HL70272 is the HL7-defined vocabulary for the access-control sensitivity of a clinical document. It lives in TXA-18 Document Confidentiality Status and answers a deliberately blunt question: should this document be visible to every clinician with chart access, or held back for a smaller circle. The three values — U usual control, R restricted, V very restricted — are intentionally coarse because the table predates modern fine-grained access-control vocabularies and is meant to be combined with site-specific role definitions to make actual access decisions.
Purpose
HL70272 tags a document with its confidentiality tier so the receiving EHR can apply the right access rules. U (usual control) means the document obeys the system's default chart-access rules — anyone with access to the chart can see the note. R (restricted) is the bucket used for behavioral health, substance use, HIV, genetic counseling, and other categories that fall under sub-chapter privacy regimes (US 42 CFR Part 2, state-specific behavioral health statutes, EU national restrictions). V (very restricted) is the smallest circle — used for VIP records, employee health, and documents under explicit patient-directed restriction.
The codes do not themselves define who can see what — the receiving EHR's role-and-purpose-of-use rules do that. HL70272 only declares the tier the document belongs to, and downstream access-control engines key on that tier.
Where it's used
- TXA-18 Document Confidentiality Status — the canonical home, present on every MDM^T01 through MDM^T11 message.
Code list
| Code | Display | Comment/Description |
|---|---|---|
| R | Restricted | Subject to a restriction beyond the chart default (behavioral health, 42 CFR Part 2, etc). |
| U | Usual control | Default chart-access rules apply; no extra restriction beyond the receiving system's baseline. |
| V | Very restricted | Smallest visibility tier — VIP records, employee health, patient-directed restriction. |
Code system OID
- OID:
2.16.840.1.113883.18.118 - Canonical URI:
http://terminology.hl7.org/CodeSystem/v2-0272
The OID is what Vorro emits in CWE.14 when downstream profiles demand OID-bound coded TXA-18 values.
HL7-defined vs user-defined
HL70272 is HL7-defined, but the three values are widely understood to be insufficient for production access-control workflows. The modern approach is to populate TXA-18 with one of the three HL70272 buckets for backward compatibility, and carry a richer label (HL7 v3 Confidentiality, FHIR security labels, or a site-specific access policy identifier) in a parallel CWE field or as a DocumentReference.securityLabel when bridging to FHIR. Sites should not invent local two-letter values inside HL70272 — extensions almost always belong in a separate code system with its own OID.
Version differences
- v2.3 — HL70272 introduced alongside the MDM family with the initial set:
U,R,V. The three-value list has been stable since. - v2.4 – v2.8.1 — Unchanged.
This is one of the shortest and most stable HL7-defined tables; the access-control landscape has changed dramatically since v2.3, but the HL70272 codes have not.
Common mistakes
- Treating an empty TXA-18 as equivalent to
U. An empty field means "the sender did not say"; receivers should not silently fall back to usual control, which downgrades any document the sender forgot to label. - Defaulting every outbound document to
R"to be safe". This breaks downstream workflows that routeRdocuments through extra consent and disclosure tracking, and it floods the restricted-access queue with documents that never needed it. - Confusing
RwithV.Ris the 42 CFR Part 2 / behavioral health tier;Vis the smallest-circle tier (VIP, employee health). Mixing them collapses two distinct policy regimes onto one label. - Sending HL7 v3 Confidentiality codes (
N,R,V,U) in TXA-18. The v3U(unrestricted) and v2U(usual control) have opposite meanings —Uin v3 is the most permissive tier;Uin v2 is the default tier. Crossing wires here causes silent confidentiality downgrades. - Treating HL70272 as a sufficient access-control signal. It is a hint to the receiving system's policy engine, not a complete policy — the actual decision needs role, purpose-of-use, break-glass status, and consent.
Examples
A standard discharge summary with usual chart-access:
TXA|1|DS|TX|202606101430|||||1234^SMITH^JOHN^A^^^MD|||||DOC-99821||AU|U|AV
A behavioral health consultation marked restricted:
TXA|1|PC|TX|202606101430|||||4567^JONES^MARY^B^^^MD|||||DOC-99822||LA|R|AV
The same R value translated to a FHIR DocumentReference.securityLabel snippet using the v3 Confidentiality code system:
{
"resourceType": "DocumentReference",
"securityLabel": [{
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-Confidentiality",
"code": "R",
"display": "restricted"
}]
}]
}
Mapping failure example — v3 code in v2 field:
TXA|1|DS|TX|202606101430|||||1234^SMITH^JOHN^A^^^MD|||||DOC-99821||AU|N|AV
N is not in HL70272 — it is the HL7 v3 Normal code, which has been mis-routed into a v2 field. A conformant engine should quarantine the message rather than coerce N to U, because the v3 N and v2 U overlap but are not identical (v3 N excludes the "patient explicitly directed restriction" cases that v2 U would still cover under default rules).
FHIR mapping
The v2-to-FHIR IG does not publish a ConceptMap for this table; the mapping below follows the obvious correspondence, mapping each HL70272 code to the HL7 v3 Confidentiality value set used in DocumentReference.securityLabel:
| HL7 v2 (HL70272) | FHIR (v3 Confidentiality) |
|---|---|
| U | N (normal) |
| R | R (restricted) |
| V | V (very restricted) |
DocumentReference.securityLabel is a CodeableConcept typically populated from http://terminology.hl7.org/ValueSet/v3-Confidentiality. The v3 set has a fourth value U (unrestricted) that HL70272 cannot express — v2 senders that genuinely have unrestricted documents should send U (usual control) and rely on the receiver's default policy, or carry an additional label in a separate field.
Engine considerations
- Single-character validation — TXA-18 codes are exactly one character; engines should reject longer payloads outright.
- Case sensitivity — HL70272 codes are uppercase; lowercase
rmust be normalized or rejected. - Confidentiality cannot be silently downgraded — When a value fails validation, the safe default is not
U. Engines should hold the document for curation rather than route it through default access rules. - CWE upgrade path — In v2.7+ profiles, TXA-18 may be transmitted as CWE rather than IS, allowing CWE.14 to carry
2.16.840.1.113883.18.118. Both shapes must be handled.
How Vorro handles HL70272
Vorro validates TXA-18 against the three HL70272 codes on ingest. Values that match pass through untouched. Values that fail validation — v3 codes mis-routed into a v2 field, lowercase variants, unknown extensions — are routed to a confidentiality-specific curation queue rather than the general terminology queue, because misclassifying a confidentiality label has higher downstream consequences than misclassifying a document type. Documents in that queue do not propagate to chart-visible channels until a human resolves the label.
On outbound, Vorro emits HL70272 as IS for v2.5 and earlier profiles and as CWE with CWE.14 populated for v2.7+ destinations. When a FHIR DocumentReference.securityLabel arrives upstream with a v3 Confidentiality code, Vorro maps to the closest HL70272 value but preserves the original v3 code in an audit field so the round-trip semantics are recoverable.
Related pages
- TXA segment — Transcription Document Header
- HL70270 code table — Document Type
- HL70271 code table — Document Completion Status
