

This is a draft document. Please be aware that the contents are subject to change.

FHIR Consent Resource


PKB restricts access to data based on 4 privacy labels. A patient grants an actor permission to access 0 or more of those privacy labels.

The Consent resource represents which privacy labels the patient has permitted a specific actor to access. The privacy labels themselves are represented as a security label, taken from the same set of security labels that will be returned in

Note: Consent resources are themselves subject to consent filtering. As such, if a patient has a Consent resource for an Organization that the caller does not have consent to know about (i.e. the Organization has been tagged with a privacy label that has not been granted to the caller) then that Organization's consent will be silently omitted from the result set.

See also: FHIR API Resources#Resource&Metadata

See also: $purview

Relevant Entities

  • [[Consent Record]]


Protection Category: Non Clinical
Interaction: search
HTTP: GET
URL: /Consent?patient=Patient/<id>
Supported Search Params:
  • patient (mandatory)
Permitted User Types:
  • Patient
  • Professional
Description: Retrieve the consents granted by the specified patient.


Resource id: [[Consent Record.Public ID]]
If [[Consent Record.Discharged]] is FALSE: "active"
Else: "inactive"
Consent.patient: A Reference to the [[Patient]] should be returned.
  • Reference.reference = the relative URL of the Patient resource
  • Reference.display = [[User.Title]] [[User.Given Name]] [[User.Family Name]]
Consent.actor: Who the consent has been granted to.
  • BackboneElement.role
    • CodeableConcept
      • Coding[0] 
        • code = "CONSENTER"
        • system = ""
  • BackboneElement.reference
    • Reference.reference = <conditional>
      • If consent has been granted to a [[Team]]: the relative URL of the Organization (representing the Team)
      • Else if consent has been granted to an Individual [[Professional]]: the relative URL of the Practitioner
      • Else if consent has been granted to a [[Patient]]: a reference to a contained RelatedPerson instance
        • (see RelatedPerson mappings)
    • Reference.display = <conditional>
      • If consent has been granted to a [[Team]]: [[Team.Name]]
      • Else if consent has been granted to an Individual [[Professional]]: [[User.Title]] [[User.Given Name]] [[User.Family Name]]
      • Else if consent has been granted to a [[Patient]]: [[User.Title]] [[User.Given Name]] [[User.Family Name]]

Consent.except: For each privacy label the actor has been granted consent for, an "except" element should be returned.
  • BackboneElement.type = "permit"
  • BackboneElement.securityLabel = as per metadata 
The idea here is that the overall Consent resource represents a "policy". The PKB policy for consent is "opt-in" in the sense that the patient specifies what someone can see, rather than what they cannot see. So this Consent resource means the actor cannot see anything, except the entries in the "except" list.

Note - we need one except entry for each privacy label because the FHIR specs state that if multiple security labels are included in one list, then the corresponding data needs to have all those labels, but PKB operates a single-label policy.

See also: FHIR API Resources#Resource&Metadata
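
A client-side reading of this mapping, as an added example that is not PKB code: it evaluates a Consent resource under the opt-in, one-label-per-"except" policy described above. The label codes, system URL, resource ids and the use of Consent.status for the "active"/"inactive" value are assumptions made for illustration.

```python
# Added example with constructed data; not PKB code.
# Assumptions: the label codes and system URL are placeholders, and the
# "active"/"inactive" value is read from Consent.status.
PLACEHOLDER_SYSTEM = "https://example.invalid/privacy-label"


def permitted_labels(consent):
    """Return the (system, code) privacy labels the actor may access.

    Opt-in policy: nothing is visible unless an "except" entry of type
    "permit" names it, and a consent that is not "active" grants nothing.
    """
    if consent.get("resourceType") != "Consent" or consent.get("status") != "active":
        return set()
    granted = set()
    for entry in consent.get("except", []):
        if entry.get("type") != "permit":
            continue  # this mapping only emits "permit"; never widen access
        labels = entry.get("securityLabel", [])
        # Several labels in one list would mean "data carrying all of them",
        # which single-label data never satisfies, so treat it as malformed.
        if len(labels) != 1:
            raise ValueError("expected exactly one securityLabel per except entry")
        granted.add((labels[0].get("system"), labels[0].get("code")))
    return granted


def may_access(consent, data_label):
    """Default deny: data is visible only if its single label was granted."""
    return data_label in permitted_labels(consent)


def sample_consent(status, codes):
    """Build a constructed Consent shaped like the mapping on this page."""
    return {
        "resourceType": "Consent",
        "id": "constructed-public-id",
        "status": status,
        "patient": {"reference": "Patient/constructed-1"},
        "actor": [{
            "role": {"coding": [{"code": "CONSENTER", "system": ""}]},
            "reference": {"reference": "Organization/constructed-team"},
        }],
        "except": [
            {"type": "permit",
             "securityLabel": [{"system": PLACEHOLDER_SYSTEM, "code": code}]}
            for code in codes
        ],
    }
```

Because Consent resources are themselves consent-filtered, a missing Consent for an actor should be read as "no visible grant", which this default-deny evaluation already does.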