All PAS Resources, including PAS Extensions that use these Resources, must be labeled to ensure that Access Control Systems can determine authorized access. - PAS #43


    • Type: Change Request
    • Resolution: Duplicate
    • Priority: Medium

      Existing Wording: http://hl7.org/fhir/us/davinci-pas/2019SEP/profile-claimresponse-definitions.html#ClaimResponse.contained

      Contained resources may have profiles and tags In their meta elements, but SHALL NOT have security labels.

      Proposed Wording: If a PAS ClaimResponse Resource includes a contained resource, assume that this information is specially protected information. To avoid the risk of breach or unauthorized access, assign a security label to the PAS ClaimResponse with a confidentiality code "R" (restricted), a purpose of use code "TREAT" (treatment), and a refrain code "NODSCLCD" (no disclosure without consent directive). If a provider shares the provider's access token with a payer following the CDS Hooks protocol, the payer's Access Control System must prevent the payer from accessing any PAS Resource with this security label in order to avoid unauthorized access.

      In the alternative, work with FHIR-I to develop a means for overriding dom-5 ("If a resource is contained in another resource, it SHALL NOT have a security label": contained.meta.security.empty()) on all PAS Resources so that PAS Resource.contained elements can support meta.security.

      The simplest fix is to remove the .contained element.
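      The labeling rule proposed above, as an added example that is not part of this ticket or the PAS IG: because dom-5 forbids meta.security on contained resources, the three labels are applied to the top-level ClaimResponse, and the access decision denies a payer any resource carrying them. The function names, the "payer" role string and the sample ClaimResponse are constructed for illustration; the code system URIs are the standard HL7 terminology URIs for the three codes named in the proposal.

```python
from copy import deepcopy

# Standard HL7 terminology code systems for the three labels named in the proposal.
CONF_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
REASON_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-ActReason"
ACTCODE_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-ActCode"

PART2_LABELS = [
    {"system": CONF_SYSTEM, "code": "R"},            # confidentiality: restricted
    {"system": REASON_SYSTEM, "code": "TREAT"},      # purpose of use: treatment
    {"system": ACTCODE_SYSTEM, "code": "NODSCLCD"},  # refrain: no disclosure without consent
]

def has_label(resource, system, code):
    """True if the resource's own meta.security carries the given coding."""
    return any(s.get("system") == system and s.get("code") == code
               for s in resource.get("meta", {}).get("security", []))

def violates_dom5(resource):
    """True if any contained resource carries meta.security (FHIR invariant dom-5)."""
    return any(c.get("meta", {}).get("security") for c in resource.get("contained", []))

def label_if_contained(resource):
    """Return a copy labeled at the ClaimResponse level when it has contained resources.
    Labels go on the top-level meta only, never on the contained resources (dom-5)."""
    labeled = deepcopy(resource)
    if not labeled.get("contained"):
        return labeled
    security = labeled.setdefault("meta", {}).setdefault("security", [])
    for label in PART2_LABELS:
        if not has_label(labeled, label["system"], label["code"]):
            security.append(dict(label))  # idempotent: never duplicates a coding
    return labeled

def payer_may_access(resource, requester_role):
    """Access-control decision for a payer acting under a borrowed provider token:
    deny any resource carrying the restricted or no-disclosure label."""
    restricted = (has_label(resource, CONF_SYSTEM, "R")
                  or has_label(resource, ACTCODE_SYSTEM, "NODSCLCD"))
    return not (requester_role == "payer" and restricted)

# Constructed sample (hypothetical, not real data): a PAS ClaimResponse with one
# contained resource and no security labels, as the current IG text would produce.
SAMPLE_CLAIMRESPONSE = {
    "resourceType": "ClaimResponse",
    "id": "constructed-example",
    "contained": [{"resourceType": "Condition", "id": "c1",
                   "code": {"text": "placeholder diagnosis"}}],
}
```

Run against the unlabeled sample, payer_may_access returns True, which is exactly the gap the comment below describes; after label_if_contained it returns False while dom-5 still holds.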

      Comment:

      A PAS extension on PAS ClaimResponse may include contained resources http://hl7.org/fhir/us/davinci-pas/2019SEP/profile-claimresponse-definitions.html#ClaimResponse.contained, which cannot support security labels, and which could be information identifying a patient as being or having been diagnosed with a substance use disorder, having or having had a substance use disorder, or being or having been referred for treatment of a substance use disorder that is governed under 42 CFR Part 2, and therefore raise substantial privacy and security issues.

      Without the ability to label the contained resources, an automated security labeling service would not have requisite information to apply a Part 2 security label at the PAS ClaimResponse Resource Level.

      As a result, the payer accessing this information using the provider's access token (via CDS-Hook) would not know that they needed authorization to access it. The provider that permitted the payer to use the provider's access token may be disclosing this information without consent because (1) under the CDS-Hook Resource Access specification, the provider's Access Control System would not be able to check whether the patient had consented to disclose to the payer; and (2) even if an Access Control System were able to intermediate the access, there'd be no security label on the PAS ClaimResponse Resource indicating that it contained Part 2 information.

      Summary:

      All PAS Resources, including PAS Extensions that use these Resources, must be labeled to ensure that Access Control Systems can determine authorized access.

            Assignee:
            Unassigned
            Reporter:
            Kathleen Connor
            Watchers:
            3
