
Consent

This is a draft document. Please be aware that the contents are subject to change.

FHIR Consent Resource

https://www.hl7.org/fhir/consent.html

Overview

PKB restricts access to data based on 4 privacy labels. A patient grants an actor permission to access 0 or more of those privacy labels.

The Consent resource represents which privacy labels the patient has permitted a specific actor to access. The privacy labels themselves are represented as a security label, taken from the same set of security labels that will be returned in Meta.security.

Note: Consent resources are themselves subject to consent filtering. As such, if a patient has a Consent resource for an Organization that the caller does not have consent to know about (i.e. the Organization has been tagged with a privacy label that has not been granted to the caller) then that Organization's consent will be silently omitted from the result set.

See also: FHIR API Resources#Resource&Metadata

See also: $purview

Relevant Entities

Endpoints

Protection Category: Consent
Interaction: search
HTTP: GET
URL: /Consent
Supported Search Params:
  • patient. Required. Multi-value support: none. Modifier support: [<type>].
Permitted User Types:
  • Patient
  • Professional
Description: Retrieve the consents granted by the specified patient.
Examples: /Consent?patient=Patient/3d8afd18-0844-459a-b3c2-355d02e54c0a

Mappings

FHIR: Resource id
PKB: [[Consent Record.Public ID]]

FHIR: Consent.status
PKB: <conditional>
If [[Consent Record.Discharged]] is FALSE: "active"
Else: "inactive"

FHIR: Consent.patient
PKB: A Reference to the [[Patient]] should be returned.
  • patient: Reference
    • reference = the relative URL of the Patient resource
    • display = [[User.Title]] [[User.Given Name]] [[User.Family Name]]
 
FHIR: Consent.actor
PKB: Who the consent has been granted to.
  • actor: BackboneElement
    • role: CodeableConcept
      • coding[0]: Coding
        • code = "CONSENTER"
        • system = "http://hl7.org/fhir/v3/RoleCode"
    • reference: Reference
      • reference = <conditional>
        • If consent has been granted to a [[Team]]: the relative URL of the Organization (representing the Team)
        • Else if consent has been granted to an Individual [[Professional]]: the relative URL of the Practitioner
        • Else if consent has been granted to a [[Patient]]: a reference to a contained RelatedPerson instance (see RelatedPerson mappings)
      • display = <conditional>
        • If consent has been granted to a [[Team]]: [[Team.Name]]
        • Else if consent has been granted to an Individual [[Professional]]: [[User.Title]] [[User.Given Name]] [[User.Family Name]]
        • Else if consent has been granted to a [[Patient]]: [[User.Title]] [[User.Given Name]] [[User.Family Name]]

FHIR: Consent.except
PKB: For each privacy label the actor has been granted consent for, an "except" element should be returned.
  • except: BackboneElement
    • type = "permit"
    • securityLabel = as per metadata
Notes: The overall Consent resource represents a "policy". The PKB policy for consent is "opt-in": the patient specifies what someone can see, rather than what they cannot see. So this Consent resource means the actor cannot see anything except the entries in the "except" list.

Note: one "except" entry is needed for each privacy label because the FHIR specification states that if multiple security labels are included in one list, then the corresponding data needs to have all those labels, whereas PKB operates a single-label policy.

See also: FHIR API Resources#Resource&Metadata
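
As an added example (not PKB's own code), this is one way a client could read a returned Consent under the opt-in policy described above: nothing is permitted unless an active Consent carries a "permit" except entry for that label. The label system URL, the label codes, and the fail-closed handling of multi-label entries and unlabelled resources are assumptions made for illustration.

```python
# Constructed placeholders: the page does not list PKB's label system or codes.
LABEL_SYSTEM = "https://example.invalid/privacy-label"

def permitted_labels(consent):
    """Return the (system, code) privacy labels this Consent grants its actor."""
    if consent.get("resourceType") != "Consent":
        raise ValueError("not a Consent resource")
    # A discharged consent record maps to status "inactive": it grants nothing.
    if consent.get("status") != "active":
        return set()
    granted = set()
    for entry in consent.get("except", []):
        codings = entry.get("securityLabel", [])
        # Opt-in policy: only "permit" entries widen access. One label per
        # entry is expected; anything else is skipped (assumption: fail closed).
        if entry.get("type") != "permit" or len(codings) != 1:
            continue
        system, code = codings[0].get("system"), codings[0].get("code")
        if system and code:
            granted.add((system, code))
    return granted

def may_access(consent, resource):
    """True only if the resource's Meta.security has a label the Consent permits."""
    granted = permitted_labels(consent)
    security = resource.get("meta", {}).get("security", [])
    # Assumption: a resource with no security label is treated as not permitted.
    return any((s.get("system"), s.get("code")) in granted for s in security)

def label(code):
    """Build a Coding for a constructed placeholder label."""
    return {"system": LABEL_SYSTEM, "code": code}

# Constructed sample shaped like the mapping above (label codes are made up).
SAMPLE_CONSENT = {
    "resourceType": "Consent",
    "status": "active",
    "patient": {"reference": "Patient/3d8afd18-0844-459a-b3c2-355d02e54c0a"},
    "except": [
        {"type": "permit", "securityLabel": [label("LABEL_A")]},
        {"type": "permit", "securityLabel": [label("LABEL_B")]},
    ],
}

if __name__ == "__main__":
    record = {"resourceType": "Observation", "meta": {"security": [label("LABEL_C")]}}
    print(sorted(permitted_labels(SAMPLE_CONSENT)))
    print(may_access(SAMPLE_CONSENT, record))  # False: LABEL_C was never granted
```

Because Consent results are themselves consent-filtered, an empty or partial result set means only that the caller was shown no grant, not that none exists.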
