6.2 Resource Consent - Content

6.2.1 Scope and Usage

The purpose of this Resource is to be used to express a Consent regarding Healthcare. There are four anticipated uses for the Consent Resource, all of which are written or verbal agreements by a healthcare consumer [grantor] or a personal representative, made to an authorized entity [grantee] concerning authorized or restricted actions with any limitations on purpose of use, and handling instructions to which the authorized entity must comply:

• Privacy Consent Directive: Agreement to collect, access, use or disclose (share) information.
• Medical Treatment Consent Directive: Consent to undergo a specific treatment (or record of refusal to consent).
• Research Consent Directive: Consent to participate in research protocol and information sharing required.
Advance Care Directives: Consent to instructions for potentially needed medical treatment (e.g. DNR).

This resource is scoped to cover all four three uses, but at this time, only the privacy use case is modeled. fully modeled, others are being used but no formal modelling exists. The scope of the resource may change when the other possible scopes are investigated, tested, or profiled. HL7 is working on Advance Directives and would welcome participation by the community.

A FHIR Consent Directive instance is considered the encoded legally binding Consent Directive if it meets requirements of a policy domain requirements for an enforceable contract. In some domains, electronic signatures of one or both of the parties to the content of an encoded representation of a Consent Form is deemed to constitute a legally binding Consent Directive. Some domains accept a notary’s electronic signature over the wet or electronic signature of a party to the Consent Directive as the additional identity proofing required to make an encoded Consent Directive legally binding. Other domains may only accept a wet signature or might not require the parties’ signatures at all.

Whatever the criteria are for making an encoded FHIR Consent Directive legally binding, anything less than a legally binding representation of a Consent Directive must be identified as such, i.e., as a derivative of the legally binding Consent Directive, which has specific usage in Consent Directive workflow management.

Definitions:

6.2.1.1 Privacy Consent Directive (PCD)

Privacy policies define how Individually Identifiable Health Information (IIHI) is to be collected, accessed, used and disclosed. A Privacy Consent Directive as a legal record of a patient's (e.g. a healthcare consumer) agreement with a party responsible for enforcing the patient's choices, which permits or denies identified actors or roles to perform actions affecting the patient within a given context for specific purposes and periods of time. All consent directives have a policy context, which is any set of organizational or jurisdictional policies which may limit the consumer’s policy choices, and which include a named range of actions allowed. In addition, Privacy Consent Directives provide the ability for a healthcare consumer to delegate authority to a Substitute Decision Maker who may act on behalf of that individual. Alternatively, a consumer may author/publish their privacy preferences as a self-declared Privacy Consent Directive.

The Consent resource on FHIR provides support for alternative representations for expressing interoperable health information privacy consent directives in a standard form for the exchange and enforcement by sending, intermediating, or receiving systems of privacy policies that can be enforced by consuming systems (e.g., scanned documents, of computable structured entries elements, FHIR structures with optional attached, or referenced unstructured representations.) It may be used to represent the Privacy Consent Directive itself, a Consent Statement, which electronically represents a Consent Directive, or Consent Metadata, which is the minimum necessary consent content derived from a Consent Directive for use in workflow management.

6.2.2 Boundaries and Relationships

Consent management - particularly privacy consent - is complicated by the fact that consent to share is often itself necessary to protect. The need to protect the privacy of the privacy statement itself competes with the execution of the consent statement. For this reason, it is common to deal with 'consent statements' that are only partial representations of the full consent statement that the patient provided.

For this reason, the consent resource contains two elements that refer back to the source: a master identifier, and a direct reference to content from which this Consent Statement was derived. That reference can be one of several things:

• A reference to another consent resource from which this limited statement was derived
• A reference to a document format for the original source (e.g. PDF or CDA - see the HL7 CDAR2 ConsentDirective Implementation Guide , which incorporated the IHE Basic Patient Privacy Consents (BPPC) ), either directly, or in a reference
• The source can be included in the consent as an attachment

The consent statements represent a chain that refers back to the original source consent directive. Applications may be able to follow the chain back to the source but should not generally assume that they are authorized to do this.

Consent Directives are executed by verbal acknowledge acknowledgement or by being signed - either on paper, or digitally. Consent Signatures will be found in the Provenance resource (example consent and signature ). resource. Implementation Guides will generally make rules about what signatures are required, and how they are to be shared and used.

6.2.3 Background and Context

Change to "The The Consent resource is structured with a base policy (represented as Consent.policy/Consent.policyRule) which is either opt-in or opt-out, followed by a listing of exceptions to that policy (represented as Consent.provision(s)). The exceptions can be additional positive or negative exceptions upon the base policy. The set of exceptions include a list of data objects, list of authors, list of recipients, list of Organizations, list of purposeOfUse, and Date Range.

The enforcement of the Privacy Consent Directive is not included but is expected that enforcement can be done using a mix of the various Access Control enforcement methodologies (e.g. OAuth, UMA, XACML). This enforcement includes the details of the enforcement meaning of the elements of the Privacy Consent Directive, such as the rules in place when there is an opt-in consent would be specific about which organizational roles have access to what kinds of resources (e.g. RBAC, ABAC). The specification of these details is not in scope for the Consent resource.

• Structure
• UML
• XML
• JSON
• Turtle
• R3 Diff
• All

Structure

0..1

Name	Flags	Card.	Type	Description & Constraints
Consent	I TU		DomainResource	A healthcare consumer's or third party's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time + Rule: Either a Policy or PolicyRule + Rule: IF Scope=privacy, there must be a patient + Rule: IF Scope=research, there must be a patient + Rule: IF Scope=adr, Scope=treatment, there must be a patient + Rule: IF Scope=treatment, there must be a patient Scope=research, ResearchStudyContext allowed Elements defined in Ancestors: id , meta , implicitRules , language , text , contained , extension , modifierExtension
identifier	Σ	0..*	Identifier	Identifier for this record (external references)
status	?! Σ	1..1	code	draft | proposed | active | rejected | inactive | entered-in-error | unknown ConsentState ( Required )
scope	?! Σ	1..1	CodeableConcept	Which of the four areas this resource covers (extensible) Consent Scope Codes ( Extensible )
category	Σ	1..*	CodeableConcept	Classification of the consent statement - for indexing/retrieval Consent Category Codes ( Extensible )
patient	Σ	0..1	Reference ( Patient )	Who the consent applies to
dateTime	Σ	0..1	dateTime	When this Consent consent was created or indexed agreed to
performer	Σ	0..*	Reference ( CareTeam | HealthcareService | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole )	Who is agreeing to the policy and rules
organization	Σ	0..*	Reference ( Organization )	Custodian of the consent
source[x] sourceAttachment	Σ	0..1 0..*	Attachment	Source from which this consent is taken
sourceAttachment sourceReference		Attachment 0..*	sourceReference Reference ( Consent | DocumentReference | Contract | QuestionnaireResponse )	Source from which this consent is taken
policy		0..*	BackboneElement	Policies covered by this consent
authority	I	0..1	uri	Enforcement source for policy
uri	I	0..1	uri	Specific policy covered by this consent
policyRule	Σ I	0..1	CodeableConcept	Regulation that this consents to Consent PolicyRule Codes ( Extensible )
verification	Σ	0..*	BackboneElement	Consent Verified by patient or family
verified	Σ	1..1	boolean	Has been verified
verificationType		0..1	CodeableConcept	Business case of verification Consent Vefication Codes ( Extensible )
verifiedWith verifiedBy		0..1	Reference ( Organization | Practitioner | PractitionerRole )	Person conducting verification
verifiedWith		0..1	Reference ( Patient | RelatedPerson )	Person who verified
verificationDate		0..*	dateTime	When consent verified
provision	Σ	0..1	BackboneElement	Constraints to the base Consent.policyRule Consent.policyRule/Consent.policy
type	Σ	0..1	code	deny | permit ConsentProvisionType ( Required )
period	Σ	0..1	Period	Timeframe for this rule
actor		0..*	BackboneElement	Who|what controlled by this rule (or group, by role)
role		1..1	CodeableConcept	How the actor is involved SecurityRoleType ( Extensible )
reference		1..1	Reference ( Device | Group | CareTeam | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole )	Resource for the actor (or group, by role)
action	Σ	0..*	CodeableConcept	Actions controlled by this rule Consent Action Codes ( Example )
securityLabel	Σ	0..*	Coding	Security Labels that define affected resources SecurityLabels ( Extensible )
purpose	Σ	0..*	Coding	Context of activities covered by this rule V3 Value SetPurposeOfUse ( Extensible )
class	Σ	0..*	Coding	e.g. Resource Type, Profile, CDA, etc. Consent Content Class ( Extensible )
code	Σ	0..*	CodeableConcept	e.g. LOINC or SNOMED CT code, etc. in the content Consent Content Codes ( Example )
dataPeriod	Σ	0..1	Period	Timeframe for data controlled by this rule
data	Σ	0..*	BackboneElement	Data controlled by this rule
meaning	Σ	1..1	code	instance | related | dependents | authoredby ConsentDataMeaning ( Required )
reference	Σ	1..1	Reference ( Any )	The actual data reference
provision		0..*	see provision	Nested Exception Rules
Documentation for this format

<

<Consent xmlns="http://hl7.org/fhir"> 

 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <identifier><!-- 0..* Identifier Identifier for this record (external references) --></identifier>
 <
 <</scope>

 <status value="[code]"/><!-- 1..1 draft | active | inactive | entered-in-error | unknown -->
 <scope><!-- 1..1 CodeableConcept Which of the four areas this resource covers (extensible) --></scope>

 <category><!-- 1..* CodeableConcept Classification of the consent statement - for indexing/retrieval --></category>
 <patient><!-- 0..1 Reference(Patient) Who the consent applies to --></patient>
 <
 <|
   </performer>

 <dateTime value="[dateTime]"/><!-- 0..1 When consent was agreed to -->
 <performer><!-- 0..* Reference(CareTeam|HealthcareService|Organization|Patient|
   Practitioner|PractitionerRole|RelatedPerson) Who is agreeing to the policy and rules --></performer>
 <organization><!-- 0..* Reference(Organization) Custodian of the consent --></organization>
 <|
   </source[x]>

 <sourceAttachment><!-- 0..* Attachment Source from which this consent is taken --></sourceAttachment>
 <sourceReference><!-- 0..* Reference(Consent|Contract|DocumentReference|
   QuestionnaireResponse) Source from which this consent is taken --></sourceReference>
 <policy>  <!-- 0..* Policies covered by this consent -->
  <authority value="[uri]"/><!--  0..1 Enforcement source for policy -->
  <uri value="[uri]"/><!--  0..1 Specific policy covered by this consent -->
 </policy>
 <policyRule><!--  0..1 CodeableConcept Regulation that this consents to --></policyRule>
 <verification>  <!-- 0..* Consent Verified by patient or family -->
  <verified value="[boolean]"/><!-- 1..1 Has been verified -->
  <verificationType><!-- 0..1 CodeableConcept Business case of verification --></verificationType>
  <verifiedBy><!-- 0..1 Reference(Organization|Practitioner|PractitionerRole) Person conducting verification --></verifiedBy>

  <verifiedWith><!-- 0..1 Reference(Patient|RelatedPerson) Person who verified --></verifiedWith>
  <

  <verificationDate value="[dateTime]"/><!-- 0..* When consent verified -->

 </verification>
 <

 <provision>  <!-- 0..1 Constraints to the base Consent.policyRule/Consent.policy -->

  <type value="[code]"/><!-- 0..1 deny | permit -->
  <period><!-- 0..1 Period Timeframe for this rule --></period>
  <actor>  <!-- 0..* Who|what controlled by this rule (or group, by role) -->
   <role><!-- 1..1 CodeableConcept How the actor is involved --></role>
   <|
     </reference>

   <reference><!-- 1..1 Reference(CareTeam|Device|Group|Organization|Patient|
     Practitioner|PractitionerRole|RelatedPerson) Resource for the actor (or group, by role) --></reference>
  </actor>
  <action><!-- 0..* CodeableConcept Actions controlled by this rule --></action>
  <securityLabel><!-- 0..* Coding Security Labels that define affected resources --></securityLabel>
  <purpose><!-- 0..* Coding Context of activities covered by this rule --></purpose>
  <class><!-- 0..* Coding e.g. Resource Type, Profile, CDA, etc. --></class>
  <code><!-- 0..* CodeableConcept e.g. LOINC or SNOMED CT code, etc. in the content --></code>
  <dataPeriod><!-- 0..1 Period Timeframe for data controlled by this rule --></dataPeriod>
  <data>  <!-- 0..* Data controlled by this rule -->
   <meaning value="[code]"/><!-- 1..1 instance | related | dependents | authoredby -->
   <reference><!-- 1..1 Reference(Any) The actual data reference --></reference>
  </data>
  <provision><!-- 0..* Content as for Consent.provision Nested Exception Rules --></provision>
 </provision>
</Consent>

{
  "resourceType" : "",

  "resourceType" : "Consent",

  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "identifier" : [{ Identifier }], // Identifier for this record (external references)
  "
  "

  "status" : "<code>", // R!  draft | active | inactive | entered-in-error | unknown
  "scope" : { CodeableConcept }, // R!  Which of the four areas this resource covers (extensible)

  "category" : [{ CodeableConcept }], // R!  Classification of the consent statement - for indexing/retrieval
  "patient" : { Reference(Patient) }, // Who the consent applies to
  "
  "|
   

  "dateTime" : "<dateTime>", // When consent was agreed to
  "performer" : [{ Reference(CareTeam|HealthcareService|Organization|Patient|
   Practitioner|PractitionerRole|RelatedPerson) }], // Who is agreeing to the policy and rules
  "organization" : [{ Reference(Organization) }], // Custodian of the consent
  
  " },
  "|
    },

  "sourceAttachment" : [{ Attachment }], // Source from which this consent is taken
  "sourceReference" : [{ Reference(Consent|Contract|DocumentReference|
   QuestionnaireResponse) }], // Source from which this consent is taken
  "policy" : [{ // Policies covered by this consent
    "authority" : "<uri>", // C? Enforcement source for policy
    "uri" : "<uri>" // C? Specific policy covered by this consent
  }],
  "policyRule" : { CodeableConcept }, // C? Regulation that this consents to
  "verification" : [{ // Consent Verified by patient or family
    "verified" : <boolean>, // R!  Has been verified
    "verificationType" : { CodeableConcept }, // Business case of verification
    "verifiedBy" : { Reference(Organization|Practitioner|PractitionerRole) }, // Person conducting verification

    "verifiedWith" : { Reference(Patient|RelatedPerson) }, // Person who verified
    "

    "verificationDate" : ["<dateTime>"] // When consent verified

  }],
  "

  "provision" : { // Constraints to the base Consent.policyRule/Consent.policy

    "type" : "<code>", // deny | permit
    "period" : { Period }, // Timeframe for this rule
    "actor" : [{ // Who|what controlled by this rule (or group, by role)
      "role" : { CodeableConcept }, // R!  How the actor is involved
      "|
     

      "reference" : { Reference(CareTeam|Device|Group|Organization|Patient|
     Practitioner|PractitionerRole|RelatedPerson) } // R!  Resource for the actor (or group, by role)
    }],
    "action" : [{ CodeableConcept }], // Actions controlled by this rule
    "securityLabel" : [{ Coding }], // Security Labels that define affected resources
    "purpose" : [{ Coding }], // Context of activities covered by this rule
    "class" : [{ Coding }], // e.g. Resource Type, Profile, CDA, etc.
    "code" : [{ CodeableConcept }], // e.g. LOINC or SNOMED CT code, etc. in the content
    "dataPeriod" : { Period }, // Timeframe for data controlled by this rule
    "data" : [{ // Data controlled by this rule
      "meaning" : "<code>", // R!  instance | related | dependents | authoredby
      "reference" : { Reference(Any) } // R!  The actual data reference
    }],
    "provision" : [{ Content as for Consent.provision }] // Nested Exception Rules
  }
}

@prefix fhir: <http://hl7.org/fhir/> .


[ a fhir:;

[ a fhir:Consent;

  fhir:nodeRole fhir:treeRoot; # if this is the parser root

  # from Resource: .id, .meta, .implicitRules, and .language
  # from DomainResource: .text, .contained, .extension, and .modifierExtension
  fhir:Consent.identifier [ Identifier ], ... ; # 0..* Identifier for this record (external references)
  fhir:
  fhir:

  fhir:Consent.status [ code ]; # 1..1 draft | active | inactive | entered-in-error | unknown
  fhir:Consent.scope [ CodeableConcept ]; # 1..1 Which of the four areas this resource covers (extensible)

  fhir:Consent.category [ CodeableConcept ], ... ; # 1..* Classification of the consent statement - for indexing/retrieval
  fhir:Consent.patient [ Reference(Patient) ]; # 0..1 Who the consent applies to
  fhir:
  fhir:

  fhir:Consent.dateTime [ dateTime ]; # 0..1 When consent was agreed to
  fhir:Consent.performer [ Reference(CareTeam|HealthcareService|Organization|Patient|Practitioner|PractitionerRole|
  RelatedPerson) ], ... ; # 0..* Who is agreeing to the policy and rules
  fhir:Consent.organization [ Reference(Organization) ], ... ; # 0..* Custodian of the consent
  # . One of these 2
    fhir: ]
    fhir:) ]

  fhir:Consent.sourceAttachment [ Attachment ], ... ; # 0..* Source from which this consent is taken
  fhir:Consent.sourceReference [ Reference(Consent|Contract|DocumentReference|QuestionnaireResponse) ], ... ; # 0..* Source from which this consent is taken

  fhir:Consent.policy [ # 0..* Policies covered by this consent
    fhir:Consent.policy.authority [ uri ]; # 0..1 Enforcement source for policy
    fhir:Consent.policy.uri [ uri ]; # 0..1 Specific policy covered by this consent
  ], ...;
  fhir:Consent.policyRule [ CodeableConcept ]; # 0..1 Regulation that this consents to
  fhir:Consent.verification [ # 0..* Consent Verified by patient or family
    fhir:Consent.verification.verified [ boolean ]; # 1..1 Has been verified
    fhir:Consent.verification.verificationType [ CodeableConcept ]; # 0..1 Business case of verification
    fhir:Consent.verification.verifiedBy [ Reference(Organization|Practitioner|PractitionerRole) ]; # 0..1 Person conducting verification

    fhir:Consent.verification.verifiedWith [ Reference(Patient|RelatedPerson) ]; # 0..1 Person who verified
    fhir:

    fhir:Consent.verification.verificationDate [ dateTime ], ... ; # 0..* When consent verified

  ], ...;
  fhir:

  fhir:Consent.provision [ # 0..1 Constraints to the base Consent.policyRule/Consent.policy

    fhir:Consent.provision.type [ code ]; # 0..1 deny | permit
    fhir:Consent.provision.period [ Period ]; # 0..1 Timeframe for this rule
    fhir:Consent.provision.actor [ # 0..* Who|what controlled by this rule (or group, by role)
      fhir:Consent.provision.actor.role [ CodeableConcept ]; # 1..1 How the actor is involved
      fhir:|
  

      fhir:Consent.provision.actor.reference [ Reference(CareTeam|Device|Group|Organization|Patient|Practitioner|PractitionerRole|
  RelatedPerson) ]; # 1..1 Resource for the actor (or group, by role)
    ], ...;
    fhir:Consent.provision.action [ CodeableConcept ], ... ; # 0..* Actions controlled by this rule
    fhir:Consent.provision.securityLabel [ Coding ], ... ; # 0..* Security Labels that define affected resources
    fhir:Consent.provision.purpose [ Coding ], ... ; # 0..* Context of activities covered by this rule
    fhir:Consent.provision.class [ Coding ], ... ; # 0..* e.g. Resource Type, Profile, CDA, etc.
    fhir:Consent.provision.code [ CodeableConcept ], ... ; # 0..* e.g. LOINC or SNOMED CT code, etc. in the content
    fhir:Consent.provision.dataPeriod [ Period ]; # 0..1 Timeframe for data controlled by this rule
    fhir:Consent.provision.data [ # 0..* Data controlled by this rule
      fhir:Consent.provision.data.meaning [ code ]; # 1..1 instance | related | dependents | authoredby
      fhir:Consent.provision.data.reference [ Reference(Any) ]; # 1..1 The actual data reference
    ], ...;
    fhir:Consent.provision.provision [ See Consent.provision ], ... ; # 0..* Nested Exception Rules
  ];
]

Structure

0..1

Name	Flags	Card.	Type	Description & Constraints
Consent	I TU		DomainResource	A healthcare consumer's or third party's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time + Rule: Either a Policy or PolicyRule + Rule: IF Scope=privacy, there must be a patient + Rule: IF Scope=research, there must be a patient + Rule: IF Scope=adr, Scope=treatment, there must be a patient + Rule: IF Scope=treatment, there must be a patient Scope=research, ResearchStudyContext allowed Elements defined in Ancestors: id , meta , implicitRules , language , text , contained , extension , modifierExtension
identifier	Σ	0..*	Identifier	Identifier for this record (external references)
status	?! Σ	1..1	code	draft | proposed | active | rejected | inactive | entered-in-error | unknown ConsentState ( Required )
scope	?! Σ	1..1	CodeableConcept	Which of the four areas this resource covers (extensible) Consent Scope Codes ( Extensible )
category	Σ	1..*	CodeableConcept	Classification of the consent statement - for indexing/retrieval Consent Category Codes ( Extensible )
patient	Σ	0..1	Reference ( Patient )	Who the consent applies to
dateTime	Σ	0..1	dateTime	When this Consent consent was created or indexed agreed to
performer	Σ	0..*	Reference ( CareTeam | HealthcareService | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole )	Who is agreeing to the policy and rules
organization	Σ	0..*	Reference ( Organization )	Custodian of the consent
source[x] sourceAttachment	Σ	0..1 0..*	Attachment	Source from which this consent is taken
sourceAttachment sourceReference		Attachment 0..*	sourceReference Reference ( Consent | DocumentReference | Contract | QuestionnaireResponse )	Source from which this consent is taken
policy		0..*	BackboneElement	Policies covered by this consent
authority	I	0..1	uri	Enforcement source for policy
uri	I	0..1	uri	Specific policy covered by this consent
policyRule	Σ I	0..1	CodeableConcept	Regulation that this consents to Consent PolicyRule Codes ( Extensible )
verification	Σ	0..*	BackboneElement	Consent Verified by patient or family
verified	Σ	1..1	boolean	Has been verified
verificationType		0..1	CodeableConcept	Business case of verification Consent Vefication Codes ( Extensible )
verifiedWith verifiedBy		0..1	Reference ( Organization | Practitioner | PractitionerRole )	Person conducting verification
verifiedWith		0..1	Reference ( Patient | RelatedPerson )	Person who verified
verificationDate		0..*	dateTime	When consent verified
provision	Σ	0..1	BackboneElement	Constraints to the base Consent.policyRule Consent.policyRule/Consent.policy
type	Σ	0..1	code	deny | permit ConsentProvisionType ( Required )
period	Σ	0..1	Period	Timeframe for this rule
actor		0..*	BackboneElement	Who|what controlled by this rule (or group, by role)
role		1..1	CodeableConcept	How the actor is involved SecurityRoleType ( Extensible )
reference		1..1	Reference ( Device | Group | CareTeam | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole )	Resource for the actor (or group, by role)
action	Σ	0..*	CodeableConcept	Actions controlled by this rule Consent Action Codes ( Example )
securityLabel	Σ	0..*	Coding	Security Labels that define affected resources SecurityLabels ( Extensible )
purpose	Σ	0..*	Coding	Context of activities covered by this rule V3 Value SetPurposeOfUse ( Extensible )
class	Σ	0..*	Coding	e.g. Resource Type, Profile, CDA, etc. Consent Content Class ( Extensible )
code	Σ	0..*	CodeableConcept	e.g. LOINC or SNOMED CT code, etc. in the content Consent Content Codes ( Example )
dataPeriod	Σ	0..1	Period	Timeframe for data controlled by this rule
data	Σ	0..*	BackboneElement	Data controlled by this rule
meaning	Σ	1..1	code	instance | related | dependents | authoredby ConsentDataMeaning ( Required )
reference	Σ	1..1	Reference ( Any )	The actual data reference
provision		0..*	see provision	Nested Exception Rules
Documentation for this format

UML Diagram ( Legend )

XML Template

<

<Consent xmlns="http://hl7.org/fhir"> 

 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <identifier><!-- 0..* Identifier Identifier for this record (external references) --></identifier>
 <
 <</scope>

 <status value="[code]"/><!-- 1..1 draft | active | inactive | entered-in-error | unknown -->
 <scope><!-- 1..1 CodeableConcept Which of the four areas this resource covers (extensible) --></scope>

 <category><!-- 1..* CodeableConcept Classification of the consent statement - for indexing/retrieval --></category>
 <patient><!-- 0..1 Reference(Patient) Who the consent applies to --></patient>
 <
 <|
   </performer>

 <dateTime value="[dateTime]"/><!-- 0..1 When consent was agreed to -->
 <performer><!-- 0..* Reference(CareTeam|HealthcareService|Organization|Patient|
   Practitioner|PractitionerRole|RelatedPerson) Who is agreeing to the policy and rules --></performer>
 <organization><!-- 0..* Reference(Organization) Custodian of the consent --></organization>
 <|
   </source[x]>

 <sourceAttachment><!-- 0..* Attachment Source from which this consent is taken --></sourceAttachment>
 <sourceReference><!-- 0..* Reference(Consent|Contract|DocumentReference|
   QuestionnaireResponse) Source from which this consent is taken --></sourceReference>
 <policy>  <!-- 0..* Policies covered by this consent -->
  <authority value="[uri]"/><!--  0..1 Enforcement source for policy -->
  <uri value="[uri]"/><!--  0..1 Specific policy covered by this consent -->
 </policy>
 <policyRule><!--  0..1 CodeableConcept Regulation that this consents to --></policyRule>
 <verification>  <!-- 0..* Consent Verified by patient or family -->
  <verified value="[boolean]"/><!-- 1..1 Has been verified -->
  <verificationType><!-- 0..1 CodeableConcept Business case of verification --></verificationType>
  <verifiedBy><!-- 0..1 Reference(Organization|Practitioner|PractitionerRole) Person conducting verification --></verifiedBy>

  <verifiedWith><!-- 0..1 Reference(Patient|RelatedPerson) Person who verified --></verifiedWith>
  <

  <verificationDate value="[dateTime]"/><!-- 0..* When consent verified -->

 </verification>
 <

 <provision>  <!-- 0..1 Constraints to the base Consent.policyRule/Consent.policy -->

  <type value="[code]"/><!-- 0..1 deny | permit -->
  <period><!-- 0..1 Period Timeframe for this rule --></period>
  <actor>  <!-- 0..* Who|what controlled by this rule (or group, by role) -->
   <role><!-- 1..1 CodeableConcept How the actor is involved --></role>
   <|
     </reference>

   <reference><!-- 1..1 Reference(CareTeam|Device|Group|Organization|Patient|
     Practitioner|PractitionerRole|RelatedPerson) Resource for the actor (or group, by role) --></reference>
  </actor>
  <action><!-- 0..* CodeableConcept Actions controlled by this rule --></action>
  <securityLabel><!-- 0..* Coding Security Labels that define affected resources --></securityLabel>
  <purpose><!-- 0..* Coding Context of activities covered by this rule --></purpose>
  <class><!-- 0..* Coding e.g. Resource Type, Profile, CDA, etc. --></class>
  <code><!-- 0..* CodeableConcept e.g. LOINC or SNOMED CT code, etc. in the content --></code>
  <dataPeriod><!-- 0..1 Period Timeframe for data controlled by this rule --></dataPeriod>
  <data>  <!-- 0..* Data controlled by this rule -->
   <meaning value="[code]"/><!-- 1..1 instance | related | dependents | authoredby -->
   <reference><!-- 1..1 Reference(Any) The actual data reference --></reference>
  </data>
  <provision><!-- 0..* Content as for Consent.provision Nested Exception Rules --></provision>
 </provision>
</Consent>

JSON Template

{
  "resourceType" : "",

  "resourceType" : "Consent",

  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "identifier" : [{ Identifier }], // Identifier for this record (external references)
  "
  "

  "status" : "<code>", // R!  draft | active | inactive | entered-in-error | unknown
  "scope" : { CodeableConcept }, // R!  Which of the four areas this resource covers (extensible)

  "category" : [{ CodeableConcept }], // R!  Classification of the consent statement - for indexing/retrieval
  "patient" : { Reference(Patient) }, // Who the consent applies to
  "
  "|
   

  "dateTime" : "<dateTime>", // When consent was agreed to
  "performer" : [{ Reference(CareTeam|HealthcareService|Organization|Patient|
   Practitioner|PractitionerRole|RelatedPerson) }], // Who is agreeing to the policy and rules
  "organization" : [{ Reference(Organization) }], // Custodian of the consent
  
  " },
  "|
    },

  "sourceAttachment" : [{ Attachment }], // Source from which this consent is taken
  "sourceReference" : [{ Reference(Consent|Contract|DocumentReference|
   QuestionnaireResponse) }], // Source from which this consent is taken
  "policy" : [{ // Policies covered by this consent
    "authority" : "<uri>", // C? Enforcement source for policy
    "uri" : "<uri>" // C? Specific policy covered by this consent
  }],
  "policyRule" : { CodeableConcept }, // C? Regulation that this consents to
  "verification" : [{ // Consent Verified by patient or family
    "verified" : <boolean>, // R!  Has been verified
    "verificationType" : { CodeableConcept }, // Business case of verification
    "verifiedBy" : { Reference(Organization|Practitioner|PractitionerRole) }, // Person conducting verification

    "verifiedWith" : { Reference(Patient|RelatedPerson) }, // Person who verified
    "

    "verificationDate" : ["<dateTime>"] // When consent verified

  }],
  "

  "provision" : { // Constraints to the base Consent.policyRule/Consent.policy

    "type" : "<code>", // deny | permit
    "period" : { Period }, // Timeframe for this rule
    "actor" : [{ // Who|what controlled by this rule (or group, by role)
      "role" : { CodeableConcept }, // R!  How the actor is involved
      "|
     

      "reference" : { Reference(CareTeam|Device|Group|Organization|Patient|
     Practitioner|PractitionerRole|RelatedPerson) } // R!  Resource for the actor (or group, by role)
    }],
    "action" : [{ CodeableConcept }], // Actions controlled by this rule
    "securityLabel" : [{ Coding }], // Security Labels that define affected resources
    "purpose" : [{ Coding }], // Context of activities covered by this rule
    "class" : [{ Coding }], // e.g. Resource Type, Profile, CDA, etc.
    "code" : [{ CodeableConcept }], // e.g. LOINC or SNOMED CT code, etc. in the content
    "dataPeriod" : { Period }, // Timeframe for data controlled by this rule
    "data" : [{ // Data controlled by this rule
      "meaning" : "<code>", // R!  instance | related | dependents | authoredby
      "reference" : { Reference(Any) } // R!  The actual data reference
    }],
    "provision" : [{ Content as for Consent.provision }] // Nested Exception Rules
  }
}

Turtle Template

@prefix fhir: <http://hl7.org/fhir/> .


[ a fhir:;

[ a fhir:Consent;

  fhir:nodeRole fhir:treeRoot; # if this is the parser root

  # from Resource: .id, .meta, .implicitRules, and .language
  # from DomainResource: .text, .contained, .extension, and .modifierExtension
  fhir:Consent.identifier [ Identifier ], ... ; # 0..* Identifier for this record (external references)
  fhir:
  fhir:

  fhir:Consent.status [ code ]; # 1..1 draft | active | inactive | entered-in-error | unknown
  fhir:Consent.scope [ CodeableConcept ]; # 1..1 Which of the four areas this resource covers (extensible)

  fhir:Consent.category [ CodeableConcept ], ... ; # 1..* Classification of the consent statement - for indexing/retrieval
  fhir:Consent.patient [ Reference(Patient) ]; # 0..1 Who the consent applies to
  fhir:
  fhir:

  fhir:Consent.dateTime [ dateTime ]; # 0..1 When consent was agreed to
  fhir:Consent.performer [ Reference(CareTeam|HealthcareService|Organization|Patient|Practitioner|PractitionerRole|
  RelatedPerson) ], ... ; # 0..* Who is agreeing to the policy and rules
  fhir:Consent.organization [ Reference(Organization) ], ... ; # 0..* Custodian of the consent
  # . One of these 2
    fhir: ]
    fhir:) ]

  fhir:Consent.sourceAttachment [ Attachment ], ... ; # 0..* Source from which this consent is taken
  fhir:Consent.sourceReference [ Reference(Consent|Contract|DocumentReference|QuestionnaireResponse) ], ... ; # 0..* Source from which this consent is taken

  fhir:Consent.policy [ # 0..* Policies covered by this consent
    fhir:Consent.policy.authority [ uri ]; # 0..1 Enforcement source for policy
    fhir:Consent.policy.uri [ uri ]; # 0..1 Specific policy covered by this consent
  ], ...;
  fhir:Consent.policyRule [ CodeableConcept ]; # 0..1 Regulation that this consents to
  fhir:Consent.verification [ # 0..* Consent Verified by patient or family
    fhir:Consent.verification.verified [ boolean ]; # 1..1 Has been verified
    fhir:Consent.verification.verificationType [ CodeableConcept ]; # 0..1 Business case of verification
    fhir:Consent.verification.verifiedBy [ Reference(Organization|Practitioner|PractitionerRole) ]; # 0..1 Person conducting verification

    fhir:Consent.verification.verifiedWith [ Reference(Patient|RelatedPerson) ]; # 0..1 Person who verified
    fhir:

    fhir:Consent.verification.verificationDate [ dateTime ], ... ; # 0..* When consent verified

  ], ...;
  fhir:

  fhir:Consent.provision [ # 0..1 Constraints to the base Consent.policyRule/Consent.policy

    fhir:Consent.provision.type [ code ]; # 0..1 deny | permit
    fhir:Consent.provision.period [ Period ]; # 0..1 Timeframe for this rule
    fhir:Consent.provision.actor [ # 0..* Who|what controlled by this rule (or group, by role)
      fhir:Consent.provision.actor.role [ CodeableConcept ]; # 1..1 How the actor is involved
      fhir:|
  

      fhir:Consent.provision.actor.reference [ Reference(CareTeam|Device|Group|Organization|Patient|Practitioner|PractitionerRole|
  RelatedPerson) ]; # 1..1 Resource for the actor (or group, by role)
    ], ...;
    fhir:Consent.provision.action [ CodeableConcept ], ... ; # 0..* Actions controlled by this rule
    fhir:Consent.provision.securityLabel [ Coding ], ... ; # 0..* Security Labels that define affected resources
    fhir:Consent.provision.purpose [ Coding ], ... ; # 0..* Context of activities covered by this rule
    fhir:Consent.provision.class [ Coding ], ... ; # 0..* e.g. Resource Type, Profile, CDA, etc.
    fhir:Consent.provision.code [ CodeableConcept ], ... ; # 0..* e.g. LOINC or SNOMED CT code, etc. in the content
    fhir:Consent.provision.dataPeriod [ Period ]; # 0..1 Timeframe for data controlled by this rule
    fhir:Consent.provision.data [ # 0..* Data controlled by this rule
      fhir:Consent.provision.data.meaning [ code ]; # 1..1 instance | related | dependents | authoredby
      fhir:Consent.provision.data.reference [ Reference(Any) ]; # 1..1 The actual data reference
    ], ...;
    fhir:Consent.provision.provision [ See Consent.provision ], ... ; # 0..* Nested Exception Rules
  ];
]

Changes since Release 3

Consent
Consent.identifier Max Cardinality changed from 1 to * Consent.status	Change value set from http://hl7.org/fhir/ValueSet/consent-state-codes to http://hl7.org/fhir/ValueSet/consent-state-codes|4.0.1 Consent.scope Added Mandatory Element Consent.category Min Cardinality changed from 0 http://hl7.org/fhir/ValueSet/consent-state-codes|4.0.0 to 1 Add Binding http://hl7.org/fhir/ValueSet/consent-category (extensible) http://hl7.org/fhir/ValueSet/consent-state-codes|4.2.0
Consent.patient Min Cardinality changed from 1 to 0 Consent.performer	Added Element Consent.source[x] Remove Type Identifier Consent.policyRule Type changed from uri to CodeableConcept Add Binding http://hl7.org/fhir/ValueSet/consent-policy (extensible) Consent.verification Added Element Consent.verification.verified Added Mandatory Element Consent.verification.verifiedWith Added Element Consent.verification.verificationDate Added Element Consent.provision Added Element Consent.provision.type Added Element Consent.provision.period Added Element Consent.provision.actor Added Element Consent.provision.actor.role Added Mandatory Element Consent.provision.actor.reference Added Mandatory Element Consent.provision.action Reference: Added Element Target Types CareTeam, HealthcareService
Consent.provision.securityLabel Consent.sourceAttachment	Added Element
Consent.provision.purpose Consent.sourceReference	Added Element
Consent.provision.class Consent.verification.verificationType	Added Element
Consent.provision.code Consent.verification.verifiedBy	Added Element
Consent.provision.dataPeriod Consent.verification.verificationDate	Added Element Max Cardinality changed from 1 to *
Consent.provision.data Consent.provision.type	Added Element Change value set from http://hl7.org/fhir/ValueSet/consent-provision-type|4.0.0 to http://hl7.org/fhir/ValueSet/consent-provision-type|4.2.0
Consent.provision.data.meaning	Added Mandatory Element Consent.provision.data.reference Added Mandatory Element Consent.provision.provision Added Element Consent.period deleted Consent.consentingParty deleted Consent.actor deleted Consent.action deleted Consent.securityLabel deleted Consent.purpose deleted Consent.dataPeriod deleted Consent.data deleted Change value set from http://hl7.org/fhir/ValueSet/consent-data-meaning|4.0.0 to http://hl7.org/fhir/ValueSet/consent-data-meaning|4.2.0
Consent.except Consent.source[x]	deleted

See the Full Difference for further information

This analysis is available as XML or JSON .

See R3 <--> R4 Conversion Maps (status = 12 tests that all execute ok. All tests pass round-trip testing and 12 r3 resources are invalid (0 errors). )

6.2.6 Policies

The Consent resource has a reference to a single policyRule . Many organizations will work in a context where multiple different consent regulations and policies apply. In these cases, the single policy rule reference refers to a policy document that resolves and reconciles the various policies and presents a single policy for patient consent. If it is still necessary to track which of the underlying policies an exception is make in regard to, the policy may be used.

6.2.7 General Model

The following is the general model of Privacy Consent Directives.

There are context setting parameters:

1. Who - The patient or third-party grantor
2. What - The data - specific resources are listed, empty list means all data covered by the consent.
3. Where Required - The domain and authority - what is the location boundary and authority boundary of this consent policy domain.
4. Where Accountability Lies - The organization or performer
5. When - The date issued or captured
6. When - The timeframe for which the Consent applies
7. How - The actions covered. (such as purposes of use that are covered)
8. Whom - The recipient actor are grantees by the consent.

A Privacy Consent may transition through many states including: that no consent has been sought, consent has been proposed, consent has been rejected, and consent approved.

There are set of patterns.

1. No consent: All settings need a policy for when no consent has been captured. Often this allows treatment only.;
2. Opt-out: No sharing allowed for the specified domain, location, actions, and purposes ; purposes;
3. Opt-out with exceptions: No sharing allowed, with some exceptions where it is allowed. Example: Withhold Authorization for Treatment except for Emergency Treatment ; Treatment;
4. Opt-in: Sharing for some purpose of use is authorized Sharing allowed for Treatment, Payment, and normal Operations ; Operations; and
5. Opt-in with restrictions: Sharing allowed, but the patient may make exceptions (See the Canadian examples). exceptions.

For each of these patterns (positive or negative pattern), there can be exceptions. These exceptions are explicitly recorded in the except element.

6.2.7.1 6.2.8 US Realm Sample Use-Cases Optimal Searching

Five categories of Privacy Consent Directives are described in the Office of The following steps represent the National Coordinator optimal path for Health Information (ONC) Consent Directives Document released March 31, 2010, and include the following US-specific "Core consent options" searching for electronic exchange: a Consent resource.

1. No consent: Health information of patients is automatically included—patients cannot opt out; Opt-out: Default is for health information of patients to be included automatically, but the patient can opt out completely ; Opt-out with exceptions: Default is for health information of patients to be included, but the patient can opt out completely Request one or allow only select data to be included; Opt-in: Default is that no patient health information is included; patients must actively express consent to be included, but more Consent where status=active by Consent.scope (with patient(s), if they do so then their information must be all in or all out; and Opt-in with restrictions: Default is that no patient health information is made available, but the patient may allow a subset of select data to be included. A common exception is none specified, get all). Policy will decide how to explicitly exclude or explicitly include a period of time . 6.2.7.2 Canada Realm Sample Use-Cases The following scenarios are based on existing jurisdictional policy and are realized in existing systems in Canada. The default policy is one of implied consent for the provision of care, so these scenarios all deal with withdrawal or withholding consent for that purpose. In other jurisdictions, where an express consent model is used (Opt-In), these examples would contain the phrase "consent to" rather than "withhold" or "withdraw" consent for. Withhold or withdraw consent for disclosure of records related multiple per patient and how to specific domain (e.g. DI, LAB, etc.) iterate through (e.g., select most recent).
2. Withhold or withdraw consent Locally inspect Consent.provision for disclosure of a specific record (e.g. Lab Order/Result) base policy acceptance/denial with Consent.policyRule
3. Withhold or withdraw consent for disclosure If policyRule not understandable, refer to a specific provider organization Privacy Office
4. Withhold or withdraw consent Locally inspect Consent.provision for disclosure to a specific provider agent (an individual within an organization) contexts (e.g., provision.purpose, provision.actor, etc.) as above
5. Withhold or withdraw consent Inspect Consent.provision.provision (et.al) for disclosure of records that were authored by a specific organization (or service delivery location). Combinations of the above exceptions