FHIR Chat · FHIR Consent Resource · Consent Decision and Management Services

Stream: Consent Decision and Management Services

Topic: FHIR Consent Resource

view this post on Zulip Kalyani Yerra (May 27 2021 at 07:37):

Is the intent of consent.provision.data to capture the data domains(immunizations ) that a user gave consent to share or deny?

view this post on Zulip John Moehrke (May 27 2021 at 09:40):

The .data element is expected to be used when there are explicit instances that need to be explicitly permitted or denied. The .meaning allows you to indicate that the scope is just that instance, any other instances that are related, any other instances that point at this instance, or any data authored by this instance. So for example one could point at an encounter and indicate that the scope (meaning) is dependent. That would be a way to Permit or Deny access to everything relevant to that encounter.
This presumes that the access control decision engine supports this very advanced concept.

view this post on Zulip Kalyani Yerra (May 27 2021 at 15:26):

John Moehrke said:

The .data element is expected to be used when there are explicit instances that need to be explicitly permitted or denied. The .meaning allows you to indicate that the scope is just that instance, any other instances that are related, any other instances that point at this instance, or any data authored by this instance. So for example one could point at an encounter and indicate that the scope (meaning) is dependent. That would be a way to Permit or Deny access to everything relevant to that encounter.
This presumes that the access control decision engine supports this very advanced concept.

Thank you @John Moehrke for your detailed explanation. Let's say A patient consents App2 to use their lab data from App1, but not any other clinical data that exists in App1, How is this consent captured in the FHIR consent resource.

view this post on Zulip John Moehrke (May 27 2021 at 15:46):

not enough information about the policies covering data persistence and lifecycle management or the data profiling. FHIR Core is just an interoperability specification, not a systems design.

view this post on Zulip John Moehrke (May 27 2021 at 15:47):

One could imagine a setup where all data created by App1 has an author indicating the device of App1. Thus one could use that device as the linkage. This would also be highly reliant on policies refusing to allow updates of the data to remove this device authorship. And would be relying on access control infrastructure that can handle this complex of a rule.

Last updated: Apr 12 2022 at 19:14 UTC


An HL7 Website -