Current Build

6.2 Resource Consent - Content

Community Based Collaborative Care Work GroupMaturity Level: 1 Trial UseCompartments: Patient

A record of a healthcare consumer’s policy choices, which permits or denies identified recipient(s) or recipient role(s) to perform one or more actions within a given policy context, for specific purposes and periods of time.

The purpose of this Resource is to be used to express a Consent regarding Healthcare. There are four anticipated uses for the Consent Resource, all of which are written or verbal agreements by a healthcare consumer [grantor] or a personal representative, made to an authorized entity [grantee] concerning authorized or restricted actions with any limitations on purpose of use, and handling instructions to which the authorized entity must comply:

  • Privacy Consent Directive: Agreement to collect, access, use or disclose (share) information.
  • Medical Treatment Consent Directive: Consent to undergo a specific treatment (or record of refusal to consent).
  • Research Consent Directive: Consent to participate in research protocol and information sharing required.
  • Advance Care Directives: Consent to instructions for potentially needed medical treatment (e.g. DNR).

This resource is scoped to cover all four uses, but at this time, only the privacy use case is modeled. The scope of the resource may change when the other possible scopes are investigated, tested, or profiled.

A FHIR Consent Directive instance is considered the encoded legally binding Consent Directive if it meets requirements of a policy domain requirements for an enforceable contract. In some domains, electronic signatures of one or both of the parties to the content of an encoded representation of a Consent Form is deemed to constitute a legally binding Consent Directive. Some domains accept a notary’s electronic signature over the wet or electronic signature of a party to the Consent Directive as the additional identity proofing required to make an encoded Consent Directive legally binding. Other domains may only accept a wet signature, or may not require the parties’ signatures at all.

Whatever the criteria are for making an encoded FHIR Consent Directive legally binding, anything less than a legally binding representation of a Consent Directive must be identified as such, i.e., as a derivative of the legally binding Consent Directive, which has specific usage in Consent Directive workflow management.

Definitions:

ConsentThe record of a healthcare consumer’s policy choices, which permits or denies identified recipient(s) or recipient role(s) to perform one or more actions within a given policy context, for specific purposes and periods of time
Consent DirectiveThe legal record of a healthcare consumer's agreement with a party responsible for enforcing the consumer’s choices, which permits or denies identified actors or roles to perform actions affecting the consumer within a given context for specific purposes and periods of time
Consent FormHuman readable consent content describing one or more actions impacting the grantor for which the grantee would be authorized or prohibited from performing. It includes the terms, rules, and conditions pertaining to the authorization or restrictions, such as effective time, applicability or scope, purposes of use, obligations and prohibitions to which the grantee must comply. Once a Consent Form is “executed” by means required by policy, such as verbal agreement, wet signature, or electronic/digital signature, it becomes a legally binding Consent Directive.
Consent Directive DerivativeConsent Content that conveys the minimal set of information needed to manage Consent Directive workflow, including providing Consent Directive content sufficient to:
  • Represent a Consent Directive
  • Register or index a Consent Directive
  • Query and respond about a Consent Directive
  • Retrieve a Consent Directive
  • Notify authorized entities about Consent Directive status changes
  • Determine entities authorized to collect, access, use or disclose information about the Consent Directive or about the information governed by the Consent Directive.

Derived Consent content includes the Security Labels encoding the applicable privacy and security policies. Consent Security Labels inform recipients about specific access control measures required for compliance.

Consent StatementA Consent Directive derivative has less than full fidelity to the legally binding Consent Directive from which it was "transcribed". It provides recipients with the full content representation they may require for compliance purposes, and typically include a reference to or an attached unstructured representation for recipients needing an exact copy of the legal agreement.
Consent RegistrationThe legal record of a healthcare consumer's agreement with a party responsible for enforcing the consumer’s choices, which permits or denies identified actors or roles to perform actions affecting the consumer within a given context for specific purposes and periods of timeA Consent Directive derivative that conveys the minimal set of information needed to register an active and revoked Consent Directive, or to update Consent status as it changes during its lifecycle.
Consent Query/Response TypesThe FHIR Consent Resource specifies multiple Consent Search parameters, which support many types of queries for Consent Resource content. There are several Query/Response patterns that are typically used for obtaining information about consent directive content for the following use cases:
  • Find Active Consent Directive: A query that includes sufficient consent directive content to determine whether a specific party is authorized to share information governed by a consent directive with another specific party. The Response is either:
    • “Yes” meaning that both parties are authorized to share the information with one another.
    • “No” meaning that the authorized querier is not permitted to share with another specific party
    • “No information found” meaning that there is no active Consent Directive in which the querier is authorized to share the governed information.
  • Find Consent Directive Authorized Entities: A query that includes sufficient consent directive content to return a list of entities with which the querier is authorized to share governed information. The response to an authorized querier is the list of any authorized entities with which the querier is permitted to share governed information. The response to an unauthorized querier is that “no information is found”.
  • Find Consent Directive(s): A query that includes sufficient consent directive content to return a list of Consent Directive metadata for an authorized querier to determine what Consent Directives are available, and to locate and retrieve one or more of those Consent Directives as needed.
Policy contextAny organizational or jurisdictional policies, which may limit the consumer’s policy choices, and which includes the named range of actions allowed
Healthcare ConsumerThe individual establishing his/her personal consent (i.e. Consenter). In FHIR, this is referred to as the 'Patient' though this word is not used across all contexts of care

Privacy policies define how Individually Identifiable Health Information (IIHI) is to be collected, accessed, used and disclosed. A Privacy Consent Directive as a legal record of a patient's (e.g. a healthcare consumer) agreement with a party responsible for enforcing the patient's choices, which permits or denies identified actors or roles to perform actions affecting the patient within a given context for specific purposes and periods of time. All consent directives have a policy context, which is any set of organizational or jurisdictional policies which may limit the consumer’s policy choices, and which include a named range of actions allowed. In addition, Privacy Consent Directives provide the ability for a healthcare consumer to delegate authority to a Substitute Decision Maker who may act on behalf of that individual. Alternatively, a consumer may author/publish their privacy preferences as a self-declared Privacy Consent Directive.

The Consent resource on FHIR provides support for alternative representations for expressing interoperable health information privacy consent directives in a standard form for the exchange and enforcement by sending, intermediating, or receiving systems of privacy policies that can be enforced by consuming systems (e.g., scanned documents, of computable structured entries elements, FHIR structures with optional attached, or referenced unstructured representations.) It may be used to represent the Privacy Consent Directive itself, a Consent Statement, which electronically represents a Consent Directive, or Consent Metadata, which is the minimum necessary consent content derived from a Consent Directive for use in workflow management.

Consent management - particularly privacy consent - is complicated by the fact that consent to share is often itself necessary to protect. The need to protect the privacy of the privacy statement itself competes with the execution of the consent statement. For this reason, it is common to deal with 'consent statements' that are only partial representations of the full consent statement that the patient provided.

For this reason, the consent resource contains two elements that refer back to the source: a master identifier, and a direct reference to content from which this Consent Statement was derived. That reference can be one of several things:

The consent statements represent a chain that refers back to the original source consent directive. Applications may be able to follow the chain back to the source, but should not generally assume that they are authorized to do this.

Consent Directives are executed by verbal acknowledge or by being signed - either on paper, or digitally. Consent Signatures will be found in the Provenance resource (example consent and signature). Implementation Guides will generally make rules about what signatures are required, and how they are to be shared and used.

The Consent resource is structured with a base policy which is either opt-in or opt-out, followed by a listing of exceptions to that policy. The exceptions can be additional positive or negative exceptions upon the base policy. The set of exceptions include a list of data objects, list of authors, list of recipients, list of Organizations, list of purposeOfUse, and Date Range.

The enforcement of the Privacy Consent Directive is not included, but is expected that enforcement can be done using a mix of the various Access Control enforcement methodologies (e.g. OAuth, UMA, XACML). This enforcement includes the details of the enforcement meaning of the elements of the Privacy Consent Directive, such as the rules in place when there is an opt-in consent would be specific about which organizational roles have access to what kinds of resources (e.g. RBAC, ABAC). The specification of these details are not in scope for the Consent resource.

This resource is referenced by researchsubject

Structure

NameFlagsCard.TypeDescription & Constraintsdoco
.. Consent IDomainResourceA healthcare consumer's policy choices to permits or denies recipients or roles to perform actions for specific purposes and periods of time
+ Either a Policy or PolicyRule
Elements defined in Ancestors: id, meta, implicitRules, language, text, contained, extension, modifierExtension
... identifier Σ0..1IdentifierIdentifier for this record (external references)
... status ?!Σ1..1codedraft | proposed | active | rejected | inactive | entered-in-error
ConsentState (Required)
... category Σ0..*CodeableConceptClassification of the consent statement - for indexing/retrieval
Consent Category Codes (Example)
... patient Σ1..1Reference(Patient)Who the consent applies to
... period Σ0..1PeriodPeriod that this consent applies
... dateTime Σ0..1dateTimeWhen this Consent was created or indexed
... consentingParty Σ0..*Reference(Organization | Patient | Practitioner | RelatedPerson)Who is agreeing to the policy and exceptions
... actor Σ0..*BackboneElementWho|what controlled by this consent (or group, by role)
.... role 1..1CodeableConceptHow the actor is involved
SecurityRoleType (Extensible)
.... reference 1..1Reference(Device | Group | CareTeam | Organization | Patient | Practitioner | RelatedPerson)Resource for the actor (or group, by role)
... action Σ0..*CodeableConceptActions controlled by this consent
Consent Action Codes (Example)
... organization Σ0..*Reference(Organization)Custodian of the consent
... source[x] Σ0..1Source from which this consent is taken
.... sourceAttachmentAttachment
.... sourceIdentifierIdentifier
.... sourceReferenceReference(Consent | DocumentReference | Contract | QuestionnaireResponse)
... policy 0..*BackboneElementPolicies covered by this consent
.... authority I0..1uriEnforcement source for policy
.... uri I0..1uriSpecific policy covered by this consent
... policyRule ΣI0..1uriPolicy that this consents to
... securityLabel Σ0..*CodingSecurity Labels that define affected resources
All Security Labels (Extensible)
... purpose Σ0..*CodingContext of activities for which the agreement is made
PurposeOfUse (Extensible)
... dataPeriod Σ0..1PeriodTimeframe for data controlled by this consent
... data Σ0..*BackboneElementData controlled by this consent
.... meaning Σ1..1codeinstance | related | dependents | authoredby
ConsentDataMeaning (Required)
.... reference Σ1..1Reference(Any)The actual data reference
... except Σ0..*BackboneElementAdditional rule - addition or removal of permissions
.... type Σ1..1codedeny | permit
ConsentExceptType (Required)
.... period Σ0..1PeriodTimeframe for this exception
.... actor Σ0..*BackboneElementWho|what controlled by this exception (or group, by role)
..... role 1..1CodeableConceptHow the actor is involved
SecurityRoleType (Extensible)
..... reference 1..1Reference(Device | Group | CareTeam | Organization | Patient | Practitioner | RelatedPerson)Resource for the actor (or group, by role)
.... action Σ0..*CodeableConceptActions controlled by this exception
Consent Action Codes (Example)
.... securityLabel Σ0..*CodingSecurity Labels that define affected resources
All Security Labels (Extensible)
.... purpose Σ0..*CodingContext of activities covered by this exception
PurposeOfUse (Extensible)
.... class Σ0..*Codinge.g. Resource Type, Profile, or CDA etc
Consent Content Class (Extensible)
.... code Σ0..*Codinge.g. LOINC or SNOMED CT code, etc in the content
Consent Content Codes (Example)
.... dataPeriod Σ0..1PeriodTimeframe for data controlled by this exception
.... data Σ0..*BackboneElementData controlled by this exception
..... meaning Σ1..1codeinstance | related | dependents | authoredby
ConsentDataMeaning (Required)
..... reference Σ1..1Reference(Any)The actual data reference

doco Documentation for this format

UML Diagram (Legend)

Consent (DomainResource)Unique identifier for this copy of the Consent Statementidentifier : Identifier [0..1]Indicates the current state of this consent (this element modifies the meaning of other elements)status : code [1..1] Indicates the state of the consent (Strength=Required)ConsentState! A classification of the type of consents found in the statement. This element supports indexing and retrieval of consent statementscategory : CodeableConcept [0..*] A classification of the type of consents found in a consent statement (Strength=Example)Consent Category ?? The patient/healthcare consumer to whom this consent appliespatient : Reference [1..1] Patient Relevant time or time-period when this Consent is applicableperiod : Period [0..1]When this Consent was issued / created / indexeddateTime : dateTime [0..1]Either the Grantor, which is the entity responsible for granting the rights listed in a Consent Directive or the Grantee, which is the entity responsible for complying with the Consent Directive, including any obligations or limitations on authorizations and enforcement of prohibitionsconsentingParty : Reference [0..*] Organization|Patient| Practitioner|RelatedPerson Actions controlled by this consentaction : CodeableConcept [0..*] Detailed codes for the consent action. (Strength=Example)Consent Action ?? The organization that manages the consent, and the framework within which it is executedorganization : Reference [0..*] Organization The source on which this consent statement is based. The source might be a scanned original paper form, or a reference to a consent that links back to such a source, a reference to a document repository (e.g. XDS) that stores the original consent documentsource[x] : Type [0..1] Attachment|Identifier|Reference(Consent| DocumentReference|Contract|QuestionnaireResponse) A referece to the specific computable policypolicyRule : uri [0..1]A set of security labels that define which resources are controlled by this consent. If more than one label is specified, all resources must have all the specified labelssecurityLabel : Coding [0..*] Security Labels from the Healthcare Privacy and Security Classification System. (Strength=Extensible)All Security Labels+ The context of the activities a user is taking - why the user is accessing the data - that are controlled by this consentpurpose : Coding [0..*] What purposes of use are controlled by this exception. If more than one label is specified, operations must have all the specified labels (Strength=Extensible)PurposeOfUse+ Clinical or Operational Relevant period of time that bounds the data controlled by this consentdataPeriod : Period [0..1]ActorHow the individual is involved in the resources content that is described in the consentrole : CodeableConcept [1..1] How an actor is involved in the consent considerations (Strength=Extensible)SecurityRoleType+ The resource that identifies the actor. To identify a actors by type, use group to identify a set of actors by some property they share (e.g. 'admitting officers')reference : Reference [1..1] Device|Group|CareTeam|Organization| Patient|Practitioner|RelatedPerson PolicyEntity or Organization having regulatory jurisdiction or accountability for enforcing policies pertaining to Consent Directivesauthority : uri [0..1]The references to the policies that are included in this consent scope. Policies may be organizational, but are often defined jurisdictionally, or in lawuri : uri [0..1]DataHow the resource reference is interpreted when testing consent restrictionsmeaning : code [1..1] How a resource reference is interpreted when testing consent restrictions (Strength=Required)ConsentDataMeaning! A reference to a specific resource that defines which resources are covered by this consentreference : Reference [1..1] Any ExceptAction to take - permit or deny - when the exception conditions are mettype : code [1..1] How an exception statement is applied, such as adding additional consent or removing consent (Strength=Required)ConsentExceptType! The timeframe in this exception is validperiod : Period [0..1]Actions controlled by this Exceptionaction : CodeableConcept [0..*] Detailed codes for the consent action. (Strength=Example)Consent Action ?? A set of security labels that define which resources are controlled by this exception. If more than one label is specified, all resources must have all the specified labelssecurityLabel : Coding [0..*] Security Labels from the Healthcare Privacy and Security Classification System. (Strength=Extensible)All Security Labels+ The context of the activities a user is taking - why the user is accessing the data - that are controlled by this exceptionpurpose : Coding [0..*] What purposes of use are controlled by this exception. If more than one label is specified, operations must have all the specified labels (Strength=Extensible)PurposeOfUse+ The class of information covered by this exception. The type can be a FHIR resource type, a profile on a type, or a CDA document, or some other type that indicates what sort of information the consent relates toclass : Coding [0..*] The class (type) of information a consent rule covers (Strength=Extensible)Consent Content Class+ If this code is found in an instance, then the exception appliescode : Coding [0..*] If this code is found in an instance, then the exception applies (Strength=Example)Consent Content ?? Clinical or Operational Relevant period of time that bounds the data controlled by this exceptiondataPeriod : Period [0..1]ExceptActorHow the individual is involved in the resources content that is described in the exceptionrole : CodeableConcept [1..1] How an actor is involved in the consent considerations (Strength=Extensible)SecurityRoleType+ The resource that identifies the actor. To identify a actors by type, use group to identify a set of actors by some property they share (e.g. 'admitting officers')reference : Reference [1..1] Device|Group|CareTeam|Organization| Patient|Practitioner|RelatedPerson ExceptDataHow the resource reference is interpreted when testing consent restrictionsmeaning : code [1..1] How a resource reference is interpreted when testing consent restrictions (Strength=Required)ConsentDataMeaning! A reference to a specific resource that defines which resources are covered by this consentreference : Reference [1..1] Any Who or what is controlled by this consent. Use group to identify a set of actors by some property they share (e.g. 'admitting officers')actor[0..*]The references to the policies that are included in this consent scope. Policies may be organizational, but are often defined jurisdictionally, or in lawpolicy[0..*]The resources controlled by this consent, if specific resources are referenceddata[0..*]Who or what is controlled by this Exception. Use group to identify a set of actors by some property they share (e.g. 'admitting officers')actor[0..*]The resources controlled by this exception, if specific resources are referenceddata[0..*]An exception to the base policy of this consent. An exception can be an addition or removal of access permissionsexcept[0..*]

XML Template

<Consent xmlns="http://hl7.org/fhir"> doco
 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <identifier><!-- 0..1 Identifier Identifier for this record (external references) --></identifier>
 <status value="[code]"/><!-- 1..1 draft | proposed | active | rejected | inactive | entered-in-error -->
 <category><!-- 0..* CodeableConcept Classification of the consent statement - for indexing/retrieval --></category>
 <patient><!-- 1..1 Reference(Patient) Who the consent applies to --></patient>
 <period><!-- 0..1 Period Period that this consent applies --></period>
 <dateTime value="[dateTime]"/><!-- 0..1 When this Consent was created or indexed -->
 <consentingParty><!-- 0..* Reference(Organization|Patient|Practitioner|
   RelatedPerson) Who is agreeing to the policy and exceptions --></consentingParty>
 <actor>  <!-- 0..* Who|what controlled by this consent (or group, by role) -->
  <role><!-- 1..1 CodeableConcept How the actor is involved --></role>
  <reference><!-- 1..1 Reference(Device|Group|CareTeam|Organization|Patient|
    Practitioner|RelatedPerson) Resource for the actor (or group, by role) --></reference>
 </actor>
 <action><!-- 0..* CodeableConcept Actions controlled by this consent --></action>
 <organization><!-- 0..* Reference(Organization) Custodian of the consent --></organization>
 <source[x]><!-- 0..1 Attachment|Identifier|Reference(Consent|DocumentReference|
   Contract|QuestionnaireResponse) Source from which this consent is taken --></source[x]>
 <policy>  <!-- 0..* Policies covered by this consent -->
  <authority value="[uri]"/><!-- ?? 0..1 Enforcement source for policy -->
  <uri value="[uri]"/><!-- ?? 0..1 Specific policy covered by this consent -->
 </policy>
 <policyRule value="[uri]"/><!-- ?? 0..1 Policy that this consents to -->
 <securityLabel><!-- 0..* Coding Security Labels that define affected resources --></securityLabel>
 <purpose><!-- 0..* Coding Context of activities for which the agreement is made --></purpose>
 <dataPeriod><!-- 0..1 Period Timeframe for data controlled by this consent --></dataPeriod>
 <data>  <!-- 0..* Data controlled by this consent -->
  <meaning value="[code]"/><!-- 1..1 instance | related | dependents | authoredby -->
  <reference><!-- 1..1 Reference(Any) The actual data reference --></reference>
 </data>
 <except>  <!-- 0..* Additional rule -  addition or removal of permissions -->
  <type value="[code]"/><!-- 1..1 deny | permit -->
  <period><!-- 0..1 Period Timeframe for this exception --></period>
  <actor>  <!-- 0..* Who|what controlled by this exception (or group, by role) -->
   <role><!-- 1..1 CodeableConcept How the actor is involved --></role>
   <reference><!-- 1..1 Reference(Device|Group|CareTeam|Organization|Patient|
     Practitioner|RelatedPerson) Resource for the actor (or group, by role) --></reference>
  </actor>
  <action><!-- 0..* CodeableConcept Actions controlled by this exception --></action>
  <securityLabel><!-- 0..* Coding Security Labels that define affected resources --></securityLabel>
  <purpose><!-- 0..* Coding Context of activities covered by this exception --></purpose>
  <class><!-- 0..* Coding e.g. Resource Type, Profile, or CDA etc --></class>
  <code><!-- 0..* Coding e.g. LOINC or SNOMED CT code, etc in the content --></code>
  <dataPeriod><!-- 0..1 Period Timeframe for data controlled by this exception --></dataPeriod>
  <data>  <!-- 0..* Data controlled by this exception -->
   <meaning value="[code]"/><!-- 1..1 instance | related | dependents | authoredby -->
   <reference><!-- 1..1 Reference(Any) The actual data reference --></reference>
  </data>
 </except>
</Consent>

JSON Template

{doco
  "resourceType" : "Consent",
  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "identifier" : { Identifier }, // Identifier for this record (external references)
  "status" : "<code>", // R!  draft | proposed | active | rejected | inactive | entered-in-error
  "category" : [{ CodeableConcept }], // Classification of the consent statement - for indexing/retrieval
  "patient" : { Reference(Patient) }, // R!  Who the consent applies to
  "period" : { Period }, // Period that this consent applies
  "dateTime" : "<dateTime>", // When this Consent was created or indexed
  "consentingParty" : [{ Reference(Organization|Patient|Practitioner|
   RelatedPerson) }], // Who is agreeing to the policy and exceptions
  "actor" : [{ // Who|what controlled by this consent (or group, by role)
    "role" : { CodeableConcept }, // R!  How the actor is involved
    "reference" : { Reference(Device|Group|CareTeam|Organization|Patient|
    Practitioner|RelatedPerson) } // R!  Resource for the actor (or group, by role)
  }],
  "action" : [{ CodeableConcept }], // Actions controlled by this consent
  "organization" : [{ Reference(Organization) }], // Custodian of the consent
  // source[x]: Source from which this consent is taken. One of these 3:
  "sourceAttachment" : { Attachment },
  "sourceIdentifier" : { Identifier },
  "sourceReference" : { Reference(Consent|DocumentReference|Contract|
   QuestionnaireResponse) },
  "policy" : [{ // Policies covered by this consent
    "authority" : "<uri>", // C? Enforcement source for policy
    "uri" : "<uri>" // C? Specific policy covered by this consent
  }],
  "policyRule" : "<uri>", // C? Policy that this consents to
  "securityLabel" : [{ Coding }], // Security Labels that define affected resources
  "purpose" : [{ Coding }], // Context of activities for which the agreement is made
  "dataPeriod" : { Period }, // Timeframe for data controlled by this consent
  "data" : [{ // Data controlled by this consent
    "meaning" : "<code>", // R!  instance | related | dependents | authoredby
    "reference" : { Reference(Any) } // R!  The actual data reference
  }],
  "except" : [{ // Additional rule -  addition or removal of permissions
    "type" : "<code>", // R!  deny | permit
    "period" : { Period }, // Timeframe for this exception
    "actor" : [{ // Who|what controlled by this exception (or group, by role)
      "role" : { CodeableConcept }, // R!  How the actor is involved
      "reference" : { Reference(Device|Group|CareTeam|Organization|Patient|
     Practitioner|RelatedPerson) } // R!  Resource for the actor (or group, by role)
    }],
    "action" : [{ CodeableConcept }], // Actions controlled by this exception
    "securityLabel" : [{ Coding }], // Security Labels that define affected resources
    "purpose" : [{ Coding }], // Context of activities covered by this exception
    "class" : [{ Coding }], // e.g. Resource Type, Profile, or CDA etc
    "code" : [{ Coding }], // e.g. LOINC or SNOMED CT code, etc in the content
    "dataPeriod" : { Period }, // Timeframe for data controlled by this exception
    "data" : [{ // Data controlled by this exception
      "meaning" : "<code>", // R!  instance | related | dependents | authoredby
      "reference" : { Reference(Any) } // R!  The actual data reference
    }]
  }]
}

Turtle Template

@prefix fhir: <http://hl7.org/fhir/> .doco


[ a fhir:Consent;
  fhir:nodeRole fhir:treeRoot; # if this is the parser root

  # from Resource: .id, .meta, .implicitRules, and .language
  # from DomainResource: .text, .contained, .extension, and .modifierExtension
  fhir:Consent.identifier [ Identifier ]; # 0..1 Identifier for this record (external references)
  fhir:Consent.status [ code ]; # 1..1 draft | proposed | active | rejected | inactive | entered-in-error
  fhir:Consent.category [ CodeableConcept ], ... ; # 0..* Classification of the consent statement - for indexing/retrieval
  fhir:Consent.patient [ Reference(Patient) ]; # 1..1 Who the consent applies to
  fhir:Consent.period [ Period ]; # 0..1 Period that this consent applies
  fhir:Consent.dateTime [ dateTime ]; # 0..1 When this Consent was created or indexed
  fhir:Consent.consentingParty [ Reference(Organization|Patient|Practitioner|RelatedPerson) ], ... ; # 0..* Who is agreeing to the policy and exceptions
  fhir:Consent.actor [ # 0..* Who|what controlled by this consent (or group, by role)
    fhir:Consent.actor.role [ CodeableConcept ]; # 1..1 How the actor is involved
    fhir:Consent.actor.reference [ Reference(Device|Group|CareTeam|Organization|Patient|Practitioner|RelatedPerson) ]; # 1..1 Resource for the actor (or group, by role)
  ], ...;
  fhir:Consent.action [ CodeableConcept ], ... ; # 0..* Actions controlled by this consent
  fhir:Consent.organization [ Reference(Organization) ], ... ; # 0..* Custodian of the consent
  # Consent.source[x] : 0..1 Source from which this consent is taken. One of these 3
    fhir:Consent.sourceAttachment [ Attachment ]
    fhir:Consent.sourceIdentifier [ Identifier ]
    fhir:Consent.sourceReference [ Reference(Consent|DocumentReference|Contract|QuestionnaireResponse) ]
  fhir:Consent.policy [ # 0..* Policies covered by this consent
    fhir:Consent.policy.authority [ uri ]; # 0..1 Enforcement source for policy
    fhir:Consent.policy.uri [ uri ]; # 0..1 Specific policy covered by this consent
  ], ...;
  fhir:Consent.policyRule [ uri ]; # 0..1 Policy that this consents to
  fhir:Consent.securityLabel [ Coding ], ... ; # 0..* Security Labels that define affected resources
  fhir:Consent.purpose [ Coding ], ... ; # 0..* Context of activities for which the agreement is made
  fhir:Consent.dataPeriod [ Period ]; # 0..1 Timeframe for data controlled by this consent
  fhir:Consent.data [ # 0..* Data controlled by this consent
    fhir:Consent.data.meaning [ code ]; # 1..1 instance | related | dependents | authoredby
    fhir:Consent.data.reference [ Reference(Any) ]; # 1..1 The actual data reference
  ], ...;
  fhir:Consent.except [ # 0..* Additional rule -  addition or removal of permissions
    fhir:Consent.except.type [ code ]; # 1..1 deny | permit
    fhir:Consent.except.period [ Period ]; # 0..1 Timeframe for this exception
    fhir:Consent.except.actor [ # 0..* Who|what controlled by this exception (or group, by role)
      fhir:Consent.except.actor.role [ CodeableConcept ]; # 1..1 How the actor is involved
      fhir:Consent.except.actor.reference [ Reference(Device|Group|CareTeam|Organization|Patient|Practitioner|RelatedPerson) ]; # 1..1 Resource for the actor (or group, by role)
    ], ...;
    fhir:Consent.except.action [ CodeableConcept ], ... ; # 0..* Actions controlled by this exception
    fhir:Consent.except.securityLabel [ Coding ], ... ; # 0..* Security Labels that define affected resources
    fhir:Consent.except.purpose [ Coding ], ... ; # 0..* Context of activities covered by this exception
    fhir:Consent.except.class [ Coding ], ... ; # 0..* e.g. Resource Type, Profile, or CDA etc
    fhir:Consent.except.code [ Coding ], ... ; # 0..* e.g. LOINC or SNOMED CT code, etc in the content
    fhir:Consent.except.dataPeriod [ Period ]; # 0..1 Timeframe for data controlled by this exception
    fhir:Consent.except.data [ # 0..* Data controlled by this exception
      fhir:Consent.except.data.meaning [ code ]; # 1..1 instance | related | dependents | authoredby
      fhir:Consent.except.data.reference [ Reference(Any) ]; # 1..1 The actual data reference
    ], ...;
  ], ...;
]

Changes since DSTU2

This resource did not exist in Release 2

This analysis is available as XML or JSON.

Structure

NameFlagsCard.TypeDescription & Constraintsdoco
.. Consent IDomainResourceA healthcare consumer's policy choices to permits or denies recipients or roles to perform actions for specific purposes and periods of time
+ Either a Policy or PolicyRule
Elements defined in Ancestors: id, meta, implicitRules, language, text, contained, extension, modifierExtension
... identifier Σ0..1IdentifierIdentifier for this record (external references)
... status ?!Σ1..1codedraft | proposed | active | rejected | inactive | entered-in-error
ConsentState (Required)
... category Σ0..*CodeableConceptClassification of the consent statement - for indexing/retrieval
Consent Category Codes (Example)
... patient Σ1..1Reference(Patient)Who the consent applies to
... period Σ0..1PeriodPeriod that this consent applies
... dateTime Σ0..1dateTimeWhen this Consent was created or indexed
... consentingParty Σ0..*Reference(Organization | Patient | Practitioner | RelatedPerson)Who is agreeing to the policy and exceptions
... actor Σ0..*BackboneElementWho|what controlled by this consent (or group, by role)
.... role 1..1CodeableConceptHow the actor is involved
SecurityRoleType (Extensible)
.... reference 1..1Reference(Device | Group | CareTeam | Organization | Patient | Practitioner | RelatedPerson)Resource for the actor (or group, by role)
... action Σ0..*CodeableConceptActions controlled by this consent
Consent Action Codes (Example)
... organization Σ0..*Reference(Organization)Custodian of the consent
... source[x] Σ0..1Source from which this consent is taken
.... sourceAttachmentAttachment
.... sourceIdentifierIdentifier
.... sourceReferenceReference(Consent | DocumentReference | Contract | QuestionnaireResponse)
... policy 0..*BackboneElementPolicies covered by this consent
.... authority I0..1uriEnforcement source for policy
.... uri I0..1uriSpecific policy covered by this consent
... policyRule ΣI0..1uriPolicy that this consents to
... securityLabel Σ0..*CodingSecurity Labels that define affected resources
All Security Labels (Extensible)
... purpose Σ0..*CodingContext of activities for which the agreement is made
PurposeOfUse (Extensible)
... dataPeriod Σ0..1PeriodTimeframe for data controlled by this consent
... data Σ0..*BackboneElementData controlled by this consent
.... meaning Σ1..1codeinstance | related | dependents | authoredby
ConsentDataMeaning (Required)
.... reference Σ1..1Reference(Any)The actual data reference
... except Σ0..*BackboneElementAdditional rule - addition or removal of permissions
.... type Σ1..1codedeny | permit
ConsentExceptType (Required)
.... period Σ0..1PeriodTimeframe for this exception
.... actor Σ0..*BackboneElementWho|what controlled by this exception (or group, by role)
..... role 1..1CodeableConceptHow the actor is involved
SecurityRoleType (Extensible)
..... reference 1..1Reference(Device | Group | CareTeam | Organization | Patient | Practitioner | RelatedPerson)Resource for the actor (or group, by role)
.... action Σ0..*CodeableConceptActions controlled by this exception
Consent Action Codes (Example)
.... securityLabel Σ0..*CodingSecurity Labels that define affected resources
All Security Labels (Extensible)
.... purpose Σ0..*CodingContext of activities covered by this exception
PurposeOfUse (Extensible)
.... class Σ0..*Codinge.g. Resource Type, Profile, or CDA etc
Consent Content Class (Extensible)
.... code Σ0..*Codinge.g. LOINC or SNOMED CT code, etc in the content
Consent Content Codes (Example)
.... dataPeriod Σ0..1PeriodTimeframe for data controlled by this exception
.... data Σ0..*BackboneElementData controlled by this exception
..... meaning Σ1..1codeinstance | related | dependents | authoredby
ConsentDataMeaning (Required)
..... reference Σ1..1Reference(Any)The actual data reference

doco Documentation for this format

UML Diagram (Legend)

Consent (DomainResource)Unique identifier for this copy of the Consent Statementidentifier : Identifier [0..1]Indicates the current state of this consent (this element modifies the meaning of other elements)status : code [1..1] Indicates the state of the consent (Strength=Required)ConsentState! A classification of the type of consents found in the statement. This element supports indexing and retrieval of consent statementscategory : CodeableConcept [0..*] A classification of the type of consents found in a consent statement (Strength=Example)Consent Category ?? The patient/healthcare consumer to whom this consent appliespatient : Reference [1..1] Patient Relevant time or time-period when this Consent is applicableperiod : Period [0..1]When this Consent was issued / created / indexeddateTime : dateTime [0..1]Either the Grantor, which is the entity responsible for granting the rights listed in a Consent Directive or the Grantee, which is the entity responsible for complying with the Consent Directive, including any obligations or limitations on authorizations and enforcement of prohibitionsconsentingParty : Reference [0..*] Organization|Patient| Practitioner|RelatedPerson Actions controlled by this consentaction : CodeableConcept [0..*] Detailed codes for the consent action. (Strength=Example)Consent Action ?? The organization that manages the consent, and the framework within which it is executedorganization : Reference [0..*] Organization The source on which this consent statement is based. The source might be a scanned original paper form, or a reference to a consent that links back to such a source, a reference to a document repository (e.g. XDS) that stores the original consent documentsource[x] : Type [0..1] Attachment|Identifier|Reference(Consent| DocumentReference|Contract|QuestionnaireResponse) A referece to the specific computable policypolicyRule : uri [0..1]A set of security labels that define which resources are controlled by this consent. If more than one label is specified, all resources must have all the specified labelssecurityLabel : Coding [0..*] Security Labels from the Healthcare Privacy and Security Classification System. (Strength=Extensible)All Security Labels+ The context of the activities a user is taking - why the user is accessing the data - that are controlled by this consentpurpose : Coding [0..*] What purposes of use are controlled by this exception. If more than one label is specified, operations must have all the specified labels (Strength=Extensible)PurposeOfUse+ Clinical or Operational Relevant period of time that bounds the data controlled by this consentdataPeriod : Period [0..1]ActorHow the individual is involved in the resources content that is described in the consentrole : CodeableConcept [1..1] How an actor is involved in the consent considerations (Strength=Extensible)SecurityRoleType+ The resource that identifies the actor. To identify a actors by type, use group to identify a set of actors by some property they share (e.g. 'admitting officers')reference : Reference [1..1] Device|Group|CareTeam|Organization| Patient|Practitioner|RelatedPerson PolicyEntity or Organization having regulatory jurisdiction or accountability for enforcing policies pertaining to Consent Directivesauthority : uri [0..1]The references to the policies that are included in this consent scope. Policies may be organizational, but are often defined jurisdictionally, or in lawuri : uri [0..1]DataHow the resource reference is interpreted when testing consent restrictionsmeaning : code [1..1] How a resource reference is interpreted when testing consent restrictions (Strength=Required)ConsentDataMeaning! A reference to a specific resource that defines which resources are covered by this consentreference : Reference [1..1] Any ExceptAction to take - permit or deny - when the exception conditions are mettype : code [1..1] How an exception statement is applied, such as adding additional consent or removing consent (Strength=Required)ConsentExceptType! The timeframe in this exception is validperiod : Period [0..1]Actions controlled by this Exceptionaction : CodeableConcept [0..*] Detailed codes for the consent action. (Strength=Example)Consent Action ?? A set of security labels that define which resources are controlled by this exception. If more than one label is specified, all resources must have all the specified labelssecurityLabel : Coding [0..*] Security Labels from the Healthcare Privacy and Security Classification System. (Strength=Extensible)All Security Labels+ The context of the activities a user is taking - why the user is accessing the data - that are controlled by this exceptionpurpose : Coding [0..*] What purposes of use are controlled by this exception. If more than one label is specified, operations must have all the specified labels (Strength=Extensible)PurposeOfUse+ The class of information covered by this exception. The type can be a FHIR resource type, a profile on a type, or a CDA document, or some other type that indicates what sort of information the consent relates toclass : Coding [0..*] The class (type) of information a consent rule covers (Strength=Extensible)Consent Content Class+ If this code is found in an instance, then the exception appliescode : Coding [0..*] If this code is found in an instance, then the exception applies (Strength=Example)Consent Content ?? Clinical or Operational Relevant period of time that bounds the data controlled by this exceptiondataPeriod : Period [0..1]ExceptActorHow the individual is involved in the resources content that is described in the exceptionrole : CodeableConcept [1..1] How an actor is involved in the consent considerations (Strength=Extensible)SecurityRoleType+ The resource that identifies the actor. To identify a actors by type, use group to identify a set of actors by some property they share (e.g. 'admitting officers')reference : Reference [1..1] Device|Group|CareTeam|Organization| Patient|Practitioner|RelatedPerson ExceptDataHow the resource reference is interpreted when testing consent restrictionsmeaning : code [1..1] How a resource reference is interpreted when testing consent restrictions (Strength=Required)ConsentDataMeaning! A reference to a specific resource that defines which resources are covered by this consentreference : Reference [1..1] Any Who or what is controlled by this consent. Use group to identify a set of actors by some property they share (e.g. 'admitting officers')actor[0..*]The references to the policies that are included in this consent scope. Policies may be organizational, but are often defined jurisdictionally, or in lawpolicy[0..*]The resources controlled by this consent, if specific resources are referenceddata[0..*]Who or what is controlled by this Exception. Use group to identify a set of actors by some property they share (e.g. 'admitting officers')actor[0..*]The resources controlled by this exception, if specific resources are referenceddata[0..*]An exception to the base policy of this consent. An exception can be an addition or removal of access permissionsexcept[0..*]

XML Template

<Consent xmlns="http://hl7.org/fhir"> doco
 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <identifier><!-- 0..1 Identifier Identifier for this record (external references) --></identifier>
 <status value="[code]"/><!-- 1..1 draft | proposed | active | rejected | inactive | entered-in-error -->
 <category><!-- 0..* CodeableConcept Classification of the consent statement - for indexing/retrieval --></category>
 <patient><!-- 1..1 Reference(Patient) Who the consent applies to --></patient>
 <period><!-- 0..1 Period Period that this consent applies --></period>
 <dateTime value="[dateTime]"/><!-- 0..1 When this Consent was created or indexed -->
 <consentingParty><!-- 0..* Reference(Organization|Patient|Practitioner|
   RelatedPerson) Who is agreeing to the policy and exceptions --></consentingParty>
 <actor>  <!-- 0..* Who|what controlled by this consent (or group, by role) -->
  <role><!-- 1..1 CodeableConcept How the actor is involved --></role>
  <reference><!-- 1..1 Reference(Device|Group|CareTeam|Organization|Patient|
    Practitioner|RelatedPerson) Resource for the actor (or group, by role) --></reference>
 </actor>
 <action><!-- 0..* CodeableConcept Actions controlled by this consent --></action>
 <organization><!-- 0..* Reference(Organization) Custodian of the consent --></organization>
 <source[x]><!-- 0..1 Attachment|Identifier|Reference(Consent|DocumentReference|
   Contract|QuestionnaireResponse) Source from which this consent is taken --></source[x]>
 <policy>  <!-- 0..* Policies covered by this consent -->
  <authority value="[uri]"/><!-- ?? 0..1 Enforcement source for policy -->
  <uri value="[uri]"/><!-- ?? 0..1 Specific policy covered by this consent -->
 </policy>
 <policyRule value="[uri]"/><!-- ?? 0..1 Policy that this consents to -->
 <securityLabel><!-- 0..* Coding Security Labels that define affected resources --></securityLabel>
 <purpose><!-- 0..* Coding Context of activities for which the agreement is made --></purpose>
 <dataPeriod><!-- 0..1 Period Timeframe for data controlled by this consent --></dataPeriod>
 <data>  <!-- 0..* Data controlled by this consent -->
  <meaning value="[code]"/><!-- 1..1 instance | related | dependents | authoredby -->
  <reference><!-- 1..1 Reference(Any) The actual data reference --></reference>
 </data>
 <except>  <!-- 0..* Additional rule -  addition or removal of permissions -->
  <type value="[code]"/><!-- 1..1 deny | permit -->
  <period><!-- 0..1 Period Timeframe for this exception --></period>
  <actor>  <!-- 0..* Who|what controlled by this exception (or group, by role) -->
   <role><!-- 1..1 CodeableConcept How the actor is involved --></role>
   <reference><!-- 1..1 Reference(Device|Group|CareTeam|Organization|Patient|
     Practitioner|RelatedPerson) Resource for the actor (or group, by role) --></reference>
  </actor>
  <action><!-- 0..* CodeableConcept Actions controlled by this exception --></action>
  <securityLabel><!-- 0..* Coding Security Labels that define affected resources --></securityLabel>
  <purpose><!-- 0..* Coding Context of activities covered by this exception --></purpose>
  <class><!-- 0..* Coding e.g. Resource Type, Profile, or CDA etc --></class>
  <code><!-- 0..* Coding e.g. LOINC or SNOMED CT code, etc in the content --></code>
  <dataPeriod><!-- 0..1 Period Timeframe for data controlled by this exception --></dataPeriod>
  <data>  <!-- 0..* Data controlled by this exception -->
   <meaning value="[code]"/><!-- 1..1 instance | related | dependents | authoredby -->
   <reference><!-- 1..1 Reference(Any) The actual data reference --></reference>
  </data>
 </except>
</Consent>

JSON Template

{doco
  "resourceType" : "Consent",
  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "identifier" : { Identifier }, // Identifier for this record (external references)
  "status" : "<code>", // R!  draft | proposed | active | rejected | inactive | entered-in-error
  "category" : [{ CodeableConcept }], // Classification of the consent statement - for indexing/retrieval
  "patient" : { Reference(Patient) }, // R!  Who the consent applies to
  "period" : { Period }, // Period that this consent applies
  "dateTime" : "<dateTime>", // When this Consent was created or indexed
  "consentingParty" : [{ Reference(Organization|Patient|Practitioner|
   RelatedPerson) }], // Who is agreeing to the policy and exceptions
  "actor" : [{ // Who|what controlled by this consent (or group, by role)
    "role" : { CodeableConcept }, // R!  How the actor is involved
    "reference" : { Reference(Device|Group|CareTeam|Organization|Patient|
    Practitioner|RelatedPerson) } // R!  Resource for the actor (or group, by role)
  }],
  "action" : [{ CodeableConcept }], // Actions controlled by this consent
  "organization" : [{ Reference(Organization) }], // Custodian of the consent
  // source[x]: Source from which this consent is taken. One of these 3:
  "sourceAttachment" : { Attachment },
  "sourceIdentifier" : { Identifier },
  "sourceReference" : { Reference(Consent|DocumentReference|Contract|
   QuestionnaireResponse) },
  "policy" : [{ // Policies covered by this consent
    "authority" : "<uri>", // C? Enforcement source for policy
    "uri" : "<uri>" // C? Specific policy covered by this consent
  }],
  "policyRule" : "<uri>", // C? Policy that this consents to
  "securityLabel" : [{ Coding }], // Security Labels that define affected resources
  "purpose" : [{ Coding }], // Context of activities for which the agreement is made
  "dataPeriod" : { Period }, // Timeframe for data controlled by this consent
  "data" : [{ // Data controlled by this consent
    "meaning" : "<code>", // R!  instance | related | dependents | authoredby
    "reference" : { Reference(Any) } // R!  The actual data reference
  }],
  "except" : [{ // Additional rule -  addition or removal of permissions
    "type" : "<code>", // R!  deny | permit
    "period" : { Period }, // Timeframe for this exception
    "actor" : [{ // Who|what controlled by this exception (or group, by role)
      "role" : { CodeableConcept }, // R!  How the actor is involved
      "reference" : { Reference(Device|Group|CareTeam|Organization|Patient|
     Practitioner|RelatedPerson) } // R!  Resource for the actor (or group, by role)
    }],
    "action" : [{ CodeableConcept }], // Actions controlled by this exception
    "securityLabel" : [{ Coding }], // Security Labels that define affected resources
    "purpose" : [{ Coding }], // Context of activities covered by this exception
    "class" : [{ Coding }], // e.g. Resource Type, Profile, or CDA etc
    "code" : [{ Coding }], // e.g. LOINC or SNOMED CT code, etc in the content
    "dataPeriod" : { Period }, // Timeframe for data controlled by this exception
    "data" : [{ // Data controlled by this exception
      "meaning" : "<code>", // R!  instance | related | dependents | authoredby
      "reference" : { Reference(Any) } // R!  The actual data reference
    }]
  }]
}

Turtle Template

@prefix fhir: <http://hl7.org/fhir/> .doco


[ a fhir:Consent;
  fhir:nodeRole fhir:treeRoot; # if this is the parser root

  # from Resource: .id, .meta, .implicitRules, and .language
  # from DomainResource: .text, .contained, .extension, and .modifierExtension
  fhir:Consent.identifier [ Identifier ]; # 0..1 Identifier for this record (external references)
  fhir:Consent.status [ code ]; # 1..1 draft | proposed | active | rejected | inactive | entered-in-error
  fhir:Consent.category [ CodeableConcept ], ... ; # 0..* Classification of the consent statement - for indexing/retrieval
  fhir:Consent.patient [ Reference(Patient) ]; # 1..1 Who the consent applies to
  fhir:Consent.period [ Period ]; # 0..1 Period that this consent applies
  fhir:Consent.dateTime [ dateTime ]; # 0..1 When this Consent was created or indexed
  fhir:Consent.consentingParty [ Reference(Organization|Patient|Practitioner|RelatedPerson) ], ... ; # 0..* Who is agreeing to the policy and exceptions
  fhir:Consent.actor [ # 0..* Who|what controlled by this consent (or group, by role)
    fhir:Consent.actor.role [ CodeableConcept ]; # 1..1 How the actor is involved
    fhir:Consent.actor.reference [ Reference(Device|Group|CareTeam|Organization|Patient|Practitioner|RelatedPerson) ]; # 1..1 Resource for the actor (or group, by role)
  ], ...;
  fhir:Consent.action [ CodeableConcept ], ... ; # 0..* Actions controlled by this consent
  fhir:Consent.organization [ Reference(Organization) ], ... ; # 0..* Custodian of the consent
  # Consent.source[x] : 0..1 Source from which this consent is taken. One of these 3
    fhir:Consent.sourceAttachment [ Attachment ]
    fhir:Consent.sourceIdentifier [ Identifier ]
    fhir:Consent.sourceReference [ Reference(Consent|DocumentReference|Contract|QuestionnaireResponse) ]
  fhir:Consent.policy [ # 0..* Policies covered by this consent
    fhir:Consent.policy.authority [ uri ]; # 0..1 Enforcement source for policy
    fhir:Consent.policy.uri [ uri ]; # 0..1 Specific policy covered by this consent
  ], ...;
  fhir:Consent.policyRule [ uri ]; # 0..1 Policy that this consents to
  fhir:Consent.securityLabel [ Coding ], ... ; # 0..* Security Labels that define affected resources
  fhir:Consent.purpose [ Coding ], ... ; # 0..* Context of activities for which the agreement is made
  fhir:Consent.dataPeriod [ Period ]; # 0..1 Timeframe for data controlled by this consent
  fhir:Consent.data [ # 0..* Data controlled by this consent
    fhir:Consent.data.meaning [ code ]; # 1..1 instance | related | dependents | authoredby
    fhir:Consent.data.reference [ Reference(Any) ]; # 1..1 The actual data reference
  ], ...;
  fhir:Consent.except [ # 0..* Additional rule -  addition or removal of permissions
    fhir:Consent.except.type [ code ]; # 1..1 deny | permit
    fhir:Consent.except.period [ Period ]; # 0..1 Timeframe for this exception
    fhir:Consent.except.actor [ # 0..* Who|what controlled by this exception (or group, by role)
      fhir:Consent.except.actor.role [ CodeableConcept ]; # 1..1 How the actor is involved
      fhir:Consent.except.actor.reference [ Reference(Device|Group|CareTeam|Organization|Patient|Practitioner|RelatedPerson) ]; # 1..1 Resource for the actor (or group, by role)
    ], ...;
    fhir:Consent.except.action [ CodeableConcept ], ... ; # 0..* Actions controlled by this exception
    fhir:Consent.except.securityLabel [ Coding ], ... ; # 0..* Security Labels that define affected resources
    fhir:Consent.except.purpose [ Coding ], ... ; # 0..* Context of activities covered by this exception
    fhir:Consent.except.class [ Coding ], ... ; # 0..* e.g. Resource Type, Profile, or CDA etc
    fhir:Consent.except.code [ Coding ], ... ; # 0..* e.g. LOINC or SNOMED CT code, etc in the content
    fhir:Consent.except.dataPeriod [ Period ]; # 0..1 Timeframe for data controlled by this exception
    fhir:Consent.except.data [ # 0..* Data controlled by this exception
      fhir:Consent.except.data.meaning [ code ]; # 1..1 instance | related | dependents | authoredby
      fhir:Consent.except.data.reference [ Reference(Any) ]; # 1..1 The actual data reference
    ], ...;
  ], ...;
]

Changes since DSTU2

This resource did not exist in Release 2

This analysis is available as XML or JSON.

 

Alternate definitions: Master Definition (XML, JSON), XML Schema/Schematron (for ) + JSON Schema, ShEx (for Turtle)

PathDefinitionTypeReference
Consent.status Indicates the state of the consentRequiredConsentState
Consent.category A classification of the type of consents found in a consent statementExampleConsent Category Codes
Consent.actor.role
Consent.except.actor.role
How an actor is involved in the consent considerationsExtensibleSecurityRoleType
Consent.action
Consent.except.action
Detailed codes for the consent action.ExampleConsent Action Codes
Consent.securityLabel
Consent.except.securityLabel
Security Labels from the Healthcare Privacy and Security Classification System.ExtensibleAll Security Labels
Consent.purpose
Consent.except.purpose
What purposes of use are controlled by this exception. If more than one label is specified, operations must have all the specified labelsExtensiblePurposeOfUse
Consent.data.meaning
Consent.except.data.meaning
How a resource reference is interpreted when testing consent restrictionsRequiredConsentDataMeaning
Consent.except.type How an exception statement is applied, such as adding additional consent or removing consentRequiredConsentExceptType
Consent.except.class The class (type) of information a consent rule coversExtensibleConsent Content Class
Consent.except.code If this code is found in an instance, then the exception appliesExampleConsent Content Codes

  • ppc-1: Either a Policy or PolicyRule (expression : policy.exists() or policyRule.exists())

This specification defines 2 magic values for consent policyRule:

URI Description
http://hl7.org/fhir/ConsentPolicy/opt-out The basic 'deny' policy is to grant no authority for data access or use. No actions are approved, unless they are explicitly detailed in the exceptions
http://hl7.org/fhir/ConsentPolicy/opt-in The basic 'permit' policy is to grant generally acceptable authority for data access and use. All generally acceptable actions are approved, unless they are explicitly detailed in the exceptions

Other jurisdictions (e.g. HL7 Affiliates) may define their additional lists of consent policy URI values that represent consent policies established by law or regulation

The Consent resource has a reference to a single policyRule. Many organizations will work in a context where multiple different consent regulations and policies apply. In these cases, the single policy rule reference refers to a policy document that resolves and reconciles the various policies, and presents a single policy for patient consent. If it is still necessary to track which of the underlying policies an exception is make in regard to, the policy may be used.

The following is the general model of Privacy Consent Directives.

There are context setting parameters:

  1. Who - The patient
  2. What - The data - specific resources are listed, empty list means all data covered by the consent.
  3. Where - The domain and authority - what is the location boundary and authority boundary of this consent
  4. When - The issued or captured
  5. When - The timeframe for which the Consent applies
  6. How - The actions covered. (such as purposes of use that are covered)
  7. Whom - The recipient are grantees by the consent.

A Privacy Consent may transition through many states including: that no consent has been sought, consent has been proposed, consent has been rejected, and consent approved.

There are set of patterns.

  1. No consent: All settings need a policy for when no consent has been captured. Often this allows treatment only.;
  2. Opt-out: No sharing allowed for the specified domain, location, actions, and purposes;
  3. Opt-out with exceptions: No sharing allowed, with some exceptions where it is allowed. Example: Withhold Authorization for Treatment except for Emergency Treatment;
  4. Opt-in: Sharing for some purpose of use is authorized Sharing allowed for Treatment, Payment, and normal Operations; and
  5. Opt-in with restrictions: Sharing allowed, but the patient may make exceptions (See the Canadian examples).

For each of these patterns (positive or negative pattern), there can be exceptions. These exceptions are explicitly recorded in the except element.

Five categories of Privacy Consent Directives are described in the Office of the National Coordinator for Health Information (ONC) Consent Directives Document released March 31, 2010, and include the following US-specific “Core consent options” for electronic exchange:

  1. No consent: Health information of patients is automatically included—patients cannot opt out;
  2. Opt-out: Default is for health information of patients to be included automatically, but the patient can opt out completely;
  3. Opt-out with exceptions: Default is for health information of patients to be included, but the patient can opt out completely or allow only select data to be included;
  4. Opt-in: Default is that no patient health information is included; patients must actively express consent to be included, but if they do so then their information must be all in or all out; and
  5. Opt-in with restrictions: Default is that no patient health information is made available, but the patient may allow a subset of select data to be included.

A common exception is to explicitly exclude or explicitly include a period of time.

The following scenarios are based on existing jurisdictional policy and are realized in existing systems in Canada. The default policy is one of implied consent for the provision of care, so these scenarios all deal with withdrawal or withholding consent for that purpose. In other jurisdictions, where an express consent model is used (Opt-In), these examples would contain the phrase "consent to" rather than "withhold" or "withdraw" consent for.

  1. Withhold or withdraw consent for disclosure of records related to specific domain (e.g. DI, LAB, etc.)
  2. Withhold or withdraw consent for disclosure of a specific record (e.g. Lab Order/Result)
  3. Withhold or withdraw consent for disclosure to a specific provider organization
  4. Withhold or withdraw consent for disclosure to a specific provider agent (an individual within an organization)
  5. Withhold or withdraw consent for disclosure of records that were authored by a specific organization (or service delivery location).
  6. Combinations of the above

Also shown is an example where a Patient has authorized disclosure to a specific individual for purposes directed by the patient (possibly not a treatment case).

Search parameters for this resource. The common parameters also apply. See Searching for more information about searching in REST, messaging, and services.

NameTypeDescriptionExpressionIn Common
actiontokenActions controlled by this consentConsent.action | Consent.except.action
actorreferenceResource for the actor (or group, by role)Consent.actor.reference | Consent.except.actor.reference
(Practitioner, Group, Organization, CareTeam, Device, Patient, RelatedPerson)
categorytokenClassification of the consent statement - for indexing/retrievalConsent.category
consentorreferenceWho is agreeing to the policy and exceptionsConsent.consentingParty
(Practitioner, Organization, Patient, RelatedPerson)
datareferenceThe actual data referenceConsent.data.reference | Consent.except.data.reference
(Any)
datedateWhen this Consent was created or indexedConsent.dateTime18 Resources
identifiertokenIdentifier for this record (external references)Consent.identifier26 Resources
organizationreferenceCustodian of the consentConsent.organization
(Organization)
patientreferenceWho the consent applies toConsent.patient
(Patient)
31 Resources
perioddatePeriod that this consent appliesConsent.period
purposetokenContext of activities for which the agreement is madeConsent.purpose | Consent.except.purpose
securitylabeltokenSecurity Labels that define affected resourcesConsent.securityLabel | Consent.except.securityLabel
sourcereferenceSource from which this consent is takenConsent.source
(Consent, Contract, QuestionnaireResponse, DocumentReference)
statustokendraft | proposed | active | rejected | inactive | entered-in-errorConsent.status