply with these policies. These laws dictate that recipients must comply with specified confidentiality protections for governed sensitive information in accordance with purpose of use limitations, obligations, and prohibitions.

Transforms between FHIR and V2 or CDA security labels are provided.

Includes a FHIR Trust Contract profile with Labeling Capability Statements for real time verification that sender/receiver are bound under agreements such as eHealth Exchange DURSA or RCE rules.

Involved parties:

Sequoia Project
eHealth Exchange
Veterans Health Administration
Department of Defense

EHR Vendor participants in eHealth Exchange and trading partners of VHA and DOD

Expected implementations:


May 16, 2020 - Connectathon Track to demonstrate the FHIR Security Label Examples at May Connectathon as part of a FHIR DS4P Track.

Sept 19, 2020 - Connectathon Track to test transforms and Trust Contract profile

Content sources:

HL7 Healthcare Privacy and Security Classification System (HCS), HL7 v2.9 Security Label segments, DS4P CDA IG, FHIR DS4P Project (under development) and FHIR Security Module including the Security Label guidance.

Example Scenarios:

  • Develop consensus Security Label codes for CUI, Part 2 or Section 7332 label.

See Cross Paradigm CUI, Part 2, and 7332 Structure and current prototype for preliminary work.

  • How a custodian or sender determines whether a Resource needs a CUI, Part 2 or Section 7332 label.
  • How a sender determines the High-Water Mark security label on a Bundle when (1) all bundled Resources have the same security labels; (2) bundled Resources have different or no CUI, Part 2 or Section 7332 security labels.
  • How a receiver appropriately handles Bundle and Resource labels.
  • Develop Trust Contracts with capability statements about:
    • A sender's ability to determine the correct CUI, Part 2 or Section 7332 security labels to assign to Resources and to the Bundle as the High-Water Mark.
    • A receiver's ability to consume, persist, enforce, and display CUI, Part 2 or Section 7332 security labels.
  • How a sender determines whether a receiver is capable of consuming, persisting, enforcing, and displaying CUI, Part 2 or Section 7332 security labels using Trust Contract capability statements.

IG Relationships:

Dependency on the FHIR DS4P IG for foundational use cases, actors, operations, and interactions.

Timelines:

January 2020 - Draft CUI, Part 2, and 7332 Security Labels examples based on FHIR DS4P; V2.9 FHS, BHS, MSH, and ARV; and DS4P CDA IG. Draft use cases, policy background, and explanatory text.

February 2020 - Vet and refine examples and text with domain and business experts for adherence to policy and implementability.

March 2020 - Develop Cross Paradigm IG based on the examples and text in appropriate syntax.

March 1, 2020 - Submit May NIB for FHIR Security Label IG STU 1 ballot

April 5, 2020 - Final content

May 16, 2020 - Connectathon Track to demonstrate the FHIR Security Label Examples at May Connectathon as part of a FHIR DS4P Track.

June 2020 - Reconcile IG

July 2020 - Revise per reconciliation. Develop transform mappings between security label syntaxes and FHIR Trust Contract with capability statements indicating which security labels are supported.

July 5, 2020 - Submit NIB for FHIR Security Label IG with FHIR Security Label Trust Contract and Transforms across syntaxes for STU 2 ballot

July 21, 2020 - Submit Sept Connectathon track proposal to demonstrate FHIR Security Labels with FHIR Security Label Trust Contract and Transforms across syntaxes

July 28, 2020 - Reconciliation deadline

July 28, 2020 - FHIR Ballot Freeze

August 9, 2020 - Final content deadline

Sept 14, 2020 - Begin Reconciliation

Sept 19, 2020 - Connectathon Track to test transforms and Trust Contract profile

October 2020 - Finalize IG content per reconciliation and request publication

FMG Notes

FMG approved the revised FHIR US Regulatory Security Label IG proposal 1/08/2020