Contract — The healthcare legal agreement
Informed consent, sharing authorization, advance directive, patient-provider contract: Contract is the pivot resource for healthcare legal agreements, aligned with GDPR and HIPAA.
Purpose
Contract is the generic resource for any legal agreement relevant to healthcare: Privacy Consent Directive (HIPAA Authorization, GDPR Article 6 or 9), patient-facility service contract, AI licence contract, employer-payer contract, representation mandate, advance directive.
Contract is broader than Consent. Consent is specific to patient consent directives; Contract covers any agreement, including B2B agreements between organisations.
Key fields
| Field | Type | Cardinality | Role |
|---|---|---|---|
identifier | Identifier[] | 0..* | External identifiers. |
url | uri | 0..1 | Canonical URL. |
version | string | 0..1 | Version. |
status | code | 0..1 | amended | appended | cancelled | disputed | entered-in-error | executable | executed | negotiable | offered | policy | rejected | renewed | revoked | resolved | terminated. |
legalState | CodeableConcept | 0..1 | Legal state. |
instantiatesCanonical | Reference(Contract) | 0..1 | Canonical template instantiated. |
issued | dateTime | 0..1 | Issue date. |
applies | Period | 0..1 | Validity period. |
expirationType | CodeableConcept | 0..1 | Expiration cause. |
subject | Reference(Any)[] | 0..* | Subject (typically Patient). |
authority | Reference(Organization)[] | 0..* | Authority (regulator, employer...). |
type | CodeableConcept | 0..1 | Type (consent, policy, treatment...). |
subType | CodeableConcept[] | 0..* | Subtype. |
title | string | 0..1 | Human-readable title. |
term | BackboneElement[] | 0..* | Contractual clauses (recursive). |
term.offer | BackboneElement | 1..1 | Contract offer (proposal, expected decision). |
term.asset | BackboneElement[] | 0..* | Assets at stake (data, goods, services). |
term.action | BackboneElement[] | 0..* | Required or permitted actions. |
signer | BackboneElement[] | 0..* | Signers. |
signer.signature | Signature[] | 1..* | Digital signature(s). |
friendly | BackboneElement[] | 0..* | Human-readable version (PDF, narrative). |
legal | BackboneElement[] | 0..* | Legally binding version. |
rule | BackboneElement[] | 0..* | Executable rules (CQL, rules engine). |
legallyBinding[x] | Attachment | Reference | 0..1 | Reference to legally binding version. |
JSON example
Privacy Consent Directive opt-out: the patient withdraws data-sharing consent toward a specific clinic, valid 1 year, digitally signed:
{
"resourceType": "Contract",
"id": "pcd-example-notOrg",
"url": "http://example.org/Contract/pcd-example",
"version": "1",
"status": "executed",
"issued": "2026-05-14T10:00:00+02:00",
"applies": {
"start": "2026-05-14T10:00:00+02:00",
"end": "2027-05-14T10:00:00+02:00"
},
"subject": [{ "reference": "Patient/example" }],
"authority": [{ "reference": "Organization/hl7-pa" }],
"type": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/contract-type",
"code": "consent",
"display": "Consent"
}]
},
"subType": [{
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/contractsubtypecodes",
"code": "DDR",
"display": "Data Disclosure"
}]
}],
"title": "Privacy Consent Directive",
"subtitle": "Excluding the ABC Health Care Clinic from data exchange",
"alias": ["HIPAA Authorization"],
"term": [{
"issued": "2026-05-14T10:00:00+02:00",
"type": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/contracttermtypecodes",
"code": "statutory"
}]
},
"offer": {
"type": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/contracttermsubtypecodes",
"code": "smart-contract"
}]
},
"decision": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-ActConsentDirective",
"code": "OPTOUT"
}]
}
},
"action": [{
"type": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/contractaction",
"code": "action-a"
}]
},
"intent": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-ActReason",
"code": "HPRGRP"
}]
},
"status": { "coding": [{ "code": "completed" }] }
}]
}],
"signer": [{
"type": {
"system": "http://terminology.hl7.org/CodeSystem/contractsignertypecodes",
"code": "CONSENTER"
},
"party": { "reference": "Patient/example" },
"signature": [{
"type": [{ "system": "urn:iso-astm:E1762-95:2013", "code": "1.2.840.10065.1.12.1.7" }],
"when": "2026-05-14T10:00:00+02:00",
"who": { "reference": "Patient/example" },
"sigFormat": "application/signature+xml",
"data": "Li4u"
}]
}]
} Common pitfalls
- Contract without
signer— astatus=executedcontract without signers is not enforceable. - Confusing Contract / Consent — for a simple patient consent, prefer
Consent. Contract is more complex and generic. - No
appliesPeriod — without a validity period, contract duration is indeterminate. - Non-detached signature — for a HIPAA Authorization, a detached XML-DSig or JWS signature is the state of the art.
- Conflicting terms — multiple conflicting
terms without hierarchicalterm.linkIdmake evaluation ambiguous.
Related resources
- Consent — simplified version for patient consents.
- Provenance — who created/signed the contract.
- AuditEvent — access to the contract.
- DocumentReference — PDF copy of the signed contract.