Consent

A record of a healthcare consumer’s choices, which permits or denies identified recipient(s) or recipient role(s) to perform one or more actions within a given policy context, for specific purposes and periods of time.

Schema

Elements

Name	Required	Type	Description
identifier		Identifier[]	Identifier for this record (external references) Details Unique identifier for this copy of the Consent Statement. This identifier identifies this copy of the consent. Where this identifier is also used elsewhere as the identifier for a consent record (e.g. a CDA consent document) then the consent details are expected to be the same.
status	✓	code	draft | proposed | active | rejected | inactive | entered-in-error Details Indicates the current state of this consent. This element is labeled as a modifier because the status contains the codes rejected and entered-in-error that mark the Consent as not currently valid.
scope	✓	CodeableConcept	Which of the four areas this resource covers (extensible) Details A selector of the type of consent being presented: ADR, Privacy, Treatment, Research. This list is now extensible.
category	✓	CodeableConcept[]	Classification of the consent statement - for indexing/retrieval Details A classification of the type of consents found in the statement. This element supports indexing and retrieval of consent statements.
patient		Reference<Patient>	Who the consent applies to Details The patient/healthcare consumer to whom this consent applies. Commonly, the patient the consent pertains to is the author, but for young and old people, it may be some other person.
dateTime		dateTime	When this Consent was created or indexed Details When this Consent was issued / created / indexed. This is not the time of the original consent, but the time that this statement was made or derived.
performer		Reference< Organization | Patient | Practitioner | RelatedPerson | PractitionerRole >[]	Who is agreeing to the policy and rules Details Either the Grantor, which is the entity responsible for granting the rights listed in a Consent Directive or the Grantee, which is the entity responsible for complying with the Consent Directive, including any obligations or limitations on authorizations and enforcement of prohibitions. Commonly, the patient the consent pertains to is the consentor, but particularly for young and old people, it may be some other person - e.g. a legal guardian.
organization		Reference<Organization>[]	Custodian of the consent Details The organization that manages the consent, and the framework within which it is executed.
source[x]		Attachment, Reference< Consent | DocumentReference | Contract | QuestionnaireResponse >	Source from which this consent is taken Details The source on which this consent statement is based. The source might be a scanned original paper form, or a reference to a consent that links back to such a source, a reference to a document repository (e.g. XDS) that stores the original consent document. The source can be contained inline (Attachment), referenced directly (Consent), referenced in a consent repository (DocumentReference), or simply by an identifier (Identifier), e.g. a CDA document id.
policy		ConsentPolicy[]	Policies covered by this consent Details The references to the policies that are included in this consent scope. Policies may be organizational, but are often defined jurisdictionally, or in law.
id		string	Unique id for inter-element referencing Details Unique id for the element within a resource (for internal references). This may be any string value that does not contain spaces.
extension		Extension[]	Additional content defined by implementations Details May be used to represent additional information that is not part of the basic definition of the element. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
modifierExtension		Extension[]	Extensions that cannot be ignored even if unrecognized Details May be used to represent additional information that is not part of the basic definition of the element and that modifies the understanding of the element in which it is contained and/or the understanding of the containing element's descendants. Usually modifier elements provide negation or qualification. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. Applications processing a resource are required to check for modifier extensions. Modifier extensions SHALL NOT change the meaning of any elements on Resource or DomainResource (including cannot change the meaning of modifierExtension itself). There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
authority		uri	Enforcement source for policy Details Entity or Organization having regulatory jurisdiction or accountability for enforcing policies pertaining to Consent Directives.
uri		uri	Specific policy covered by this consent Details The references to the policies that are included in this consent scope. Policies may be organizational, but are often defined jurisdictionally, or in law. This element is for discoverability / documentation and does not modify or qualify the policy rules.
policyRule		CodeableConcept	Regulation that this consents to Details A reference to the specific base computable regulation or policy. If the policyRule is absent, computable consent would need to be constructed from the elements of the Consent resource.
verification		ConsentVerification[]	Consent Verified by patient or family Details Whether a treatment instruction (e.g. artificial respiration yes or no) was verified with the patient, his/her family or another authorized person.
id		string	Unique id for inter-element referencing Details Unique id for the element within a resource (for internal references). This may be any string value that does not contain spaces.
extension		Extension[]	Additional content defined by implementations Details May be used to represent additional information that is not part of the basic definition of the element. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
modifierExtension		Extension[]	Extensions that cannot be ignored even if unrecognized Details May be used to represent additional information that is not part of the basic definition of the element and that modifies the understanding of the element in which it is contained and/or the understanding of the containing element's descendants. Usually modifier elements provide negation or qualification. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. Applications processing a resource are required to check for modifier extensions. Modifier extensions SHALL NOT change the meaning of any elements on Resource or DomainResource (including cannot change the meaning of modifierExtension itself). There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
verified	✓	boolean	Has been verified Details Has the instruction been verified.
verifiedWith		Reference<Patient | RelatedPerson>	Person who verified Details Who verified the instruction (Patient, Relative or other Authorized Person).
verificationDate		dateTime	When consent verified Details Date verification was collected.
provision		ConsentProvision	Constraints to the base Consent.policyRule Details An exception to the base policy of this consent. An exception can be an addition or removal of access permissions.
id		string	Unique id for inter-element referencing Details Unique id for the element within a resource (for internal references). This may be any string value that does not contain spaces.
extension		Extension[]	Additional content defined by implementations Details May be used to represent additional information that is not part of the basic definition of the element. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
modifierExtension		Extension[]	Extensions that cannot be ignored even if unrecognized Details May be used to represent additional information that is not part of the basic definition of the element and that modifies the understanding of the element in which it is contained and/or the understanding of the containing element's descendants. Usually modifier elements provide negation or qualification. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. Applications processing a resource are required to check for modifier extensions. Modifier extensions SHALL NOT change the meaning of any elements on Resource or DomainResource (including cannot change the meaning of modifierExtension itself). There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
type		code	deny | permit Details Action to take - permit or deny - when the rule conditions are met. Not permitted in root rule, required in all nested rules.
period		Period	Timeframe for this rule Details The timeframe in this rule is valid.
actor		ConsentProvisionActor[]	Who|what controlled by this rule (or group, by role) Details Who or what is controlled by this rule. Use group to identify a set of actors by some property they share (e.g. 'admitting officers').
id		string	Unique id for inter-element referencing Details Unique id for the element within a resource (for internal references). This may be any string value that does not contain spaces.
extension		Extension[]	Additional content defined by implementations Details May be used to represent additional information that is not part of the basic definition of the element. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
modifierExtension		Extension[]	Extensions that cannot be ignored even if unrecognized Details May be used to represent additional information that is not part of the basic definition of the element and that modifies the understanding of the element in which it is contained and/or the understanding of the containing element's descendants. Usually modifier elements provide negation or qualification. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. Applications processing a resource are required to check for modifier extensions. Modifier extensions SHALL NOT change the meaning of any elements on Resource or DomainResource (including cannot change the meaning of modifierExtension itself). There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
role	✓	CodeableConcept	How the actor is involved Details How the individual is involved in the resources content that is described in the exception.
reference	✓	Reference< Device | Group | CareTeam | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole >	Resource for the actor (or group, by role) Details The resource that identifies the actor. To identify actors by type, use group to identify a set of actors by some property they share (e.g. 'admitting officers').
action		CodeableConcept[]	Actions controlled by this rule Details Actions controlled by this Rule. Note that this is the direct action (not the grounds for the action covered in the purpose element). At present, the only action in the understood and tested scope of this resource is 'read'.
securityLabel		Coding[]	Security Labels that define affected resources Details A security label, comprised of 0..* security label fields (Privacy tags), which define which resources are controlled by this exception. If the consent specifies a security label of "R" then it applies to all resources that are labeled "R" or lower. E.g. for Confidentiality, it's a high water mark. For other kinds of security labels, subsumption logic applies. When the purpose of use tag is on the data, access request purpose of use shall not conflict.
purpose		Coding[]	Context of activities covered by this rule Details The context of the activities a user is taking - why the user is accessing the data - that are controlled by this rule. When the purpose of use tag is on the data, access request purpose of use shall not conflict.
class		Coding[]	e.g. Resource Type, Profile, CDA, etc. Details The class of information covered by this rule. The type can be a FHIR resource type, a profile on a type, or a CDA document, or some other type that indicates what sort of information the consent relates to. Multiple types are or'ed together. The intention of the contentType element is that the codes refer to profiles or document types defined in a standard or an implementation guide somewhere.
code		CodeableConcept[]	e.g. LOINC or SNOMED CT code, etc. in the content Details If this code is found in an instance, then the rule applies. Typical use of this is a Document code with class = CDA.
dataPeriod		Period	Timeframe for data controlled by this rule Details Clinical or Operational Relevant period of time that bounds the data controlled by this rule. This has a different sense to the Consent.period - that is when the consent agreement holds. This is the time period of the data that is controlled by the agreement.
data		ConsentProvisionData[]	Data controlled by this rule Details The resources controlled by this rule if specific resources are referenced.
id		string	Unique id for inter-element referencing Details Unique id for the element within a resource (for internal references). This may be any string value that does not contain spaces.
extension		Extension[]	Additional content defined by implementations Details May be used to represent additional information that is not part of the basic definition of the element. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
modifierExtension		Extension[]	Extensions that cannot be ignored even if unrecognized Details May be used to represent additional information that is not part of the basic definition of the element and that modifies the understanding of the element in which it is contained and/or the understanding of the containing element's descendants. Usually modifier elements provide negation or qualification. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. Applications processing a resource are required to check for modifier extensions. Modifier extensions SHALL NOT change the meaning of any elements on Resource or DomainResource (including cannot change the meaning of modifierExtension itself). There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
meaning	✓	code	instance | related | dependents | authoredby Details How the resource reference is interpreted when testing consent restrictions.
reference	✓	Reference<Resource>	The actual data reference Details A reference to a specific resource that defines which resources are covered by this consent.
provision		[]	Nested Exception Rules Details Rules which provide exceptions to the base rule or subrules.

Search Parameters

Name	Type	Description	Expression
date	date	When this Consent was created or indexed	Consent.dateTime
identifier	token	Identifier for this record (external references)	Consent.identifier
patient	reference	Who the consent applies to	Consent.patient
action	token	Actions controlled by this rule	Consent.provision.action
actor	reference	Resource for the actor (or group, by role)	Consent.provision.actor.reference
category	token	Classification of the consent statement - for indexing/retrieval	Consent.category
consentor	reference	Who is agreeing to the policy and rules	Consent.performer
data	reference	The actual data reference	Consent.provision.data.reference
organization	reference	Custodian of the consent	Consent.organization
period	date	Timeframe for this rule	Consent.provision.period
purpose	token	Context of activities covered by this rule	Consent.provision.purpose
scope	token	Which of the four areas this resource covers (extensible)	Consent.scope
security-label	token	Security Labels that define affected resources	Consent.provision.securityLabel
source-reference	reference	Search by reference to a Consent, DocumentReference, Contract or QuestionnaireResponse	Consent.source
status	token	draft | proposed | active | rejected | inactive | entered-in-error	Consent.status

Inherited Elements

Name	Required	Type	Description
id		string	Logical id of this artifact Details The logical id of the resource, as used in the URL for the resource. Once assigned, this value never changes. The only time that a resource does not have an id is when it is being submitted to the server using a create operation.
meta		Meta	Metadata about the resource Details The metadata about the resource. This is content that is maintained by the infrastructure. Changes to the content might not always be associated with version changes to the resource.
implicitRules		uri	A set of rules under which this content was created Details A reference to a set of rules that were followed when the resource was constructed, and which must be understood when processing the content. Often, this is a reference to an implementation guide that defines the special rules along with other profiles etc. Asserting this rule set restricts the content to be only understood by a limited set of trading partners. This inherently limits the usefulness of the data in the long term. However, the existing health eco-system is highly fractured, and not yet ready to define, collect, and exchange data in a generally computable sense. Wherever possible, implementers and/or specification writers should avoid using this element. Often, when used, the URL is a reference to an implementation guide that defines these special rules as part of it's narrative along with other profiles, value sets, etc.
language		code	Language of the resource content Details The base language in which the resource is written. Language is provided to support indexing and accessibility (typically, services such as text to speech use the language tag). The html language tag in the narrative applies to the narrative. The language tag on the resource may be used to specify the language of other presentations generated from the data in the resource. Not all the content has to be in the base language. The Resource.language should not be assumed to apply to the narrative automatically. If a language is specified, it should it also be specified on the div element in the html (see rules in HTML5 for information about the relationship between xml:lang and the html lang attribute).
text		Narrative	Text summary of the resource, for human interpretation Details A human-readable narrative that contains a summary of the resource and can be used to represent the content of the resource to a human. The narrative need not encode all the structured data, but is required to contain sufficient detail to make it "clinically safe" for a human to just read the narrative. Resource definitions may define what content should be represented in the narrative to ensure clinical safety. Contained resources do not have narrative. Resources that are not contained SHOULD have a narrative. In some cases, a resource may only have text with little or no additional discrete data (as long as all minOccurs=1 elements are satisfied). This may be necessary for data from legacy systems where information is captured as a "text blob" or where text is additionally entered raw or narrated and encoded information is added later.
contained		Resource[]	Contained, inline Resources Details These resources do not have an independent existence apart from the resource that contains them - they cannot be identified independently, and nor can they have their own independent transaction scope. This should never be done when the content can be identified properly, as once identification is lost, it is extremely difficult (and context dependent) to restore it again. Contained resources may have profiles and tags In their meta elements, but SHALL NOT have security labels.
extension		Extension[]	Additional content defined by implementations Details May be used to represent additional information that is not part of the basic definition of the resource. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
modifierExtension		Extension[]	Extensions that cannot be ignored Details May be used to represent additional information that is not part of the basic definition of the resource and that modifies the understanding of the element that contains it and/or the understanding of the containing element's descendants. Usually modifier elements provide negation or qualification. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer is allowed to define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. Applications processing a resource are required to check for modifier extensions. Modifier extensions SHALL NOT change the meaning of any elements on Resource or DomainResource (including cannot change the meaning of modifierExtension itself). There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.

Usage

The purpose of this Resource is to be used to express a Consent regarding Healthcare. There are four anticipated uses for the Consent Resource, all of which are written or verbal agreements by a healthcare consumer [grantor] or a personal representative, made to an authorized entity [grantee] concerning authorized or restricted actions with any limitations on purpose of use, and handling instructions to which the authorized entity must comply:

• Privacy Consent Directive: Agreement to collect, access, use or disclose (share) information.
• Medical Treatment Consent Directive: Consent to undergo a specific treatment (or record of refusal to consent).
• Research Consent Directive: Consent to participate in research protocol and information sharing required.
• Advance Care Directives: Consent to instructions for potentially needed medical treatment (e.g. DNR).

This resource is scoped to cover all four uses, but at this time, only the privacy use case is modeled. The scope of the resource may change when the other possible scopes are investigated, tested, or profiled.

A FHIR Consent Directive instance is considered the encoded legally binding Consent Directive if it meets requirements of a policy domain requirements for an enforceable contract. In some domains, electronic signatures of one or both of the parties to the content of an encoded representation of a Consent Form is deemed to constitute a legally binding Consent Directive. Some domains accept a notary’s electronic signature over the wet or electronic signature of a party to the Consent Directive as the additional identity proofing required to make an encoded Consent Directive legally binding. Other domains may only accept a wet signature or might not require the parties’ signatures at all.

Whatever the criteria are for making an encoded FHIR Consent Directive legally binding, anything less than a legally binding representation of a Consent Directive must be identified as such, i.e., as a derivative of the legally binding Consent Directive, which has specific usage in Consent Directive workflow management.

Definitions:

Consent	The record of a healthcare consumer’s policy choices, which permits or denies identified recipient(s) or recipient role(s) to perform one or more actions within a given policy context, for specific purposes and periods of time
Consent Directive	The legal record of a healthcare consumer's agreement with a party responsible for enforcing the consumer’s choices, which permits or denies identified actors or roles to perform actions affecting the consumer within a given context for specific purposes and periods of time
Consent Form	Human readable consent content describing one or more actions impacting the grantor for which the grantee would be authorized or prohibited from performing. It includes the terms, rules, and conditions pertaining to the authorization or restrictions, such as effective time, applicability or scope, purposes of use, obligations and prohibitions to which the grantee must comply. Once a Consent Form is “executed” by means required by policy, such as verbal agreement, wet signature, or electronic/digital signature, it becomes a legally binding Consent Directive.
Consent Directive Derivative	Consent Content that conveys the minimal set of information needed to manage Consent Directive workflow, including providing Consent Directive content sufficient to: Represent a Consent Directive Register or index a Consent Directive Query and respond about a Consent Directive Retrieve a Consent Directive Notify authorized entities about Consent Directive status changes Determine entities authorized to collect, access, use or disclose information about the Consent Directive or about the information governed by the Consent Directive. Derived Consent content includes the Security Labels encoding the applicable privacy and security policies. Consent Security Labels inform recipients about specific access control measures required for compliance.
Consent Statement	A Consent Directive derivative has less than full fidelity to the legally binding Consent Directive from which it was "transcribed". It provides recipients with the full content representation they may require for compliance purposes, and typically include a reference to or an attached unstructured representation for recipients needing an exact copy of the legal agreement.
Consent Registration	The legal record of a healthcare consumer's agreement with a party responsible for enforcing the consumer’s choices, which permits or denies identified actors or roles to perform actions affecting the consumer within a given context for specific purposes and periods of timeA Consent Directive derivative that conveys the minimal set of information needed to register an active and revoked Consent Directive, or to update Consent status as it changes during its lifecycle.
Consent Query/Response Types	The FHIR Consent Resource specifies multiple Consent Search parameters, which support many types of queries for Consent Resource content. There are several Query/Response patterns that are typically used for obtaining information about consent directive content for the following use cases: Find Active Consent Directive: A query that includes sufficient consent directive content to determine whether a specific party is authorized to share information governed by a consent directive with another specific party. The Response is either: “Yes” meaning that both parties are authorized to share the information with one another. “No” meaning that the authorized querier is not permitted to share with another specific party “No information found” meaning that there is no active Consent Directive in which the querier is authorized to share the governed information. Find Consent Directive Authorized Entities: A query that includes sufficient consent directive content to return a list of entities with which the querier is authorized to share governed information. The response to an authorized querier is the list of any authorized entities with which the querier is permitted to share governed information. The response to an unauthorized querier is that “no information is found”. Find Consent Directive(s): A query that includes sufficient consent directive content to return a list of Consent Directive metadata for an authorized querier to determine what Consent Directives are available, and to locate and retrieve one or more of those Consent Directives as needed.
Policy context	Any organizational or jurisdictional policies, which may limit the consumer’s policy choices, and which includes the named range of actions allowed
Healthcare Consumer	The individual establishing his/her personal consent (i.e. Consenter). In FHIR, this is referred to as the 'Patient' though this word is not used across all contexts of care

Privacy Consent Directive (PCD)

Privacy policies define how Individually Identifiable Health Information (IIHI) is to be collected, accessed, used and disclosed. A Privacy Consent Directive as a legal record of a patient's (e.g. a healthcare consumer) agreement with a party responsible for enforcing the patient's choices, which permits or denies identified actors or roles to perform actions affecting the patient within a given context for specific purposes and periods of time. All consent directives have a policy context, which is any set of organizational or jurisdictional policies which may limit the consumer’s policy choices, and which include a named range of actions allowed. In addition, Privacy Consent Directives provide the ability for a healthcare consumer to delegate authority to a Substitute Decision Maker who may act on behalf of that individual. Alternatively, a consumer may author/publish their privacy preferences as a self-declared Privacy Consent Directive.

The Consent resource on FHIR provides support for alternative representations for expressing interoperable health information privacy consent directives in a standard form for the exchange and enforcement by sending, intermediating, or receiving systems of privacy policies that can be enforced by consuming systems (e.g., scanned documents, of computable structured entries elements, FHIR structures with optional attached, or referenced unstructured representations.) It may be used to represent the Privacy Consent Directive itself, a Consent Statement, which electronically represents a Consent Directive, or Consent Metadata, which is the minimum necessary consent content derived from a Consent Directive for use in workflow management.

Relationships

Consent management - particularly privacy consent - is complicated by the fact that consent to share is often itself necessary to protect. The need to protect the privacy of the privacy statement itself competes with the execution of the consent statement. For this reason, it is common to deal with 'consent statements' that are only partial representations of the full consent statement that the patient provided.

For this reason, the consent resource contains two elements that refer back to the source: a master identifier, and a direct reference to content from which this Consent Statement was derived. That reference can be one of several things:

• A reference to another consent resource from which this limited statement was derived
• A reference to a document format for the original source (e.g. PDF or CDA - see the HL7 CDAR2 ConsentDirective Implementation Guide , which incorporated the IHE Basic Patient Privacy Consents (BPPC) ), either directly, or in a reference
• The source can be included in the consent as an attachment

The consent statements represent a chain that refers back to the original source consent directive. Applications may be able to follow the chain back to the source but should not generally assume that they are authorized to do this.

Consent Directives are executed by verbal acknowledge or by being signed - either on paper, or digitally. Consent Signatures will be found in the Provenance resource (example consent and signature). Implementation Guides will generally make rules about what signatures are required, and how they are to be shared and used.

Background and Context

Change to "The Consent resource is structured with a base policy (represented as Consent.policy/Consent.policyRule) which is either opt-in or opt-out, followed by a listing of exceptions to that policy (represented as Consent.provision(s)). The exceptions can be additional positive or negative exceptions upon the base policy. The set of exceptions include a list of data objects, list of authors, list of recipients, list of Organizations, list of purposeOfUse, and Date Range.

The enforcement of the Privacy Consent Directive is not included but is expected that enforcement can be done using a mix of the various Access Control enforcement methodologies (e.g. OAuth, UMA, XACML). This enforcement includes the details of the enforcement meaning of the elements of the Privacy Consent Directive, such as the rules in place when there is an opt-in consent would be specific about which organizational roles have access to what kinds of resources (e.g. RBAC, ABAC). The specification of these details is not in scope for the Consent resource.

Referenced By

• ResearchSubject