ShiftPrivacyExamples, published by SHIFT-Task-Force. This guide is not an authorized publication; it is the continuous build for version 0.0.1 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/SHIFT-Task-Force/demo-fhir-data/ and changes regularly. See the Directory of published versions

Security Labeling Services (SLS)

The SHIFT LEAP SLS GitHub focuses solely on:

• Inspecting FHIR Bundle entries (e.g., Condition, Observation, MedicationStatement)
• Matching codes against internal rule sets for sensitive categories
• Applying meta.security labels directly to those FHIR resources
• Add tagging attribution to the LEAP SLS
  • extension-sec-label-basis = v3-ActCode#42CFRPart2
  • extension-sec-label-classifier = "LEAP+ Security Labeling Service"

There is no logic in the codebase for:

• Creating Provenance resources linking labeling actions to agents or timestamps via FHIR
• Emitting audit trails or logs as FHIR resources

graph TD
  A[DocumentReference or Bundle] --> B[Code Analysis Engine]
  B --> C{Sensitive Topic Detected?}
  C -->|Yes| D[Apply meta.security Labels]
  C -->|No| E[No Labeling Needed]

  D --> F[Updated Resource with Labels]
  F --> G[Provenance]
  G --> H[Agent: NLP Engine]
  G --> I[Entity: Original Resource]

  F --> J[AuditEvent]
  J --> K[Who/What/When/Where]

• All Sensitive Codes
• Behavioral Health Codes (BH)
• Sexuality and Reproductive Health Codes (SEX)
• Substance Use Codes (SUD)
  • Opioid Abuse Codes (SUD+opiod)
  • Hallucinogen Codes (SUD+hallucinogen)

Note that "Normal" data are those that are none of these sensitive categories, otherwise known as "Medical" data.

Note the local codes are similar to those defined in this IG, but without the system specified

• local#hallucinogen "hallucinogen substance use"
• local#bh_substances "behavioural health related substances"
• local#opiod "opiod substance use"