Existing Wording: In addition, the server SHALL produce an additional 275 message whose binary segment contains a base64-encoded copy of the entire FHIR Bundle resource. This serves two purposes - it provides full audit traceability for the payer and it also allows the payer to directly process the FHIR content, potentially extracting elements not present in the X12 messages if needed. (Note: there is no requirement that payers take any such action.)

Proposed Wording: When disclosing a PAS Bundle with Claim and required Resources, the provider may have labeled those Resources with privacy tags per policy such as CUI, or Part 2 restricted confidentiality, specific purposes of use for which the disclosed information may be used, an obligation to persist the label, and a prohibition against redisclosure without consent. X12 N 278 does not support security labels. Therefore, if the payer is required to comply with the policy represented by a security label, the payer must extract the security label and maintain the association of the label with the labeled content.

Comment:

Regardless of the ability of ASC X12N 278 to support security labels, if the payer is required to comply with a label, the payer must have the ability to extract the label. If required to enforce the label tags, then the payer's Access Control System must have the ability to read the labels and make decisions about what end users are authorized to do with the labeled information.

An alternative approach is or HL7 to work with X12N to add security labels to X12N 278/275, and other HIPAA X12N IGs as well.

Summary:

If the payer is required to comply with a label, the payer must have the ability to extract the label.