Consent — detail: patient consent
Patient consent modelling for consultation, data sharing, research, advance directives. Compliant with GDPR article 7 (explicit revocable consent), HIPAA Privacy Rule, IHE BPPC (Basic Patient Privacy Consents). Granular provision with exceptions by diagnosis or usage type.
GDPR article 7 compliance
GDPR article 7 imposes 4 criteria for a valid consent:
- Freely given — without pressure (typically, conditioning care on consent = invalid).
- Specific — one consent per distinct purpose (FHIR
purpose+action). - Informed — accessible usage policy (FHIR
policyTextreference to a DocumentReference). - Unambiguous — positive and clear act (FHIR
decision: permit, never default opt-out).
Plus revocability: status: inactive or revoked must propagate in real-time to all DMP consumers.
Key fields
| Field | Cardinality | Role |
|---|---|---|
status | 1..1 | draft / active / inactive / not-done / entered-in-error / unknown. |
category | 1..* | Consent type (INFAO, IDSCL, TREAT, RESEARCH). |
subject | 0..1 | Concerned patient. |
date | 0..1 | Signature date. |
grantor | 0..* | Who consents (typically Patient or RelatedPerson). |
grantee | 0..* | To whom consent is granted (Organization, Practitioner). |
controller | 0..* | GDPR article 4 data controller. |
policyText | 0..1 | Referenced policy text. |
decision | 0..1 | permit / deny at root level. |
provision | 0..* | Granular rules (sub-section). |
Granular provision (deny vs permit)
The strength of FHIR Consent: nested provisions with decision opposite to root. Example: "I consent (permit) to share my medical record with my primary care physician, EXCEPT (deny) mental health diagnoses".
Each provision can filter on:
period— time window.actor— who can access (role or identifier).action— which action (access, correct, disclose).securityLabel— confidentiality level (N=normal, R=restricted, V=very restricted).purpose— purpose (TREAT, HRESCH, HOPERAT, ETREAT).code— diagnosis or data category (SNOMED CT codes).dataPeriod— data window (retroactive).
Example: DMP consent with mental health exception
{
"resourceType": "Consent",
"id": "consent-dmp-marie-887",
"status": "active",
"category": [{
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/consentcategorycodes",
"code": "INFAO",
"display": "Information access"
}]
}],
"subject": { "reference": "Patient/marie-durand-887" },
"date": "2026-05-19",
"grantor": [{ "reference": "Patient/marie-durand-887" }],
"grantee": [{
"reference": "Organization/asip-dmp",
"display": "ANS - Mon Espace Sante"
}],
"controller": [{
"reference": "Organization/asip-dmp"
}],
"policyText": {
"reference": "DocumentReference/dmp-policy-v3"
},
"decision": "permit",
"provision": [{
"period": {
"start": "2026-05-19",
"end": "2031-05-19"
},
"actor": [{
"role": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-ParticipationType",
"code": "AUT"
}]
},
"reference": { "reference": "PractitionerRole/primary-care-physician" }
}],
"action": [{
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/consentaction",
"code": "access"
}]
}, {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/consentaction",
"code": "correct"
}]
}],
"securityLabel": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-Confidentiality",
"code": "N",
"display": "Normal"
}],
"purpose": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-ActReason",
"code": "TREAT"
}],
"dataPeriod": {
"start": "2010-01-01"
},
"provision": [{
"decision": "deny",
"code": [{
"coding": [{
"system": "http://snomed.info/sct",
"code": "47505003",
"display": "Post-traumatic stress disorder"
}]
}],
"purpose": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-ActReason",
"code": "HRESCH"
}]
}]
}]
} Common pitfalls
- Conflicting provisions — resolution rule: most specific provision wins. But the provider must implement a coherent policy decision point (PDP) (XACML-like).
- No validity period — a consent without
provision[].periodis eternal; GDPR requires reflection on duration. - Revocation not propagated — setting status=revoked without notification to Subscriptions creates orphan accesses.
- grantor ≠ subject — for minors or protected adults, grantor is the legal representative, subject is the patient. Frequent error.