FHIR Chat · Privacy Consent · implementers

Stream: implementers

Topic: Privacy Consent


John Moehrke (Apr 13 2016 at 14:35):

I would like real-world Privacy Consent use-cases that I can work into the Privacy Consent Directive IG. Please submit them here.

Drew Torres (Apr 13 2016 at 18:52):

Have you thought about the authorized representative use-case? I think we spoke about this briefly at the WGM in January. Patient-facing applications will need the ability to understand who is accessing data, and the app will need to understand what data that person can see.

Drew Torres (Apr 13 2016 at 18:59):

An example use-case is a child going to a children's hospital who doesn't grant consent. The parent will be his authorized representative to view patient health information. So in a patient portal or an application the parent would be able to view data because they are authorized to do so. The authorization, or contract as we have modeled it in FHIR, would expire, while the relationship will always exist.

John Moehrke (Apr 13 2016 at 20:25):

I think the model supports this... but that is why I want challenges that I must prove, so let me toy with this.

Aaron Seib (Apr 17 2016 at 19:35):

John - a related challenge that I have encountered in the State Agencies is the case of Foster Children where the legal guardian may be people in a number of roles including Social Workers, Foster Parents and even the Court Judge. The variance between this and a traditional parent role being that in biological families your dad is pretty much your dad for your lifetime while in the case of Foster Children the person in the legal guardian role can change relatively frequently for Foster Children (or similar types of individuals that are effectively wards of the state). I have no experience regarding the role of the prison system in regards to prisoners but presume that an incarcerated person's rights may be restrained and wouldn't be surprised if it changed from state to state or type of sentence or some other attributes.

John Moehrke (Apr 18 2016 at 19:23):

Hi @Andrew Torres I finally have a model of your authorized representative use-case.

John Moehrke (Apr 18 2016 at 19:23):

Here is the authorized representative use-case that I modeled. http://healthcaresecprivacy.blogspot.com/2016/04/consent-given-to-authorized.html

John Moehrke (Apr 18 2016 at 19:27):

@Aaron Seib I think I would handle that simply through the fact that the data is living. Meaning when a role changes, the data changes to reflect that new role. Or when authorization changes, the record changes to indicate the change of authorization. So for example if there was not an expiration, but circumstances call for a change of the authorized representative; then I would deprecate (we don't yet have a state in Contract, but have discussed it), and record a new Contract (Consent). (In XDS this is done simply by replacing the former with a new consent, where the replace operator logically deprecates).

Drew Torres (Apr 18 2016 at 20:00):

@John Moehrke That is awesome. Is there somewhere I can take a look? There were some questions we had around some of the valuesets for type, subtype, and action on the contract resource.

Drew Torres (Apr 18 2016 at 20:00):

@John Moehrke Just saw the URL; I will take a look and comment.


Last updated: Apr 12 2022 at 19:14 UTC