NEWFree ROI Calculators — quantify what prior auth and siloed data are costing your organization.Prior Auth ROI Siloed Data ROI
HL7 v2Code Table6 min read

HL7 Table HL70272: Document Confidentiality Status

HL70272 is the HL7-defined vocabulary for the access-control sensitivity of a clinical document. It lives in TXA-18 Document Confidentiality Status and answers a deliberately blunt question: should this document be visible to every clinician with chart access, or held back for a smaller circle. The three values — U usual control, R restricted, V very restricted — are intentionally coarse because the table predates modern fine-grained access-control vocabularies and is meant to be combined with site-specific role definitions to make actual access decisions.

Purpose

HL70272 tags a document with its confidentiality tier so the receiving EHR can apply the right access rules. U (usual control) means the document obeys the system's default chart-access rules — anyone with access to the chart can see the note. R (restricted) is the bucket used for behavioral health, substance use, HIV, genetic counseling, and other categories that fall under sub-chapter privacy regimes (US 42 CFR Part 2, state-specific behavioral health statutes, EU national restrictions). V (very restricted) is the smallest circle — used for VIP records, employee health, and documents under explicit patient-directed restriction.

The codes do not themselves define who can see what — the receiving EHR's role-and-purpose-of-use rules do that. HL70272 only declares the tier the document belongs to, and downstream access-control engines key on that tier.

Where it's used

  • TXA-18 Document Confidentiality Status — the canonical home, present on every MDM^T01 through MDM^T11 message.

Code list

CodeDisplayComment/Description
RRestrictedSubject to a restriction beyond the chart default (behavioral health, 42 CFR Part 2, etc).
UUsual controlDefault chart-access rules apply; no extra restriction beyond the receiving system's baseline.
VVery restrictedSmallest visibility tier — VIP records, employee health, patient-directed restriction.

Code system OID

  • OID: 2.16.840.1.113883.18.118
  • Canonical URI: http://terminology.hl7.org/CodeSystem/v2-0272

The OID is what Vorro emits in CWE.14 when downstream profiles demand OID-bound coded TXA-18 values.

HL7-defined vs user-defined

HL70272 is HL7-defined, but the three values are widely understood to be insufficient for production access-control workflows. The modern approach is to populate TXA-18 with one of the three HL70272 buckets for backward compatibility, and carry a richer label (HL7 v3 Confidentiality, FHIR security labels, or a site-specific access policy identifier) in a parallel CWE field or as a DocumentReference.securityLabel when bridging to FHIR. Sites should not invent local two-letter values inside HL70272 — extensions almost always belong in a separate code system with its own OID.

Version differences

  • v2.3 — HL70272 introduced alongside the MDM family with the initial set: U, R, V. The three-value list has been stable since.
  • v2.4 – v2.8.1 — Unchanged.

This is one of the shortest and most stable HL7-defined tables; the access-control landscape has changed dramatically since v2.3, but the HL70272 codes have not.

Common mistakes

  • Treating an empty TXA-18 as equivalent to U. An empty field means "the sender did not say"; receivers should not silently fall back to usual control, which downgrades any document the sender forgot to label.
  • Defaulting every outbound document to R "to be safe". This breaks downstream workflows that route R documents through extra consent and disclosure tracking, and it floods the restricted-access queue with documents that never needed it.
  • Confusing R with V. R is the 42 CFR Part 2 / behavioral health tier; V is the smallest-circle tier (VIP, employee health). Mixing them collapses two distinct policy regimes onto one label.
  • Sending HL7 v3 Confidentiality codes (N, R, V, U) in TXA-18. The v3 U (unrestricted) and v2 U (usual control) have opposite meanings — U in v3 is the most permissive tier; U in v2 is the default tier. Crossing wires here causes silent confidentiality downgrades.
  • Treating HL70272 as a sufficient access-control signal. It is a hint to the receiving system's policy engine, not a complete policy — the actual decision needs role, purpose-of-use, break-glass status, and consent.

Examples

A standard discharge summary with usual chart-access:

TXA|1|DS|TX|202606101430|||||1234^SMITH^JOHN^A^^^MD|||||DOC-99821||AU|U|AV

A behavioral health consultation marked restricted:

TXA|1|PC|TX|202606101430|||||4567^JONES^MARY^B^^^MD|||||DOC-99822||LA|R|AV

The same R value translated to a FHIR DocumentReference.securityLabel snippet using the v3 Confidentiality code system:

{
  "resourceType": "DocumentReference",
  "securityLabel": [{
    "coding": [{
      "system": "http://terminology.hl7.org/CodeSystem/v3-Confidentiality",
      "code": "R",
      "display": "restricted"
    }]
  }]
}

Mapping failure example — v3 code in v2 field:

TXA|1|DS|TX|202606101430|||||1234^SMITH^JOHN^A^^^MD|||||DOC-99821||AU|N|AV

N is not in HL70272 — it is the HL7 v3 Normal code, which has been mis-routed into a v2 field. A conformant engine should quarantine the message rather than coerce N to U, because the v3 N and v2 U overlap but are not identical (v3 N excludes the "patient explicitly directed restriction" cases that v2 U would still cover under default rules).

FHIR mapping

The v2-to-FHIR IG does not publish a ConceptMap for this table; the mapping below follows the obvious correspondence, mapping each HL70272 code to the HL7 v3 Confidentiality value set used in DocumentReference.securityLabel:

HL7 v2 (HL70272)FHIR (v3 Confidentiality)
UN (normal)
RR (restricted)
VV (very restricted)

DocumentReference.securityLabel is a CodeableConcept typically populated from http://terminology.hl7.org/ValueSet/v3-Confidentiality. The v3 set has a fourth value U (unrestricted) that HL70272 cannot express — v2 senders that genuinely have unrestricted documents should send U (usual control) and rely on the receiver's default policy, or carry an additional label in a separate field.

Engine considerations

  • Single-character validation — TXA-18 codes are exactly one character; engines should reject longer payloads outright.
  • Case sensitivity — HL70272 codes are uppercase; lowercase r must be normalized or rejected.
  • Confidentiality cannot be silently downgraded — When a value fails validation, the safe default is not U. Engines should hold the document for curation rather than route it through default access rules.
  • CWE upgrade path — In v2.7+ profiles, TXA-18 may be transmitted as CWE rather than IS, allowing CWE.14 to carry 2.16.840.1.113883.18.118. Both shapes must be handled.

How Vorro handles HL70272

Vorro validates TXA-18 against the three HL70272 codes on ingest. Values that match pass through untouched. Values that fail validation — v3 codes mis-routed into a v2 field, lowercase variants, unknown extensions — are routed to a confidentiality-specific curation queue rather than the general terminology queue, because misclassifying a confidentiality label has higher downstream consequences than misclassifying a document type. Documents in that queue do not propagate to chart-visible channels until a human resolves the label.

On outbound, Vorro emits HL70272 as IS for v2.5 and earlier profiles and as CWE with CWE.14 populated for v2.7+ destinations. When a FHIR DocumentReference.securityLabel arrives upstream with a v3 Confidentiality code, Vorro maps to the closest HL70272 value but preserves the original v3 code in an audit field so the round-trip semantics are recoverable.

Sources

← Back to HL7 v2 Guide

Ready to Integrate This Into Your Workflow?

Talk to a Vorro expert about implementing HL7 v2 in your specific environment.

Browse HL7 v2 Guides
HL7 Table HL70272: Document Confidentiality Status | Vorro Academy | Vorro