Stream: implementers
Topic: Consent Implementations
David Pyke (Jan 15 2020 at 18:40):
As part of our desire to move Consent up the FMM levels, we are interested in finding out who has implemented the Consent resource. If you have an implementation in the real world (i.e., not just testing). Please add it to this page: https://confluence.hl7.org/display/CBCP/Consent+Implementations. If you have difficulty getting to the page, please reply here with the following:
Country:
Organization:
FHIR Version:
Implementation Date:
Link (if Public):
David Pyke (Jan 24 2020 at 18:21):
Just bringing this back into focus. We need your help!
Mikael Rinnetmäki (Jan 29 2020 at 06:23):
I understand you're looking for real world production use. Are you in any way interested in pre-production / testing cases also?
Elise Myers (Mar 24 2020 at 02:06):
I have a use case for practitioners to consent to different levels of information sharing. I thought the Consent resource would be an obvious choice, but the Consent.subject can't be Practitioner or Person (which I would actually prefer to use so that I can de-identify the practitioner). Any suggestions for another resource to use or a way to extend Consent for my use?
Lloyd McKenzie (Mar 24 2020 at 02:19):
Nothing is allowed to point to Person - Person is only a linking resource. It's not permitted to be the target of relationships. It does indeed seem odd that Practitioners can't consent. @David Pyke ?
David Pyke (Mar 24 2020 at 02:29):
Nobody has brought to us a use case like that. We did remove the constraint requiring a patient of it's not one of the base scopes.
If you use a custom scope, then it would be possible to find a way to handle your use case.
Unfortunately, we're beginning the process to reschedule the Consent call so until we have a new time, I would need you to open a jira ticket with details we could discuss.
Jose Costa Teixeira (Mar 24 2020 at 06:12):
If a practitioner is affirming the permission to share data about a patient, this sounds like the case I'd want for Permission.
John Moehrke (Mar 24 2020 at 13:05):
This sounds like a use-case for the newly drafted Permission resource. It is just in first draft, so we have not tested it against many use-cases Can you describe your use-case well enough for us to do use-case analysis? What are the elements of your need?
Elise Myers (Mar 24 2020 at 15:19):
I don't mean for a Practitioner to give permission for a Patient's data to be shared. I mean a Practitioner consenting to their own data being shared (ex. tracking their de-identified location for research purposes vs. tracking their identifiable location to share with care team members).
Jose Costa Teixeira (Mar 24 2020 at 15:38):
ah that is indeed a job for Consent.
John Moehrke (Mar 24 2020 at 15:58):
I still think it is a Permission. They are giving Permission for their own data... the Permission is designed to not be specifically limited. Indeed when we get more mature the Permission might totally replace the Consent.provision elements. If you need to have some record of the paper ceremony of the agreement, then link to/from a DocumentReference that has appropriate metadata about that scanned paper.
Lloyd McKenzie (Mar 24 2020 at 16:03):
I don't understand why a Practitioner allowing their data to be used would be one resource and a Patient doing the same would be a different one. As I understand it, Consent is a record of the granting of a Permission.
Jose Costa Teixeira (Mar 24 2020 at 16:08):
Well, I can relate to that (John's statement).
Conceptually this seems an expression of Permission (what can you share, with whom, for what) that is supported by a Consent as evidence (a signed paper).
Jose Costa Teixeira (Mar 24 2020 at 16:14):
I should have been clearer: This would use Consent. Perhaps still using Permission as a wrapper, but there is an explicit consent
John Moehrke (Mar 24 2020 at 16:27):
Lloyd McKenzie said:
I don't understand why a Practitioner allowing their data to be used would be one resource and a Patient doing the same would be a different one. As I understand it, Consent is a record of the granting of a Permission.
my statement is more a statement of the reality of the current model. The Consent.subject can be left off, this was demanded by the Provider Directory use-case to enable a Permission like function that is not Patient-Privacy-Consent... There has been no actual use of Consent.subject being empty for this kind of a use-case, so not clear it worked well. My statement is more a pointer to the new model using Permission so that we can move beyond.
Jose Costa Teixeira (Mar 24 2020 at 16:39):
Jose Costa Teixeira (Mar 24 2020 at 16:39):
quite ugly
David Pyke (Mar 24 2020 at 18:25):
AGain, it would be possible to add Practitioner to the Consent.subject to fit this use case, it would also allow for Consent for provider registries to be incorporated. I think this is a good idea, over all.
Elise Myers (Mar 24 2020 at 18:42):
Is there any reason Practitioner can't be added to Consent.subject? That would be the simplest solution for me, personally.
Lloyd McKenzie (Mar 24 2020 at 18:43):
I think David was just agreeing with that. Next step is for someone to submit a change request. For those needing the functionality prior to R5, you'll need to use an extension
Elise Myers (Mar 24 2020 at 20:52):
Great! I was just confirming that there were no downsides to this solution. Shall I submit a change request?
David Pyke (Mar 24 2020 at 21:12):
Yes please!
Elise Myers (Mar 25 2020 at 20:31):
done https://jira.hl7.org/browse/FHIR-26644
Aleksandra Pavlyshina (Jan 21 2021 at 22:50):
Hi All,
Could someone please advise, is it possible to create a Consent resource for a caregiver for a minor/for an adult consenting an organization to contact them, collect, store, and process their questionnaire responses if we don't have any information about a patient (the patient can be a child or adult)?
FHIR R4 Consent resource has the following rules:
- Rule: Either a Policy or PolicyRule
- Rule: IF Scope=privacy, there must be a patient
- Rule: IF Scope=research, there must be a patient
The questionnaire has the following question:
Are you applying as a patient or a caregiver?
- Patient
- Caregiver for a minor
- Caregiver for an adult
And at the end of the questionnaire, they need to accept Privacy Notice and Consent Authorisation.
Lloyd McKenzie (Jan 21 2021 at 23:54):
@David Pyke
David Pyke (Jan 22 2021 at 00:00):
In order to bypass the scope requirement for a patient, you will need to extend the scope value set. Only the default scopes require a patient
Aleksandra Pavlyshina (Jan 22 2021 at 14:41):
Hello David,
Actually, I tried to validate a FHIR R4 Consent resource with scope=research without patient element, and FHIR Validator did not return an error that patient is missing.
Looks like the constraint rule is not correct: patient.exists() or scope.coding.where(system='something' and code='research').exists().not(). Likely, the problem is in the system='something' piece.
Aleksandra Pavlyshina (Jan 22 2021 at 16:07):
How to represent such form in a FHIR compliant way? Would welcome any feedback.
I was thinking of gathering patient/caregiver responses to a QuestionnaireResponse resource without creation of Patient/RelatedPerson resources at first:
{
"resourceType": "QuestionnaireResponse",
"status": "completed",
"authored": "2021-01-22T16:03:11.985Z",
"item": [{
"linkId": "1",
"text": "I acknowledge that I am over 18 years of age, and I have read and understood the contents of this authorization.",
"answer": [{
"valueBoolean": true
}
]
}, {
"text": "I agree to be contacted, including by virtual meeting platforms, by AstraZeneca in relation to the Patient Partnership Program and other internal activities for the purpose of AstraZeneca learning more about patients’ perspectives and experiences as indicated in this website.",
"answer": [{
"valueBoolean": true
}
]
}, {
"text": "I agree to have my responses to this questionnaire collected, stored and processed by AstraZeneca for the purposes of considering me for one of AstraZeneca's patient programs and my participation in such as described in this notice.",
"answer": [{
"valueBoolean": true
}
]
}, {
"text": "I understand that as part of the Patient Partnership Program, I may be asked for permission to record and use my image and my voice. NB. We will always ask for your consent to record, store and/or use photography/video/audio recordings which includes you as an identifiable individual for each individual project that you may be asked to participate in.",
"answer": [{
"valueBoolean": true
}
]
}
]
}
David Pyke (Jan 22 2021 at 16:09):
As I said previously, you'll need to extend the Consent Scope Codes with your own code, declaring a new scope. That will allow you to create a Consent with no patient attached.
Aleksandra Pavlyshina (Jan 22 2021 at 16:12):
Then, I'd create a Consent resource and RelatedPerson, and reference the QuiestionnaireResponse in the Consent.sourceReference:
{
"resourceType": "Consent",
"id": "consent-for-caregiver",
"status": "active",
"scope": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/consentscope",
"code": "research",
"display": "Research"
}
]
},
"category": [{
"coding": [{
"system": "http://loinc.org",
"code": "57016-8",
"display": "Privacy policy acknowledgement Document"
}
]
}
],
"dateTime": "2016-05-11",
"performer": [{
"reference": "RelatedPerson/relPerson"
}
],
"organization": [{
"display": "AstraZeneca"
}
],
"sourceReference": {
"reference": "QuestionnaireResponse/questionnaireresponse1"
},
"policy": [{
"uri": "https://www.globalprivacy.astrazeneca.com"
}
],
"provision": {
"type": "permit",
"period": {
"start": "2021-01-22",
"end": "2022-01-22"
},
"actor": [{
"role": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-ParticipationType",
"code": "CST",
"display": "custodian"
}
]
},
"reference": {
"display": "AstraZeneca"
}
}
],
"provision": [{
"type": "permit",
"action": [{
"text": "Contact, including by virtual meeting platforms, in relation to the Patient Partnership Program and other internal activities for the purpose of AstraZeneca learning more about patients’ perspectives and experiences as indicated in this website."
}
],
"purpose": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-ActReason",
"code": "HRESCH",
"display": "healthcare research"
}
]
}, {
"type": "permit",
"action": [{
"text": "To have my responses to this questionnaire collected, stored and processed by AstraZeneca for the purposes of considering me for one of AstraZeneca's patient programs and my participation in such as described in this notice."
}
],
"data": [{
"meaning": "instanse",
"reference": {
"reference": "#questionnaireresponse"
}
}
]
}, {
"type": "permit",
"action": [{
"text": "As part of the Patient Partnership Program, ask me for permission to record and use my image and my voice. NB. We will always ask for your consent to record, store and/or use photography/video/audio recordings which includes you as an identifiable individual for each individual project that you may be asked to participate in."
}
]
}
]
}
}
David Pyke (Jan 22 2021 at 16:12):
Correct
Aleksandra Pavlyshina (Jan 22 2021 at 16:14):
David, thank you much for your responses!
Ashish_N (Feb 18 2021 at 18:54):
Hi, I'm looking for suggestion where Patient provides permission to Practitioner so that Practitioner can view his health information. Is Consent resource can be helpful?
David Pyke (Feb 18 2021 at 18:54):
Yes, that is where it would be stored.
Ashish_N (Feb 18 2021 at 19:08):
Thanks David for quick response. Is there any sample implementation where I can look and try?
David Pyke (Feb 18 2021 at 19:10):
you can find the list of public test servers here: https://confluence.hl7.org/display/FHIR/Public+Test+Servers
Ashish_N (Feb 18 2021 at 19:14):
Thanks so much David.
Ashish_N (Feb 19 2021 at 09:11):
Hi All, I looked at the consent resource and wanted to understand how Consent resource helps in data access determination?
Let suppose Patient provides consent to specific Practitioner to view his medical data. In a RESTFul API call do we need to implement logic to check if requester is having consent to perform action on requested URL or something else?
David Pyke (Feb 19 2021 at 14:09):
You would need a back-end process that would check the request against the patient's Consent to see what information is allowed. The resource itself is really designed to pass consent information across systems
Ashish_N (Feb 20 2021 at 10:57):
Thanks David.
Dheeraj Kumar Pal (Dec 09 2021 at 12:37):
We are working on creating a central consent repository and push it to all our stakeholder in real-time and also allowing all our partner to query the central repository. Is there any implementation or profile created for Consent management ?
David Pyke (Dec 09 2021 at 13:44):
There is a LEAP Grant implementation. @Mohammad Jafari can you help?
Dheeraj Kumar Pal (Dec 10 2021 at 10:26):
Thank you David !! Hey @Mohammad Jafari .. Could you please help us with this?
Mohammad Jafari (Dec 16 2021 at 16:30):
Thanks Dheeraj. The ONC LEAP Consent Decision Service might be something you'd want to look into. It's an open source project on Github and there's an overview document about the architecture here: https://sdhealthconnect.github.io/leap/blog/2021/09/30/architecture.html
Doug Morand (Feb 08 2022 at 19:37):
I'm working with someone who provides Patient consent for various applications via an Order (HL7 transaction ORM^O01). Currently this results in a ServiceRequest, but what I'd like to do is also create a Consent resource when these types of orders are received.
Where should I model the designation for the consent (i.e. application1, application2, application4). My initial thought was to store the classification on Consent.provision.purpose with the applicable application (e.g. application1).
Lloyd McKenzie (Feb 08 2022 at 20:03):
Typically the app would be represented as consent.provision.actor - specifically a Device. If the consent is granting authority to an app or to the use of an app, that would the appropriate way to capture it. Purpose would be "for what reasons are you allowed to use the app?"
Doug Morand (Feb 08 2022 at 21:43):
Thanks Lloyd, actor makes sense! Is a Device resource typically how an application would be defined? I assumed Device was for medical devices vs. an application. In this context the Patient is providing Consent for another application (i.e. Patient portal type application) to access their data.
Lloyd McKenzie (Feb 08 2022 at 21:44):
Yes. Software applications are considered to be 'devices' in FHIR.
John Moehrke (Feb 08 2022 at 21:45):
I agree with Lloyd.. but the definition of the Device resource is rather clear it is about "manufactured item", which is a stretch for many to read that as software.
Lloyd McKenzie (Feb 08 2022 at 21:47):
I've just submitted FHIR#35984 to get it made explicit
John Moehrke (Feb 08 2022 at 21:48):
I was just about to submit my own ticket... thanks.
Doug Morand (Feb 08 2022 at 21:50):
Thank you, appreciate the help... and quick response!
Jaime Olivares (Feb 14 2022 at 03:29):
We use Consent at the Efferent Platform since 2018. I just published a new article about it: https://www.linkedin.com/pulse/applied-fhir-consent-jaime-olivares/
Last updated: Apr 12 2022 at 19:14 UTC
