Yes, we probably need a common section, as this and a few other rules filter what patients see a bit. This is consistent across resources (eg: for comments that aren't related to instructions to the patient, none of the resources will contain those details when the patient accesses the data). Those are relatively easy to describe.
There are also scenarios in which privacy takes a part along with legal rules and can limit fields. EG: for adolescents, when accessed by a proxy (eg: parent) there are legal rules that dictate that the proxy cannot see some "sensitive" information. These types of rules would be hard to describe specifically as there are different laws and regulations in different countries, regions, and states/provinces. However, we should call out that it can vary.