6.2 Resource Consent - Content

6.2.1 Scope and Usage

The purpose of this Resource is to be used to express a Consent regarding Healthcare. There are four anticipated uses for the Consent Resource, all of which are written or verbal agreements by a healthcare consumer [grantor] or a personal representative, made to an authorized entity [grantee] concerning authorized or restricted actions with any limitations on purpose of use, and handling instructions to which the authorized entity must comply:

• Privacy Consent Directive: Agreement Agreement, Restriction, or Prohibition to collect, access, use or disclose (share) information.
• Medical Treatment Consent Directive: Consent to undergo a specific treatment (or record of refusal to consent).
• Research Consent Directive: Consent to participate in research protocol and information sharing required.
Advance Care Directives: Consent to instructions for potentially needed medical treatment (e.g. DNR).

This resource is scoped to cover all four three uses, but at this time, only the privacy use case is modeled. fully modeled, others are being used but no formal modelling exists. The scope of the resource may change when the other possible scopes are investigated, tested, or profiled. A FHIR Consent Directive instance is considered the encoded legally binding Consent Directive if it meets requirements of a policy domain requirements for an enforceable contract. In some domains, electronic signatures of one or both of the parties to the content of an encoded representation of a Consent Form HL7 is deemed to constitute a legally binding Consent Directive. Some domains accept a notary’s electronic signature over the wet or electronic signature of a party to the Consent Directive as the additional identity proofing required to make an encoded Consent Directive legally binding. Other domains may only accept a wet signature or might not require the parties’ signatures at all. Whatever the criteria are for making an encoded FHIR Consent Directive legally binding, anything less than a legally binding representation of a Consent Directive must be identified as such, i.e., as a derivative of working on Advance Directives and would welcome participation by the legally binding Consent Directive, which has specific usage in Consent Directive workflow management. community.

6.2.1.1 Simple vs. Computable Consent The record of a healthcare consumer’s policy choices, which permits or denies identified recipient(s) or recipient role(s) to perform one or more actions within a given policy context, for specific purposes and periods of time Consent Form Human readable consent content describing one or more actions impacting the grantor for which

In its simplest form, the grantee would be authorized or prohibited from performing. It includes Consent resource provides the terms, rules, and conditions pertaining means to record the authorization or restrictions, such as effective time, applicability or scope, purposes of use, obligations content and prohibitions to which the grantee must comply. Once metadata of a Consent Form is “executed” by means required by policy, such consent (either implicit consent as verbal agreement, wet signature, an event or electronic/digital signature, it becomes a legally binding Consent Directive. Consent Directive Derivative Consent Content that conveys the minimal set an explicit consent document). At this level of information needed to manage Consent Directive workflow, including providing Consent Directive content sufficient to: Represent a Consent Directive Register or index a Consent Directive Query and respond about a Consent Directive Retrieve a Consent Directive Notify authorized entities about Consent Directive status changes Determine entities authorized to collect, access, use or disclose information about the Consent Directive or implementation, basic metadata about the information governed by the Consent Directive. Derived Consent content includes the Security Labels encoding the applicable privacy (e.g., status, data and security policies. Consent Security Labels inform recipients about specific access control measures required for compliance. Consent Statement A Consent Directive derivative has less than full fidelity to the legally binding Consent Directive from which it was "transcribed". It provides recipients with the full content representation they may require for compliance purposes, time, patient, and typically include a reference to or an attached unstructured representation for recipients needing an exact copy of the legal agreement. Consent Registration The legal record of a healthcare consumer's agreement with a party responsible for enforcing the consumer’s choices, which permits or denies identified actors or roles to perform actions affecting organization) is recorded in the consumer within a given context for specific purposes and periods corresponding attributes of timeA Consent Directive derivative that conveys the minimal set of information needed to register an active and revoked Consent Directive, or resource to update Consent status as it changes during its lifecycle. Consent Query/Response Types The FHIR Consent Resource specifies multiple Consent Search parameters, which support many types of queries for Consent Resource content. There are several Query/Response patterns that are typically used for obtaining information about consent directive content for the following use cases: Find Active Consent Directive: A query that includes sufficient enable consent directive content to determine whether a specific party is authorized to share information governed discovery by a consent directive with another specific party. indexing, searching, and retrieval of consents based on this metadata. The Response is either: “Yes” meaning that both parties are authorized `source[x]` attribute can be used to share record the information with one another. “No” meaning that original consent document either in the authorized querier is not permitted form of a pointer to share with another specific party “No information found” meaning that there is no active Consent Directive resource or in which the querier is authorized to share the governed information. Find Consent Directive Authorized Entities: A query that includes sufficient consent directive content to return a list form of entities with which the querier is authorized to share governed information. The response to an authorized querier is the list attachment.

In a more advanced usage of any authorized entities with which the querier is permitted to share governed information. The response to an unauthorized querier is that “no information is found”. Find Consent Directive(s): A query that includes sufficient consent directive content resource, in addition to return a list of Consent Directive recording the metadata for an authorized querier to determine what Consent Directives are available, and to locate and retrieve one or more of those Consent Directives as needed. Policy context Any organizational or jurisdictional policies, which may limit potentially the consumer’s policy choices, and which includes original content, the privacy preferences stated in the named range of actions allowed Healthcare Consumer The individual establishing his/her personal consent (i.e. Consenter). In FHIR, this is referred to as are encoded directly in the 'Patient' though this word is not used across all contexts form of care 6.2.1.1 Privacy Consent Directive (PCD) Privacy policies define how Individually Identifiable Health Information (IIHI) is to machine-readable rules. These rules can be collected, accessed, used and disclosed. A Privacy Consent Directive as a legal record of a patient's (e.g. a healthcare consumer) agreement with processed by a party responsible for enforcing the patient's choices, which permits or denies identified actors or roles decision engine to perform actions affecting adjudicate whether the patient within consent permits a given context for specific purposes and periods of time. All consent directives have given activity (e.g., sharing the patient information with a policy context, which is any set of organizational requester or jurisdictional policies which may limit enrolling the consumer’s policy choices, and which include patient in a named range of actions allowed. research project). In addition, Privacy Consent Directives provide other words, the ability for a healthcare consumer to delegate authority Consent resource is used directly to a Substitute Decision Maker who may act on behalf of record rules that individual. Alternatively, can be used by a consumer may author/publish their privacy rules engine to understand and enforce the preferences expressed by the consenter as a self-declared Privacy Consent Directive. they were intended.

The current version of the Consent resource on FHIR provides support for alternative representations two different mechanisms for expressing interoperable health information privacy consent directives in recording computable rules:

• the `provision` structure which provides a standard form simple structure for the exchange and enforcement by sending, intermediating, or receiving systems of capturing most common privacy policies that can be enforced by consuming systems (e.g., scanned documents, of computable structured entries elements, FHIR structures with optional attached, or referenced unstructured representations.) It may be used to represent rules.>
• the Privacy Consent Directive itself, a Consent Statement, `policy` attribute which electronically represents provides a Consent Directive, or Consent Metadata, which is the minimum necessary consent content derived from more flexible mechanism to reference a Consent Directive for use policy coded in workflow management. a policy language of choice (e.g., XACML , ODRL , etc.).

6.2.2 Boundaries and Relationships

Consent management - particularly privacy consent - is complicated by the fact that consent to share is often itself necessary to protect. The need to protect the privacy of the privacy statement itself competes with the execution of the consent statement. For this reason, it is common to deal with 'consent statements' that are only partial representations of the full consent statement that the patient provided.

For this reason, the consent resource contains two elements that refer back to the source: a master identifier, an inline attachment and a direct reference to content from which this Consent Statement was derived. That reference can be one of several things:

• A reference to another consent resource from which this limited statement was derived
• A reference to a document format for the original source (e.g. PDF or CDA - see the HL7 CDAR2 ConsentDirective Implementation Guide , which incorporated the IHE Basic Patient Privacy Consents (BPPC) ), either directly, or in a reference
• The source can be included in the consent as an attachment

The consent statements represent a chain that refers back to the original source consent directive. Applications may be able to follow the chain back to the source but should not generally assume that they are authorized to do this.

Consent Directives are executed by verbal acknowledge acknowledgement or by being signed - either on paper, or digitally. Consent Signatures will be found in the Provenance resource (example consent and signature ). resource. Implementation Guides will generally make rules about what signatures are required, and how they are to be shared and used.

6.2.3 Background and Context

Change to "The The Consent resource is structured with a base policy (represented as Consent.policy/Consent.policyRule) which is either opt-in permit or opt-out, deny, followed by a listing of exceptions to that policy (represented as Consent.provision(s)). The exceptions can be additional positive or negative exceptions upon the base policy. The set of exceptions include a list of data objects, list of authors, list of recipients, list of Organizations, list of purposeOfUse, and Date Range.

The enforcement of the Privacy Consent Directive is not included but is expected that enforcement can be done using a mix of the various Access Control enforcement methodologies (e.g. OAuth, UMA, XACML). This enforcement includes the details of the enforcement meaning of the elements of the Privacy Consent Directive, such as the rules in place when there is an opt-in consent would be specific about which organizational roles have access to what kinds of resources (e.g. RBAC, ABAC). The specification of these details is not in scope for the Consent resource.

• Structure
• UML
• XML
• JSON
• Turtle
• R3 Diff
• All

Structure

Name	Flags	Card.	Type	Description & Constraints
Consent	I TU		DomainResource	A healthcare consumer's or third party's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time + Rule: Either a Policy or PolicyRule + Rule: IF Scope=privacy, there must be a patient + Rule: IF Scope=research, there must be a patient + Rule: IF Scope=adr, there must be a patient + Rule: IF Scope=treatment, there must be a patient Elements defined in Ancestors: id , meta , implicitRules , language , text , contained , extension , modifierExtension
identifier	Σ	0..*	Identifier	Identifier for this record (external references)
status	?! Σ	1..1	code	draft | proposed | active | rejected | inactive | entered-in-error | unknown ConsentState ( Required )
scope category	?! Σ	1..1 0..*	CodeableConcept	Which Classification of the four areas this resource covers (extensible) consent statement - for indexing/retrieval Consent Scope Category Codes ( Extensible Example )
category subject	Σ	1..* 0..1	CodeableConcept Reference ( Patient | Practitioner | Group )	Classification of Who the consent statement - for indexing/retrieval Consent Category Codes ( Extensible ) applies to
patient dateTime	Σ	0..1	Reference ( Patient dateTime )	Who the When consent applies was agreed to
dateTime grantor	Σ	0..1 0..*	dateTime Reference ( CareTeam | HealthcareService | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole )	When this Consent was created or indexed Who is granting rights according to the policy and rules
performer grantee	Σ	0..*	Reference ( CareTeam | HealthcareService | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole )	Who is agreeing to the policy and rules
organization manager	Σ	0..*	Reference ( HealthcareService | Organization | Patient | Practitioner )	Custodian of the consent Consent workflow management
source[x] controller	Σ	0..1 0..*	Reference ( HealthcareService | Organization | Patient | Practitioner )	Source from which this consent is taken Consent Enforcer
sourceAttachment		0..*	Attachment	Source from which this consent is taken
sourceReference		0..*	Reference ( Consent | DocumentReference | Contract | QuestionnaireResponse )	Source from which this consent is taken
policy		0..*	BackboneElement	Policies covered by this consent
authority	I	0..1	uri	Enforcement source for policy
uri	I	0..1	uri	Specific policy covered by this consent
policyRule	Σ I	0..1	CodeableConcept	Regulation that this consents to Consent PolicyRule Codes ( Extensible Example )
verification	Σ	0..*	BackboneElement	Consent Verified by patient or family
verified	Σ	1..1	boolean	Has been verified
verificationType		0..1	CodeableConcept	Business case of verification Consent Vefication Codes ( Example )
verifiedBy		0..1	Reference ( Organization | Practitioner | PractitionerRole )	Person conducting verification
verifiedWith		0..1	Reference ( Patient | RelatedPerson )	Person who verified
verificationDate		0..1 0..*	dateTime	When consent verified
provision	Σ	0..1	BackboneElement	Constraints to the base Consent.policyRule Consent.policyRule/Consent.policy
type	Σ	0..1	code	deny | permit ConsentProvisionType ( Required )
period	Σ	0..1	Period	Timeframe for this rule
actor		0..*	BackboneElement	Who|what controlled by this rule (or group, by role)
role		1..1 0..1	CodeableConcept	How the actor is involved SecurityRoleType ParticipationRoleType ( Extensible )
reference		1..1 0..1	Reference ( Device | Group | CareTeam | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole )	Resource for the actor (or group, by role)
action	Σ	0..*	CodeableConcept	Actions controlled by this rule Consent Action Codes ( Example )
securityLabel	Σ	0..*	Coding	Security Labels that define affected resources SecurityLabels ( Extensible )
purpose	Σ	0..*	Coding	Context of activities covered by this rule V3 Value SetPurposeOfUse PurposeOfUse ( Extensible )
class	Σ	0..*	Coding	e.g. Resource Type, Profile, CDA, etc. Consent Content Class ( Extensible )
code	Σ	0..*	CodeableConcept	e.g. LOINC or SNOMED CT code, etc. in the content Consent Content Codes ( Example )
dataPeriod	Σ	0..1	Period	Timeframe for data controlled by this rule
data	Σ	0..*	BackboneElement	Data controlled by this rule
meaning	Σ	1..1	code	instance | related | dependents | authoredby ConsentDataMeaning ( Required )
reference	Σ	1..1	Reference ( Any )	The actual data reference
expression		0..1	Expression	A computable expression of the consent
provision		0..*	see provision	Nested Exception Rules
Documentation for this format

<

<Consent xmlns="http://hl7.org/fhir"> 

 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <identifier><!-- 0..* Identifier Identifier for this record (external references) --></identifier>
 <
 <</scope>
 <</category>
 <</patient>
 <
 <|
   </performer>
 <</organization>
 <|
   </source[x]>

 <status value="[code]"/><!-- 1..1 draft | active | inactive | entered-in-error | unknown -->
 <category><!-- 0..* CodeableConcept Classification of the consent statement - for indexing/retrieval --></category>
 <subject><!-- 0..1 Reference(Group|Patient|Practitioner) Who the consent applies to --></subject>
 <dateTime value="[dateTime]"/><!-- 0..1 When consent was agreed to -->
 <grantor><!-- 0..* Reference(CareTeam|HealthcareService|Organization|Patient|
   Practitioner|PractitionerRole|RelatedPerson) Who is granting rights according to the policy and rules --></grantor>

 <grantee><!-- 0..* Reference(CareTeam|HealthcareService|Organization|Patient|
   Practitioner|PractitionerRole|RelatedPerson) Who is agreeing to the policy and rules --></grantee>

 <manager><!-- 0..* Reference(HealthcareService|Organization|Patient|Practitioner) Consent workflow management --></manager>
 <controller><!-- 0..* Reference(HealthcareService|Organization|Patient|
   Practitioner) Consent Enforcer --></controller>

 <sourceAttachment><!-- 0..* Attachment Source from which this consent is taken --></sourceAttachment>
 <sourceReference><!-- 0..* Reference(Consent|Contract|DocumentReference|
   QuestionnaireResponse) Source from which this consent is taken --></sourceReference>
 <policy>  <!-- 0..* Policies covered by this consent -->
  <
  <

  <authority value="[uri]"/><!-- 0..1 Enforcement source for policy -->
  <uri value="[uri]"/><!-- 0..1 Specific policy covered by this consent -->

 </policy>
 <</policyRule>

 <policyRule><!-- 0..1 CodeableConcept Regulation that this consents to --></policyRule>

 <verification>  <!-- 0..* Consent Verified by patient or family -->
  <verified value="[boolean]"/><!-- 1..1 Has been verified -->
  <verificationType><!-- 0..1 CodeableConcept Business case of verification --></verificationType>
  <verifiedBy><!-- 0..1 Reference(Organization|Practitioner|PractitionerRole) Person conducting verification --></verifiedBy>

  <verifiedWith><!-- 0..1 Reference(Patient|RelatedPerson) Person who verified --></verifiedWith>
  <

  <verificationDate value="[dateTime]"/><!-- 0..* When consent verified -->

 </verification>
 <

 <provision>  <!-- 0..1 Constraints to the base Consent.policyRule/Consent.policy -->

  <type value="[code]"/><!-- 0..1 deny | permit -->
  <period><!-- 0..1 Period Timeframe for this rule --></period>
  <actor>  <!-- 0..* Who|what controlled by this rule (or group, by role) -->
   <</role>
   <|
     </reference>

   <role><!-- 0..1 CodeableConcept How the actor is involved --></role>
   <reference><!-- 0..1 Reference(CareTeam|Device|Group|Organization|Patient|
     Practitioner|PractitionerRole|RelatedPerson) Resource for the actor (or group, by role) --></reference>
  </actor>
  <action><!-- 0..* CodeableConcept Actions controlled by this rule --></action>
  <securityLabel><!-- 0..* Coding Security Labels that define affected resources --></securityLabel>
  <</purpose>

  <purpose><!-- 0..* Coding Context of activities covered by this rule  --></purpose>

  <class><!-- 0..* Coding e.g. Resource Type, Profile, CDA, etc. --></class>
  <code><!-- 0..* CodeableConcept e.g. LOINC or SNOMED CT code, etc. in the content --></code>
  <dataPeriod><!-- 0..1 Period Timeframe for data controlled by this rule --></dataPeriod>
  <data>  <!-- 0..* Data controlled by this rule -->
   <meaning value="[code]"/><!-- 1..1 instance | related | dependents | authoredby -->
   <reference><!-- 1..1 Reference(Any) The actual data reference --></reference>
  </data>
  <expression><!-- 0..1 Expression A computable expression of the consent --></expression>

  <provision><!-- 0..* Content as for Consent.provision Nested Exception Rules --></provision>
 </provision>
</Consent>

{
  "resourceType" : "",

  "resourceType" : "Consent",

  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "identifier" : [{ Identifier }], // Identifier for this record (external references)
  "
  "
  "
  "
  "
  "|
   
  "
  
  " },
  "|
    },

  "status" : "<code>", // R!  draft | active | inactive | entered-in-error | unknown
  "category" : [{ CodeableConcept }], // Classification of the consent statement - for indexing/retrieval
  "subject" : { Reference(Group|Patient|Practitioner) }, // Who the consent applies to
  "dateTime" : "<dateTime>", // When consent was agreed to
  "grantor" : [{ Reference(CareTeam|HealthcareService|Organization|Patient|
   Practitioner|PractitionerRole|RelatedPerson) }], // Who is granting rights according to the policy and rules

  "grantee" : [{ Reference(CareTeam|HealthcareService|Organization|Patient|
   Practitioner|PractitionerRole|RelatedPerson) }], // Who is agreeing to the policy and rules

  "manager" : [{ Reference(HealthcareService|Organization|Patient|Practitioner) }], // Consent workflow management
  "controller" : [{ Reference(HealthcareService|Organization|Patient|
   Practitioner) }], // Consent Enforcer

  "sourceAttachment" : [{ Attachment }], // Source from which this consent is taken
  "sourceReference" : [{ Reference(Consent|Contract|DocumentReference|
   QuestionnaireResponse) }], // Source from which this consent is taken
  "policy" : [{ // Policies covered by this consent
    "
    "

    "authority" : "<uri>", // Enforcement source for policy
    "uri" : "<uri>" // Specific policy covered by this consent

  }],
  "

  "policyRule" : { CodeableConcept }, // Regulation that this consents to

  "verification" : [{ // Consent Verified by patient or family
    "verified" : <boolean>, // R!  Has been verified
    "verificationType" : { CodeableConcept }, // Business case of verification
    "verifiedBy" : { Reference(Organization|Practitioner|PractitionerRole) }, // Person conducting verification

    "verifiedWith" : { Reference(Patient|RelatedPerson) }, // Person who verified
    "

    "verificationDate" : ["<dateTime>"] // When consent verified

  }],
  "

  "provision" : { // Constraints to the base Consent.policyRule/Consent.policy

    "type" : "<code>", // deny | permit
    "period" : { Period }, // Timeframe for this rule
    "actor" : [{ // Who|what controlled by this rule (or group, by role)
      "
      "|
     

      "role" : { CodeableConcept }, // How the actor is involved
      "reference" : { Reference(CareTeam|Device|Group|Organization|Patient|
     Practitioner|PractitionerRole|RelatedPerson) } // Resource for the actor (or group, by role)
    }],
    "action" : [{ CodeableConcept }], // Actions controlled by this rule
    "securityLabel" : [{ Coding }], // Security Labels that define affected resources
    "

    "purpose" : [{ Coding }], // Context of activities covered by this rule 

    "class" : [{ Coding }], // e.g. Resource Type, Profile, CDA, etc.
    "code" : [{ CodeableConcept }], // e.g. LOINC or SNOMED CT code, etc. in the content
    "dataPeriod" : { Period }, // Timeframe for data controlled by this rule
    "data" : [{ // Data controlled by this rule
      "meaning" : "<code>", // R!  instance | related | dependents | authoredby
      "reference" : { Reference(Any) } // R!  The actual data reference
    }],
    "expression" : { Expression }, // A computable expression of the consent

    "provision" : [{ Content as for Consent.provision }] // Nested Exception Rules
  }
}

@prefix fhir: <http://hl7.org/fhir/> .


[ a fhir:;

[ a fhir:Consent;

  fhir:nodeRole fhir:treeRoot; # if this is the parser root

  # from Resource: .id, .meta, .implicitRules, and .language
  # from DomainResource: .text, .contained, .extension, and .modifierExtension
  fhir:Consent.identifier [ Identifier ], ... ; # 0..* Identifier for this record (external references)
  fhir:
  fhir:
  fhir:
  fhir:
  fhir:
  fhir:
  fhir:
  # . One of these 2
    fhir: ]
    fhir:) ]

  fhir:Consent.status [ code ]; # 1..1 draft | active | inactive | entered-in-error | unknown
  fhir:Consent.category [ CodeableConcept ], ... ; # 0..* Classification of the consent statement - for indexing/retrieval
  fhir:Consent.subject [ Reference(Group|Patient|Practitioner) ]; # 0..1 Who the consent applies to
  fhir:Consent.dateTime [ dateTime ]; # 0..1 When consent was agreed to
  fhir:Consent.grantor [ Reference(CareTeam|HealthcareService|Organization|Patient|Practitioner|PractitionerRole|
  RelatedPerson) ], ... ; # 0..* Who is granting rights according to the policy and rules

  fhir:Consent.grantee [ Reference(CareTeam|HealthcareService|Organization|Patient|Practitioner|PractitionerRole|
  RelatedPerson) ], ... ; # 0..* Who is agreeing to the policy and rules

  fhir:Consent.manager [ Reference(HealthcareService|Organization|Patient|Practitioner) ], ... ; # 0..* Consent workflow management
  fhir:Consent.controller [ Reference(HealthcareService|Organization|Patient|Practitioner) ], ... ; # 0..* Consent Enforcer
  fhir:Consent.sourceAttachment [ Attachment ], ... ; # 0..* Source from which this consent is taken
  fhir:Consent.sourceReference [ Reference(Consent|Contract|DocumentReference|QuestionnaireResponse) ], ... ; # 0..* Source from which this consent is taken

  fhir:Consent.policy [ # 0..* Policies covered by this consent
    fhir:Consent.policy.authority [ uri ]; # 0..1 Enforcement source for policy
    fhir:Consent.policy.uri [ uri ]; # 0..1 Specific policy covered by this consent
  ], ...;
  fhir:Consent.policyRule [ CodeableConcept ]; # 0..1 Regulation that this consents to
  fhir:Consent.verification [ # 0..* Consent Verified by patient or family
    fhir:Consent.verification.verified [ boolean ]; # 1..1 Has been verified
    fhir:Consent.verification.verificationType [ CodeableConcept ]; # 0..1 Business case of verification
    fhir:Consent.verification.verifiedBy [ Reference(Organization|Practitioner|PractitionerRole) ]; # 0..1 Person conducting verification

    fhir:Consent.verification.verifiedWith [ Reference(Patient|RelatedPerson) ]; # 0..1 Person who verified
    fhir:

    fhir:Consent.verification.verificationDate [ dateTime ], ... ; # 0..* When consent verified

  ], ...;
  fhir:

  fhir:Consent.provision [ # 0..1 Constraints to the base Consent.policyRule/Consent.policy

    fhir:Consent.provision.type [ code ]; # 0..1 deny | permit
    fhir:Consent.provision.period [ Period ]; # 0..1 Timeframe for this rule
    fhir:Consent.provision.actor [ # 0..* Who|what controlled by this rule (or group, by role)
      fhir:
      fhir:|
  

      fhir:Consent.provision.actor.role [ CodeableConcept ]; # 0..1 How the actor is involved
      fhir:Consent.provision.actor.reference [ Reference(CareTeam|Device|Group|Organization|Patient|Practitioner|PractitionerRole|
  RelatedPerson) ]; # 0..1 Resource for the actor (or group, by role)
    ], ...;
    fhir:Consent.provision.action [ CodeableConcept ], ... ; # 0..* Actions controlled by this rule
    fhir:Consent.provision.securityLabel [ Coding ], ... ; # 0..* Security Labels that define affected resources
    fhir:Consent.provision.purpose [ Coding ], ... ; # 0..* Context of activities covered by this rule
    fhir:Consent.provision.class [ Coding ], ... ; # 0..* e.g. Resource Type, Profile, CDA, etc.
    fhir:Consent.provision.code [ CodeableConcept ], ... ; # 0..* e.g. LOINC or SNOMED CT code, etc. in the content
    fhir:Consent.provision.dataPeriod [ Period ]; # 0..1 Timeframe for data controlled by this rule
    fhir:Consent.provision.data [ # 0..* Data controlled by this rule
      fhir:Consent.provision.data.meaning [ code ]; # 1..1 instance | related | dependents | authoredby
      fhir:Consent.provision.data.reference [ Reference(Any) ]; # 1..1 The actual data reference
    ], ...;
    fhir:Consent.provision.expression [ Expression ]; # 0..1 A computable expression of the consent

    fhir:Consent.provision.provision [ See Consent.provision ], ... ; # 0..* Nested Exception Rules
  ];
]

Structure

Name	Flags	Card.	Type	Description & Constraints
Consent	I TU		DomainResource	A healthcare consumer's or third party's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time + Rule: Either a Policy or PolicyRule + Rule: IF Scope=privacy, there must be a patient + Rule: IF Scope=research, there must be a patient + Rule: IF Scope=adr, there must be a patient + Rule: IF Scope=treatment, there must be a patient Elements defined in Ancestors: id , meta , implicitRules , language , text , contained , extension , modifierExtension
identifier	Σ	0..*	Identifier	Identifier for this record (external references)
status	?! Σ	1..1	code	draft | proposed | active | rejected | inactive | entered-in-error | unknown ConsentState ( Required )
scope category	?! Σ	1..1 0..*	CodeableConcept	Which Classification of the four areas this resource covers (extensible) consent statement - for indexing/retrieval Consent Scope Category Codes ( Extensible Example )
category subject	Σ	1..* 0..1	CodeableConcept Reference ( Patient | Practitioner | Group )	Classification of Who the consent statement - for indexing/retrieval Consent Category Codes ( Extensible ) applies to
patient dateTime	Σ	0..1	Reference ( Patient dateTime )	Who the When consent applies was agreed to
dateTime grantor	Σ	0..1 0..*	dateTime Reference ( CareTeam | HealthcareService | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole )	When this Consent was created or indexed Who is granting rights according to the policy and rules
performer grantee	Σ	0..*	Reference ( CareTeam | HealthcareService | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole )	Who is agreeing to the policy and rules
organization manager	Σ	0..*	Reference ( HealthcareService | Organization | Patient | Practitioner )	Custodian of the consent Consent workflow management
source[x] controller	Σ	0..1 0..*	Reference ( HealthcareService | Organization | Patient | Practitioner )	Source from which this consent is taken Consent Enforcer
sourceAttachment		0..*	Attachment	Source from which this consent is taken
sourceReference		0..*	Reference ( Consent | DocumentReference | Contract | QuestionnaireResponse )	Source from which this consent is taken
policy		0..*	BackboneElement	Policies covered by this consent
authority	I	0..1	uri	Enforcement source for policy
uri	I	0..1	uri	Specific policy covered by this consent
policyRule	Σ I	0..1	CodeableConcept	Regulation that this consents to Consent PolicyRule Codes ( Extensible Example )
verification	Σ	0..*	BackboneElement	Consent Verified by patient or family
verified	Σ	1..1	boolean	Has been verified
verificationType		0..1	CodeableConcept	Business case of verification Consent Vefication Codes ( Example )
verifiedBy		0..1	Reference ( Organization | Practitioner | PractitionerRole )	Person conducting verification
verifiedWith		0..1	Reference ( Patient | RelatedPerson )	Person who verified
verificationDate		0..1 0..*	dateTime	When consent verified
provision	Σ	0..1	BackboneElement	Constraints to the base Consent.policyRule Consent.policyRule/Consent.policy
type	Σ	0..1	code	deny | permit ConsentProvisionType ( Required )
period	Σ	0..1	Period	Timeframe for this rule
actor		0..*	BackboneElement	Who|what controlled by this rule (or group, by role)
role		1..1 0..1	CodeableConcept	How the actor is involved SecurityRoleType ParticipationRoleType ( Extensible )
reference		1..1 0..1	Reference ( Device | Group | CareTeam | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole )	Resource for the actor (or group, by role)
action	Σ	0..*	CodeableConcept	Actions controlled by this rule Consent Action Codes ( Example )
securityLabel	Σ	0..*	Coding	Security Labels that define affected resources SecurityLabels ( Extensible )
purpose	Σ	0..*	Coding	Context of activities covered by this rule V3 Value SetPurposeOfUse PurposeOfUse ( Extensible )
class	Σ	0..*	Coding	e.g. Resource Type, Profile, CDA, etc. Consent Content Class ( Extensible )
code	Σ	0..*	CodeableConcept	e.g. LOINC or SNOMED CT code, etc. in the content Consent Content Codes ( Example )
dataPeriod	Σ	0..1	Period	Timeframe for data controlled by this rule
data	Σ	0..*	BackboneElement	Data controlled by this rule
meaning	Σ	1..1	code	instance | related | dependents | authoredby ConsentDataMeaning ( Required )
reference	Σ	1..1	Reference ( Any )	The actual data reference
expression		0..1	Expression	A computable expression of the consent
provision		0..*	see provision	Nested Exception Rules
Documentation for this format

UML Diagram ( Legend )

XML Template

<

<Consent xmlns="http://hl7.org/fhir"> 

 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <identifier><!-- 0..* Identifier Identifier for this record (external references) --></identifier>
 <
 <</scope>
 <</category>
 <</patient>
 <
 <|
   </performer>
 <</organization>
 <|
   </source[x]>

 <status value="[code]"/><!-- 1..1 draft | active | inactive | entered-in-error | unknown -->
 <category><!-- 0..* CodeableConcept Classification of the consent statement - for indexing/retrieval --></category>
 <subject><!-- 0..1 Reference(Group|Patient|Practitioner) Who the consent applies to --></subject>
 <dateTime value="[dateTime]"/><!-- 0..1 When consent was agreed to -->
 <grantor><!-- 0..* Reference(CareTeam|HealthcareService|Organization|Patient|
   Practitioner|PractitionerRole|RelatedPerson) Who is granting rights according to the policy and rules --></grantor>

 <grantee><!-- 0..* Reference(CareTeam|HealthcareService|Organization|Patient|
   Practitioner|PractitionerRole|RelatedPerson) Who is agreeing to the policy and rules --></grantee>

 <manager><!-- 0..* Reference(HealthcareService|Organization|Patient|Practitioner) Consent workflow management --></manager>
 <controller><!-- 0..* Reference(HealthcareService|Organization|Patient|
   Practitioner) Consent Enforcer --></controller>

 <sourceAttachment><!-- 0..* Attachment Source from which this consent is taken --></sourceAttachment>
 <sourceReference><!-- 0..* Reference(Consent|Contract|DocumentReference|
   QuestionnaireResponse) Source from which this consent is taken --></sourceReference>
 <policy>  <!-- 0..* Policies covered by this consent -->
  <
  <

  <authority value="[uri]"/><!-- 0..1 Enforcement source for policy -->
  <uri value="[uri]"/><!-- 0..1 Specific policy covered by this consent -->

 </policy>
 <</policyRule>

 <policyRule><!-- 0..1 CodeableConcept Regulation that this consents to --></policyRule>

 <verification>  <!-- 0..* Consent Verified by patient or family -->
  <verified value="[boolean]"/><!-- 1..1 Has been verified -->
  <verificationType><!-- 0..1 CodeableConcept Business case of verification --></verificationType>
  <verifiedBy><!-- 0..1 Reference(Organization|Practitioner|PractitionerRole) Person conducting verification --></verifiedBy>

  <verifiedWith><!-- 0..1 Reference(Patient|RelatedPerson) Person who verified --></verifiedWith>
  <

  <verificationDate value="[dateTime]"/><!-- 0..* When consent verified -->

 </verification>
 <

 <provision>  <!-- 0..1 Constraints to the base Consent.policyRule/Consent.policy -->

  <type value="[code]"/><!-- 0..1 deny | permit -->
  <period><!-- 0..1 Period Timeframe for this rule --></period>
  <actor>  <!-- 0..* Who|what controlled by this rule (or group, by role) -->
   <</role>
   <|
     </reference>

   <role><!-- 0..1 CodeableConcept How the actor is involved --></role>
   <reference><!-- 0..1 Reference(CareTeam|Device|Group|Organization|Patient|
     Practitioner|PractitionerRole|RelatedPerson) Resource for the actor (or group, by role) --></reference>
  </actor>
  <action><!-- 0..* CodeableConcept Actions controlled by this rule --></action>
  <securityLabel><!-- 0..* Coding Security Labels that define affected resources --></securityLabel>
  <</purpose>

  <purpose><!-- 0..* Coding Context of activities covered by this rule  --></purpose>

  <class><!-- 0..* Coding e.g. Resource Type, Profile, CDA, etc. --></class>
  <code><!-- 0..* CodeableConcept e.g. LOINC or SNOMED CT code, etc. in the content --></code>
  <dataPeriod><!-- 0..1 Period Timeframe for data controlled by this rule --></dataPeriod>
  <data>  <!-- 0..* Data controlled by this rule -->
   <meaning value="[code]"/><!-- 1..1 instance | related | dependents | authoredby -->
   <reference><!-- 1..1 Reference(Any) The actual data reference --></reference>
  </data>
  <expression><!-- 0..1 Expression A computable expression of the consent --></expression>

  <provision><!-- 0..* Content as for Consent.provision Nested Exception Rules --></provision>
 </provision>
</Consent>

JSON Template

{
  "resourceType" : "",

  "resourceType" : "Consent",

  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "identifier" : [{ Identifier }], // Identifier for this record (external references)
  "
  "
  "
  "
  "
  "|
   
  "
  
  " },
  "|
    },

  "status" : "<code>", // R!  draft | active | inactive | entered-in-error | unknown
  "category" : [{ CodeableConcept }], // Classification of the consent statement - for indexing/retrieval
  "subject" : { Reference(Group|Patient|Practitioner) }, // Who the consent applies to
  "dateTime" : "<dateTime>", // When consent was agreed to
  "grantor" : [{ Reference(CareTeam|HealthcareService|Organization|Patient|
   Practitioner|PractitionerRole|RelatedPerson) }], // Who is granting rights according to the policy and rules

  "grantee" : [{ Reference(CareTeam|HealthcareService|Organization|Patient|
   Practitioner|PractitionerRole|RelatedPerson) }], // Who is agreeing to the policy and rules

  "manager" : [{ Reference(HealthcareService|Organization|Patient|Practitioner) }], // Consent workflow management
  "controller" : [{ Reference(HealthcareService|Organization|Patient|
   Practitioner) }], // Consent Enforcer

  "sourceAttachment" : [{ Attachment }], // Source from which this consent is taken
  "sourceReference" : [{ Reference(Consent|Contract|DocumentReference|
   QuestionnaireResponse) }], // Source from which this consent is taken
  "policy" : [{ // Policies covered by this consent
    "
    "

    "authority" : "<uri>", // Enforcement source for policy
    "uri" : "<uri>" // Specific policy covered by this consent

  }],
  "

  "policyRule" : { CodeableConcept }, // Regulation that this consents to

  "verification" : [{ // Consent Verified by patient or family
    "verified" : <boolean>, // R!  Has been verified
    "verificationType" : { CodeableConcept }, // Business case of verification
    "verifiedBy" : { Reference(Organization|Practitioner|PractitionerRole) }, // Person conducting verification

    "verifiedWith" : { Reference(Patient|RelatedPerson) }, // Person who verified
    "

    "verificationDate" : ["<dateTime>"] // When consent verified

  }],
  "

  "provision" : { // Constraints to the base Consent.policyRule/Consent.policy

    "type" : "<code>", // deny | permit
    "period" : { Period }, // Timeframe for this rule
    "actor" : [{ // Who|what controlled by this rule (or group, by role)
      "
      "|
     

      "role" : { CodeableConcept }, // How the actor is involved
      "reference" : { Reference(CareTeam|Device|Group|Organization|Patient|
     Practitioner|PractitionerRole|RelatedPerson) } // Resource for the actor (or group, by role)
    }],
    "action" : [{ CodeableConcept }], // Actions controlled by this rule
    "securityLabel" : [{ Coding }], // Security Labels that define affected resources
    "

    "purpose" : [{ Coding }], // Context of activities covered by this rule 

    "class" : [{ Coding }], // e.g. Resource Type, Profile, CDA, etc.
    "code" : [{ CodeableConcept }], // e.g. LOINC or SNOMED CT code, etc. in the content
    "dataPeriod" : { Period }, // Timeframe for data controlled by this rule
    "data" : [{ // Data controlled by this rule
      "meaning" : "<code>", // R!  instance | related | dependents | authoredby
      "reference" : { Reference(Any) } // R!  The actual data reference
    }],
    "expression" : { Expression }, // A computable expression of the consent

    "provision" : [{ Content as for Consent.provision }] // Nested Exception Rules
  }
}

Turtle Template

@prefix fhir: <http://hl7.org/fhir/> .


[ a fhir:;

[ a fhir:Consent;

  fhir:nodeRole fhir:treeRoot; # if this is the parser root

  # from Resource: .id, .meta, .implicitRules, and .language
  # from DomainResource: .text, .contained, .extension, and .modifierExtension
  fhir:Consent.identifier [ Identifier ], ... ; # 0..* Identifier for this record (external references)
  fhir:
  fhir:
  fhir:
  fhir:
  fhir:
  fhir:
  fhir:
  # . One of these 2
    fhir: ]
    fhir:) ]

  fhir:Consent.status [ code ]; # 1..1 draft | active | inactive | entered-in-error | unknown
  fhir:Consent.category [ CodeableConcept ], ... ; # 0..* Classification of the consent statement - for indexing/retrieval
  fhir:Consent.subject [ Reference(Group|Patient|Practitioner) ]; # 0..1 Who the consent applies to
  fhir:Consent.dateTime [ dateTime ]; # 0..1 When consent was agreed to
  fhir:Consent.grantor [ Reference(CareTeam|HealthcareService|Organization|Patient|Practitioner|PractitionerRole|
  RelatedPerson) ], ... ; # 0..* Who is granting rights according to the policy and rules

  fhir:Consent.grantee [ Reference(CareTeam|HealthcareService|Organization|Patient|Practitioner|PractitionerRole|
  RelatedPerson) ], ... ; # 0..* Who is agreeing to the policy and rules

  fhir:Consent.manager [ Reference(HealthcareService|Organization|Patient|Practitioner) ], ... ; # 0..* Consent workflow management
  fhir:Consent.controller [ Reference(HealthcareService|Organization|Patient|Practitioner) ], ... ; # 0..* Consent Enforcer
  fhir:Consent.sourceAttachment [ Attachment ], ... ; # 0..* Source from which this consent is taken
  fhir:Consent.sourceReference [ Reference(Consent|Contract|DocumentReference|QuestionnaireResponse) ], ... ; # 0..* Source from which this consent is taken

  fhir:Consent.policy [ # 0..* Policies covered by this consent
    fhir:Consent.policy.authority [ uri ]; # 0..1 Enforcement source for policy
    fhir:Consent.policy.uri [ uri ]; # 0..1 Specific policy covered by this consent
  ], ...;
  fhir:Consent.policyRule [ CodeableConcept ]; # 0..1 Regulation that this consents to
  fhir:Consent.verification [ # 0..* Consent Verified by patient or family
    fhir:Consent.verification.verified [ boolean ]; # 1..1 Has been verified
    fhir:Consent.verification.verificationType [ CodeableConcept ]; # 0..1 Business case of verification
    fhir:Consent.verification.verifiedBy [ Reference(Organization|Practitioner|PractitionerRole) ]; # 0..1 Person conducting verification

    fhir:Consent.verification.verifiedWith [ Reference(Patient|RelatedPerson) ]; # 0..1 Person who verified
    fhir:

    fhir:Consent.verification.verificationDate [ dateTime ], ... ; # 0..* When consent verified

  ], ...;
  fhir:

  fhir:Consent.provision [ # 0..1 Constraints to the base Consent.policyRule/Consent.policy

    fhir:Consent.provision.type [ code ]; # 0..1 deny | permit
    fhir:Consent.provision.period [ Period ]; # 0..1 Timeframe for this rule
    fhir:Consent.provision.actor [ # 0..* Who|what controlled by this rule (or group, by role)
      fhir:
      fhir:|
  

      fhir:Consent.provision.actor.role [ CodeableConcept ]; # 0..1 How the actor is involved
      fhir:Consent.provision.actor.reference [ Reference(CareTeam|Device|Group|Organization|Patient|Practitioner|PractitionerRole|
  RelatedPerson) ]; # 0..1 Resource for the actor (or group, by role)
    ], ...;
    fhir:Consent.provision.action [ CodeableConcept ], ... ; # 0..* Actions controlled by this rule
    fhir:Consent.provision.securityLabel [ Coding ], ... ; # 0..* Security Labels that define affected resources
    fhir:Consent.provision.purpose [ Coding ], ... ; # 0..* Context of activities covered by this rule
    fhir:Consent.provision.class [ Coding ], ... ; # 0..* e.g. Resource Type, Profile, CDA, etc.
    fhir:Consent.provision.code [ CodeableConcept ], ... ; # 0..* e.g. LOINC or SNOMED CT code, etc. in the content
    fhir:Consent.provision.dataPeriod [ Period ]; # 0..1 Timeframe for data controlled by this rule
    fhir:Consent.provision.data [ # 0..* Data controlled by this rule
      fhir:Consent.provision.data.meaning [ code ]; # 1..1 instance | related | dependents | authoredby
      fhir:Consent.provision.data.reference [ Reference(Any) ]; # 1..1 The actual data reference
    ], ...;
    fhir:Consent.provision.expression [ Expression ]; # 0..1 A computable expression of the consent

    fhir:Consent.provision.provision [ See Consent.provision ], ... ; # 0..* Nested Exception Rules
  ];
]

Changes since Release 3

Consent
Consent.identifier Max Cardinality changed from 1 to * Consent.status	Change value set from http://hl7.org/fhir/ValueSet/consent-state-codes http://hl7.org/fhir/ValueSet/consent-state-codes|4.0.0 to http://hl7.org/fhir/ValueSet/consent-state-codes|4.0.1 Consent.scope Added Mandatory Element http://hl7.org/fhir/ValueSet/consent-state-codes|5.0.0-snapshot1
Consent.category	Min Cardinality changed from 0 to 1 Add Binding http://hl7.org/fhir/ValueSet/consent-category (extensible) Consent.patient Min Cardinality changed from 1 to 0 Consent.performer Added Element Consent.source[x] Remove Type Identifier Consent.policyRule Type changed from uri to CodeableConcept Add Binding http://hl7.org/fhir/ValueSet/consent-policy http://hl7.org/fhir/ValueSet/consent-category (extensible)
Consent.verification Added Element Consent.verification.verified Consent.subject	Added Mandatory Element
Consent.verification.verifiedWith Consent.grantor	Added Element
Consent.verification.verificationDate Consent.grantee	Added Element
Consent.provision Consent.manager	Added Element
Consent.provision.type Consent.controller	Added Element
Consent.provision.period Consent.sourceAttachment	Added Element
Consent.provision.actor Consent.sourceReference	Added Element
Consent.provision.actor.role Consent.policyRule	Added Mandatory Element Remove Binding http://hl7.org/fhir/ValueSet/consent-policy (extensible)
Consent.provision.actor.reference Consent.verification.verificationType	Added Mandatory Element
Consent.provision.action Consent.verification.verifiedBy	Added Element
Consent.provision.securityLabel Consent.verification.verificationDate	Added Element Max Cardinality changed from 1 to *
Consent.provision.purpose Consent.provision.type	Added Element Change value set from http://hl7.org/fhir/ValueSet/consent-provision-type|4.0.0 to http://hl7.org/fhir/ValueSet/consent-provision-type|5.0.0-snapshot1
Consent.provision.class Consent.provision.actor.role	Added Element Min Cardinality changed from 1 to 0 Consent.provision.code Added Element Consent.provision.dataPeriod Added Element Change value set from http://hl7.org/fhir/ValueSet/security-role-type to http://hl7.org/fhir/ValueSet/participation-role-type
Consent.provision.data Consent.provision.actor.reference	Added Element Min Cardinality changed from 1 to 0
Consent.provision.data.meaning	Added Mandatory Element Consent.provision.data.reference Added Mandatory Element Change value set from http://hl7.org/fhir/ValueSet/consent-data-meaning|4.0.0 to http://hl7.org/fhir/ValueSet/consent-data-meaning|5.0.0-snapshot1
Consent.provision.provision Consent.provision.expression	Added Element
Consent.period deleted Consent.consentingParty deleted Consent.actor deleted Consent.action deleted Consent.securityLabel Consent.scope	deleted
Consent.purpose Consent.patient	deleted
Consent.dataPeriod Consent.performer	deleted
Consent.data Consent.organization	deleted
Consent.except Consent.source[x]	deleted

See the Full Difference for further information

This analysis is available as XML or JSON .

See R3 <--> R4 Conversion Maps (status = 12 tests that all execute ok. All tests pass round-trip testing and 12 r3 resources are invalid (0 errors). )