{
  "package" : "hl7.terminology@6.3.0",
  "definition" : "A code representing an individual’s consent directive that complies with HIPAA Privacy rule 45 CFR Section 164.508 Uses and disclosures for which an authorization is required https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-508.pdf, which is a US Federal law stipulating the policy elements of a valid authorization under this Section.\\r\\n\\r\\nAn “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.\\r\\n\\r\\nAn authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization. https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html\\r\\nA HIPAA Authorization must comply with 45 CFR Section164.508(c) Implementation specifications: Core elements and requirements – \\r\\n(1) Core elements. A valid authorization under this Section must contain at least the following elements: (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. \\r\\n(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. \\r\\n(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. \\r\\n(iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose. \\r\\n(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository. \\r\\n(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided. \\r\\n(2)Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: \\r\\n(i) The individual's right to revoke the authorization in writing, and either: \\r\\n(A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or (B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by Section 164.520, a reference to the covered entity's notice.\\r\\nhttps://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-508.pdf",
  "system" : "http://terminology.hl7.org/CodeSystem/v2-0717",
  "property" : [ {
    "_uri" : "http://terminology.hl7.org/CodeSystem/utg-concept-properties#v2-concComment",
    "code" : "v2-concComment",
    "valueString" : "Used to indicate the legal authority for assigning security labels to HIPAA governed information. In this case, where collection, access, use, or disclosure of healthcare information is governed by a an individual’s HIPAA Authorization for Disclosure, use “HIPAAAuthCD” as the security label policy code.\r\n\r\n Information governed under a HIPAA Authorization for Disclosure has the level of confidentiality protection afforded under the 45 CFR Section 164.506 - Uses and disclosures to carry out treatment, payment, or health care operations https://www.gpo.gov/fdsys/pkg/CFR-2017-title45-vol1/pdf/CFR-2017-title45-vol1-sec164-506.pdf, which is considered the “norm”, assign the HL7 Confidentiality code “N” (normal)."
  }, {
    "_uri" : "http://terminology.hl7.org/CodeSystem/utg-concept-properties#status",
    "code" : "status",
    "valueCode" : "N"
  } ],
  "codesystem" : "3457fc57-7383-547c-91b7-0c6bcb13c117",
  "concept_id" : "aa99e65d-42e7-5dc1-b240-028cde4a2324",
  "ancestors" : {
    "HIPAAAuthCD" : 0
  },
  "id" : "71188de2-8744-40c0-9135-2cf82baf8028",
  "code" : "HIPAAAuthCD",
  "display" : "HIPAA Authorization Consent Directive",
  "version" : "2.0.0"
}