Restricted Data

There are some types of data within the Designated Record Set that are restricted from being shared with other providers with a treatment relationship. Builders may tag individual pieces of data using restricted labels, or take advantage of Zus's intelligent approach to automatically tagging specially-regulated data. Patients that choose to opt out of sharing altogether may elect to do so by filling out a form.

Restricted Labels

Restricted resources in Zus are those that have a FHIR security label with a confidentiality code of โ€œRโ€ for โ€œRestrictedโ€ or โ€œVโ€ for โ€œVery Restricted.โ€

Restricted tag example:

"meta": {
    "security": [
        {
            "system": "http://terminology.hl7.org/CodeSystem/v3-Confidentiality",
            "code": "R",	
            "display": "Restricted"
        }
    ]
}

Any resources tagged as restricted in this way CANNOT be seen by other Builders, even if these Builders have a relationship with your patient. Users and app clients are permitted to view restricted resources if these resources are owned by their Builder or are owned by a Builder that has granted them cross-builder access.

Specially-regulated data

Zus uses the term "specially regulated data" to refer to that subset of PHI that may require specific patient consent in order to be shared among providers (e.g., HIV status, psychotherapy notes, substance use, mental health facility information). Data may be specially regulated at the US state level and/or at the federal level.

Data related to HIV status

Zus proactively labels all resources that may contain data relating to an HIV test, diagnosis, or medication, including data ingested from our data partners. We evaluate and label the following resource types:

  • Condition
  • MedicationRequest
  • MedicationStatement
  • MedicationDispense
  • MedicationAdministration
  • Observation
  • DiagnosticReport
  • Procedure

The Zus platform will apply the following HIV label to all resources that meet our evaluation criteria. In addition, HIV-labeled resources that are written by builders will automatically receive the Restricted label and be withheld from responses to CommonWell and Carequality.

"meta": {
    "security": [
        {
          system: "https://zusapi.com/speciallyregulated",
          code:   "HIV"
        }
    ]
}

Other categories of specially regulated data

There are three other categories of specially regulated data that Zus does not automatically tag, but can support:

  1. Psychotherapy notes: This regulation refers to the personal notes of a therapist or counselor. These are separate from the core clinical record (EHR). Customers creating such notes and writing them to the ZAP should take care to tag them with the "R" tag appropriately.
  2. Mental health facility: Certain state laws prohibit sharing records created by a mental health facility. Zus will evaluate if a customer qualifies as a โ€œmental health facilityโ€ as part of sales due diligence, and restrict from sharing accordingly.
  3. Substance use facility: Provider organizations that are part of Part 2 Covered Programs should not have any data shared without special consent. Zus will evaluate if a customer qualifies as a โ€œPart 2 Covered Programsโ€ as part of sales due diligence, and restrict from sharing.