{
  "package" : "hl7.terminology@6.3.0",
  "definition" : "A code representing U.S. Public Law 104-191 Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule 45 CFR Section 164.524 Access of individuals to protected health information https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-524.pdf, stipulating the policy elements of an individual's written and signed right of access directive requesting that a covered entity send the individual's protected health information (PHI) to a third party.\\r\\n\\r\\nSee 45 CFR 164.524(c)(3)(ii) If an individual's request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information. https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-524.pdf\\r\\n\\r\\nThis right applies to PHI in a designated record set, which is defined as \\\"Designated record set means: (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals. \\\\[https://www.law.cornell.edu/cfr/text/45/164.501\\\\]. Also see HHS Individuals' Right under HIPAA to Access their Health Information 45 CFR Section 164.524 \\\\[https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html\\\\#maximumflatfee\\\\].\\r\\n\\r\\n*Usage Note:* Used to indicate the legal authority for assigning security labels to governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by an individual's right of access directive under 45 CFR Section 164.524 use \\\"HIPAAROAD\\\" as the security label policy code.\\r\\n\\r\\nInformation disclosed under a HIPAA 42 CFR Section 164.524 no longer has the level of confidentiality protection afforded under the 45 CFR Section 164.506 - Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-508.pdf, which is considered the \\\"norm\\\", assign the HL7 Confidentiality code \\\"M\\\" (moderate), which may be protected under other laws such as the Federal Trade Commission privacy and security regulations.",
  "system" : "http://terminology.hl7.org/CodeSystem/v3-ActCode",
  "property" : [ {
    "_uri" : "http://hl7.org/fhir/concept-properties#status",
    "code" : "status",
    "valueCode" : "active"
  }, {
    "_uri" : "http://terminology.hl7.org/CodeSystem/utg-concept-properties#v3-internal-id",
    "code" : "internalId",
    "valueCode" : "24103"
  }, {
    "_uri" : "http://hl7.org/fhir/concept-properties#parent",
    "code" : "subsumedBy",
    "valueCode" : "_ActUSPrivacyConsentDirective"
  } ],
  "codesystem" : "638964c5-6f49-5686-925e-fad50ec626e9",
  "concept_id" : "2e778cfc-3d20-5286-8957-103c0659bbf0",
  "ancestors" : {
    "HIPAAROAD" : 0,
    "_ActConsent" : 3,
    "_ActPolicyType" : 4,
    "_ActPrivacyConsentDirective" : 2,
    "_ActUSPrivacyConsentDirective" : 1
  },
  "id" : "08e2b6ed-7fe9-4c32-b251-cefdef10cff0",
  "code" : "HIPAAROAD",
  "display" : "HIPAA Right of Access Directive",
  "version" : "9.0.0"
}