This page provides an introduction to the CUI Business Problem, for which HL7 has developed a standards-based, interoperable solution for HL7 product families. HL7's solution is a code set of CUI Marking codes and guidance for using security labels to convey CUI in HL7 V2, CDA, and FHIR. This vocabulary could be used by healthcare exchange standards external to HL7 such as X12, NCPDP, and NIEM.

Additional pages providing more detail:

CUI Business Problem

Federal health agencies must evaluate their requirements for marking and managing Controlled Unclassified Information (CUI) under Executive Order 13556 and 32 CFR Part 2002.

Review of the applicable CUI Authorities listed in the NARA CUI Category List indicates that the General Privacy and Health Information categories pertain to Federal HIE key lines of business for HIPAA Covered Transactions and for HIPAA Authorized Disclosures.

The diagram below illustrates the applicable CUI-related laws most important to HIE.


Controlled Unclassified Information (CUI) Problem and Solutions Diagram link


Key Federal healthcare CUI is disseminated with trading partners including:

  • Other Federal agencies
  • Non-executive branch agencies – judiciary, research, educational institutions
  • Health Oversight agencies
  • Contracted providers, payers, intermediaries
  • Private sector providers, payers, intermediaries, & HIEs

Recipients of federal health CUI must manage, persist, and enforce CUI security controls, as well as apply markings to further disclosed CUI.

Interoperability Issue - CUI Chaos

If CUI markings on the same HIE content differ, recipients will have difficulty discerning their security control requirements.

If each agency adopts a different CUI marking policy, then the burden on downstream HIE participants would increase exponentially.

Federal Agencies in collaboration with Sequoia are working towards a consensus policy for marking CUI to ensure that the burden on downstream HIE participants is minimized.

CUI Solutions

Easing CUI implementation is possible if agencies decide on a consensus CUI marking.

Adoption of standard HL7 CUI codes ensures interoperability across HL7 Version 2, CDA, and FHIR content using syntax-specific security labeling.

Per NARA, the CUI Program allows you to use any font size and color, as long as the banner marking is in the header of the document and is readily apparent to the user.

Relevant CUI Health and Privacy Authorities for HIE

The following authorities are included in CUI Category: General Privacy and CUI Category: Health Information.

| Info Type | Category | Basic / Specified | Authority | Context | Federal Agencies to which this applies | Safeguarding / Dissemination |
|---|---|---|---|---|---|---|
| PII | PRVCY | Specified | OMB M-17-12 | Preparing for and addressing PII breach | All Federal health agencies/contractors & HIPAA BA/cooperative agreement parties | Dissemination |
| PII | PRVCY | Basic | OMB A130 | Managing PII | All Federal health agencies/contractors & HIPAA BA | Safeguarding |
| IIHI | HLTH | Specified | 42 USC 1320d-5 | HIPAA Statute Security Safeguards for IIHI | All Federal health agencies/contractors which are Covered Entities or BA | |
| IIHI | HLTH | Specified | 42 CFR 2.16(a) | Part 2 Security of Substance Use Disorder Records | Federal health agencies to which Part 2 applies (not VA?) | |
| IIHI | HLTH | Basic | 42 CFR 2.1(a) | Part 2 - Disclosure authorization | Federal health agencies to which Part 2 applies (not VA) | |
| IIHI | HLTH | Basic | 42 CFR 2.1(f) | Part 2 Substance Use Disorder Confidentiality | Federal health agencies to which Part 2 applies (not VA) | Safeguarding / Dissemination |
| IIHI | HLTH | Basic | 42 CFR 2.12(a) | Part 2 - Restrictions on disclosure. | Federal health agencies to which Part 2 applies (not VA) | |
| IIHI | HLTH | Basic | 42 CFR 2.13(c) | Part 2 - Confidentiality restrictions and safeguards. (c) Acknowledging the presence of patients: Responding to requests. | Federal health agencies to which Part 2 applies (not VA) | |
| IIHI | HLTH | Basic | 42 CFR 2.2(a) | Part 2 - Purpose and effect. | Federal health agencies to which Part 2 applies (not VA) | Safeguarding / Dissemination |
| IIHI | HLTH | Basic | 42 CFR 2.21(b) | Part 2 - Research Privilege Confidentiality | Federal health agencies to which Part 2 applies (not VA) | |
| IIHI | HLTH | Basic | 38 USC 7332(a) | Veterans Confidentiality | Federal health agencies to which 7332 applies | |
| PHI | HLTH | Basic | 45 CFR 164.508(a) | HIPAA Privacy Rule Uses and Disclosures for which an authorization is required. | All Federal health agencies/contractors which are Covered Entities or BA | |
| PHI | HLTH | Basic | 45 CFR 164.530(e) | HIPAA Safeguards under Privacy Rule | All Federal health agencies/contractors which are Covered Entities or BA | |
| PHI | HLTH | Basic | 45 CFR 164.502(a) | HIPAA Privacy Rule Uses and disclosure of PHI without authorization | All Federal health agencies/contractors which are Covered Entities or BA | |
| PHI | HLTH | Basic | 45 CFR 164.310(a)(1) | HIPAA Security Rule Physical Safeguards | All Federal health agencies/contractors which are Covered Entities or BA | |
| ePHI | HLTH | Basic | 45 CFR 164.306(a) | HIPAA Security standards general rules | All Federal health agencies/contractors which are Covered Entities or BA | |