FHIR Chat · Consent for Org A to disclose info to Org B · Security and Privacy

Stream: Security and Privacy

Topic: Consent for Org A to disclose info to Org B


Josh Mandel (Feb 21 2020 at 19:42):

Is it possible to model via http://build.fhir.org/consent a permission like "Patient P authorizes Organization A to disclose health records to Organization B"? Where/how would the orgs be named?

David Pyke (Feb 21 2020 at 19:45):

Patient P would be the Consent.patient, Organization A would be the Consent.organization, Org B would be Consent.Provision.actor.reference(Organization)

Mohammad Jafari (Feb 21 2020 at 19:55):

I'm curious if we can have a full resource content presented here because there are more questions like the value of policyRule and Provision.type

Josh Mandel (Feb 21 2020 at 20:22):

David Pyke said:

Org B would be Consent.Provision.actor.reference(Organization)

OK, so the role for that actor would be something like "Information Recipient"?

Josh Mandel (Feb 21 2020 at 20:23):

Yeah, having a complete example would be lovely. I'll add a request in Jira.

David Pyke (Feb 21 2020 at 21:14):

Yes, info recipient is the proper role.

Josh Mandel (Feb 21 2020 at 21:34):

Added FHIR#26369

Jose Costa Teixeira (Feb 22 2020 at 00:29):

I'm still convinced that we should split the concepts. What is asked is (how I see it) "can we document a permission that is supported by a consent?"

Jose Costa Teixeira (Feb 22 2020 at 00:31):

We started drafting Permission exactly for that purpose.

Jose Costa Teixeira (Feb 22 2020 at 00:33):

I'm not trying to sell a resource, just that Consent could be stretched here, but what about "Law L authorizes Organization A to disclose health records to Organization B"? That is not Consent, and if we use Permission for this one and Consent for the other, we have a complicated implementation.

Jose Costa Teixeira (Feb 22 2020 at 00:35):

What about the needed "Law L authorizes ... but only for the purpose of dispensing medications for the patient P"? (Consent must be specific.)

Jose Costa Teixeira (Feb 22 2020 at 00:36):

I guess I'm experiencing Consent fatigue already ;)

Jose Costa Teixeira (Feb 22 2020 at 00:38):

Some of us are arguing that in healthcare, consent is not the key mechanism for enabling permission to share data.

Peter Jordan (Feb 22 2020 at 04:23):

Jose Costa Teixeira said:

Some of us are arguing that in healthcare, consent is not the key mechanism for enabling permission to share data.

I'm intrigued by that assertion. Could you please expand on it? What is the key mechanism?

Jose Costa Teixeira (Feb 22 2020 at 04:34):

Yes. Assuming that Consent is an explicit assertion by the patient or someone on their behalf to allow something (which is pretty much how we define the Consent resource),

Jose Costa Teixeira (Feb 22 2020 at 04:34):

there are a lot of healthcare exchanges that are not consent-based.

Jose Costa Teixeira (Feb 22 2020 at 04:36):

When a pharmacy checks a prescription for dispensing, they do not need my consent.
Payers (mutualities, insurance) do not need consent to see my data; they must see my data in order to do their work.
Health authorities may see my data if there is a legal provision for them to do it.

Jose Costa Teixeira (Feb 22 2020 at 04:37):

They have legal permission to do this. In GDPR these are the other 5 grounds for legal processing besides Consent.

Jose Costa Teixeira (Feb 22 2020 at 04:40):

https://gdpr-info.eu/art-6-gdpr/

Jose Costa Teixeira (Feb 22 2020 at 04:43):

In addition to this, consent must be explicit, specific and free. So if you are asked to sign a bunch of consent papers, or just one consent paper that says "Please sign here and we can do whatever we want with your data", this is not really valid in the light of GDPR.

Jose Costa Teixeira (Feb 22 2020 at 04:44):

If the consent is specific, I would not say "I allow Org A to share data with Org B"; I would say "I allow Org A to share the necessary data with Org B for purpose X".

Jose Costa Teixeira (Feb 22 2020 at 04:45):

And if Org B needs my data because they are the hospital where Org A is the ambulance that brought me, well, I really do not need to consent to that.

Peter Jordan (Feb 22 2020 at 04:48):

Outside the EU, the law varies from country to country... In NZ, the key document is currently the Health Information Privacy Code: https://www.privacy.org.nz/assets/Files/Codes-of-Practice-materials/Consolidated-HIPC-current-as-of-28-Sept-17.pdf

Key clause is...
No information that would enable the identification of an individual may be provided under this section unless—
(a) the individual consents to the provision of such information; or
(b) the identifying information is essential for the purposes for which the information is sought.

Salient point is that this is a highly-complex area, and it is very difficult to make global generalisations.

Jose Costa Teixeira (Feb 22 2020 at 04:49):

The "some of us" part: in the Germany WGM we had a session with Petra Wilson, who is very knowledgeable on GDPR and privacy in healthcare. I had the above perspective from implementing GDPR and discussing with lawyers and the privacy authorities, and it was very good to hear Petra saying something like "given that consent must be explicit and specific, valid consent is likely not the legal basis that we need to worry most".

Jose Costa Teixeira (Feb 22 2020 at 04:51):

I agree with no generalisations; in fact, what I am resisting is the generalisation of using consent for everything. This is why I mention consent fatigue: we are really exaggerating in asking consent because we think this will cover our backs. In some cases it won't.

Jose Costa Teixeira (Feb 22 2020 at 04:53):

Yes, I expect that the NZ code will then explain that even under clause (b), the purpose must be justifiable. (For example, I had some marketing departments saying that they need the information to do their activities, and I replied that while that is true, some of their activities (profiling) may not be justifiable.)

Jose Costa Teixeira (Feb 22 2020 at 04:55):

And it's not only information that "would enable the identification of an individual"; it will also be other detailed information that further describes details about the individual, such as their health data, criminal record, political affiliation, sexual orientation, or simply personal details.

Jose Costa Teixeira (Feb 22 2020 at 04:57):

The point being: while we may have "Consent for Org A to disclose info to Org B" expressed as a consent if that is needed and valid, we will have many "Permissions for Org A to disclose some info to Org B for specific purposes".

Jose Costa Teixeira (Feb 22 2020 at 04:58):

I argue that Consent-based permission is just an instance of Permission. In fact, the Consent resource contains just the evidence for that permission assertion.

Jose Costa Teixeira (Feb 22 2020 at 04:59):

While we do want to exchange the Consent as we need the evidence, I think we also need to exchange or expose the Permission.

Jose Costa Teixeira (Feb 22 2020 at 05:02):

Just for context, this is my current perspective from implementing GDPR (every data governance program eventually asks to add GDPR into the mix, and the confusion between Consent and Permission is always a pain).

Peter Jordan (Feb 23 2020 at 02:16):

Interesting. One way of viewing this is that Consent is a process and Permission an outcome of that process. Certainly you don't see the word 'permission' in many legal documents, such as the Article 6 GDPR quoted above. However, as @Jose Costa Teixeira points out, that Article illustrates that there are other ways to reach that outcome.

John Moehrke (Feb 24 2020 at 14:41):

Jose, we will head that direction soon. But Josh's original request was explicitly Consent. So his case, and his thread, are satisfied as David indicated, using Consent.

Jose Costa Teixeira (Feb 24 2020 at 18:53):

Ok


Last updated: Apr 12 2022 at 19:14 UTC