ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

Contract — The healthcare legal agreement

Informed consent, sharing authorization, advance directive, patient-provider contract: Contract is the pivot resource for healthcare legal agreements, aligned with GDPR and HIPAA.

Purpose

Contract is the generic resource for any legal agreement relevant to healthcare: Privacy Consent Directive (HIPAA Authorization, GDPR Article 6 or 9), patient-facility service contract, AI licence contract, employer-payer contract, representation mandate, advance directive.

Contract is broader than Consent. Consent is specific to patient consent directives; Contract covers any agreement, including B2B agreements between organisations.

Key fields

FieldTypeCardinalityRole
identifierIdentifier[]0..*External identifiers.
urluri0..1Canonical URL.
versionstring0..1Version.
statuscode0..1amended | appended | cancelled | disputed | entered-in-error | executable | executed | negotiable | offered | policy | rejected | renewed | revoked | resolved | terminated.
legalStateCodeableConcept0..1Legal state.
instantiatesCanonicalReference(Contract)0..1Canonical template instantiated.
issueddateTime0..1Issue date.
appliesPeriod0..1Validity period.
expirationTypeCodeableConcept0..1Expiration cause.
subjectReference(Any)[]0..*Subject (typically Patient).
authorityReference(Organization)[]0..*Authority (regulator, employer...).
typeCodeableConcept0..1Type (consent, policy, treatment...).
subTypeCodeableConcept[]0..*Subtype.
titlestring0..1Human-readable title.
termBackboneElement[]0..*Contractual clauses (recursive).
term.offerBackboneElement1..1Contract offer (proposal, expected decision).
term.assetBackboneElement[]0..*Assets at stake (data, goods, services).
term.actionBackboneElement[]0..*Required or permitted actions.
signerBackboneElement[]0..*Signers.
signer.signatureSignature[]1..*Digital signature(s).
friendlyBackboneElement[]0..*Human-readable version (PDF, narrative).
legalBackboneElement[]0..*Legally binding version.
ruleBackboneElement[]0..*Executable rules (CQL, rules engine).
legallyBinding[x]Attachment | Reference0..1Reference to legally binding version.

JSON example

Privacy Consent Directive opt-out: the patient withdraws data-sharing consent toward a specific clinic, valid 1 year, digitally signed:

json contract-pcd-optout.json
{
  "resourceType": "Contract",
  "id": "pcd-example-notOrg",
  "url": "http://example.org/Contract/pcd-example",
  "version": "1",
  "status": "executed",
  "issued": "2026-05-14T10:00:00+02:00",
  "applies": {
    "start": "2026-05-14T10:00:00+02:00",
    "end": "2027-05-14T10:00:00+02:00"
  },
  "subject": [{ "reference": "Patient/example" }],
  "authority": [{ "reference": "Organization/hl7-pa" }],
  "type": {
    "coding": [{
      "system": "http://terminology.hl7.org/CodeSystem/contract-type",
      "code": "consent",
      "display": "Consent"
    }]
  },
  "subType": [{
    "coding": [{
      "system": "http://terminology.hl7.org/CodeSystem/contractsubtypecodes",
      "code": "DDR",
      "display": "Data Disclosure"
    }]
  }],
  "title": "Privacy Consent Directive",
  "subtitle": "Excluding the ABC Health Care Clinic from data exchange",
  "alias": ["HIPAA Authorization"],
  "term": [{
    "issued": "2026-05-14T10:00:00+02:00",
    "type": {
      "coding": [{
        "system": "http://terminology.hl7.org/CodeSystem/contracttermtypecodes",
        "code": "statutory"
      }]
    },
    "offer": {
      "type": {
        "coding": [{
          "system": "http://terminology.hl7.org/CodeSystem/contracttermsubtypecodes",
          "code": "smart-contract"
        }]
      },
      "decision": {
        "coding": [{
          "system": "http://terminology.hl7.org/CodeSystem/v3-ActConsentDirective",
          "code": "OPTOUT"
        }]
      }
    },
    "action": [{
      "type": {
        "coding": [{
          "system": "http://terminology.hl7.org/CodeSystem/contractaction",
          "code": "action-a"
        }]
      },
      "intent": {
        "coding": [{
          "system": "http://terminology.hl7.org/CodeSystem/v3-ActReason",
          "code": "HPRGRP"
        }]
      },
      "status": { "coding": [{ "code": "completed" }] }
    }]
  }],
  "signer": [{
    "type": {
      "system": "http://terminology.hl7.org/CodeSystem/contractsignertypecodes",
      "code": "CONSENTER"
    },
    "party": { "reference": "Patient/example" },
    "signature": [{
      "type": [{ "system": "urn:iso-astm:E1762-95:2013", "code": "1.2.840.10065.1.12.1.7" }],
      "when": "2026-05-14T10:00:00+02:00",
      "who": { "reference": "Patient/example" },
      "sigFormat": "application/signature+xml",
      "data": "Li4u"
    }]
  }]
}

Common pitfalls

  • Contract without signer — a status=executed contract without signers is not enforceable.
  • Confusing Contract / Consent — for a simple patient consent, prefer Consent. Contract is more complex and generic.
  • No applies Period — without a validity period, contract duration is indeterminate.
  • Non-detached signature — for a HIPAA Authorization, a detached XML-DSig or JWS signature is the state of the art.
  • Conflicting terms — multiple conflicting terms without hierarchical term.linkId make evaluation ambiguous.
  • Consent — simplified version for patient consents.
  • Provenance — who created/signed the contract.
  • AuditEvent — access to the contract.
  • DocumentReference — PDF copy of the signed contract.