Privacy Consent on FHIR (PCF)
1.1.0 - Trial-Implementation
This page is part of the Privacy Consent on FHIR (PCF) (v1.1.0: Publication) based on FHIR (HL7® FHIR® Standard) R4. This is the current published version. For a full list of available versions, see the Directory of published versions
Resource Consent "ex-consent-advanced-normal-focused-psy-or-sdv"
Profile: IHE PCF Explicit Advanced Consent
Security Labels: http://terminology.hl7.org/CodeSystem/v3-ActReason
status: active
scope: Privacy Consent (Consent Scope Codes#patient-privacy)
category: Consent (LOINC#59284-0)
patient: Patient/ex-patient " SMITH"
dateTime: 2022-06-13
performer: Patient/ex-patient " SMITH"
organization: Organization/ex-organization "somewhere org"
source: DocumentReference/ex-documentreference
Uri |
http://example.org/policies/basePrivacyConsentPolicy.txt |
provision
type: permit
securityLabel: normal (Details: http://terminology.hl7.org/CodeSystem/v3-Confidentiality code N = 'normal', stated as 'null')
purpose: treatment (Details: http://terminology.hl7.org/CodeSystem/v3-ActReason code TREAT = 'treatment', stated as 'null'), healthcare payment (Details: http://terminology.hl7.org/CodeSystem/v3-ActReason code HPAYMT = 'healthcare payment', stated as 'null'), healthcare operations (Details: http://terminology.hl7.org/CodeSystem/v3-ActReason code HOPERAT = 'healthcare operations', stated as 'null')
provision
type: permit
actor
securityLabel: psychiatry disorder information sensitivity (Details: http://terminology.hl7.org/CodeSystem/v3-ActCode code PSY = 'psychiatry disorder information sensitivity', stated as 'null'), sexual assault, abuse, or domestic violence information sensitivity (Details: http://terminology.hl7.org/CodeSystem/v3-ActCode code SDV = 'sexual assault, abuse, or domestic violence information sensitivity', stated as 'null')
Provided an ITI-71 results in a PERMIT access token issued. That token would have the following residual element to inform the Consent Enforcement Point that it needs to restrict the results.
Given that the token will express the permit portion, the residual
would need to express the refinement. This case allows treatment access to normal data, and carves out mental health data and sexual health data as accessible only to Practitioner. The oAuth token would be expressing a general permit for most users to the given patient data. Possibly with scope restrictions based on other business rules, such as a subset of actions (CRUDE) and resources.
The token would need to include an ihe_pcf
extension to point at this consent, and that would include a residual
to express the refinement. Shown as followed:
For Users that are not Practitioner, the token result will be no different than consent to allow NORMAL data access.
For the User Practitioner, the token result will be:
ihe_iua
extension
ihe_iua
extension parameters are not shown below"extensions" : {
"ihe_iua" : {
...
"purpose_of_use" : [{
"system" : "http://terminology.hl7.org/CodeSystem/v3-ActReason",
"code" : "TREAT"
},{
"system" : "http://terminology.hl7.org/CodeSystem/v3-ActReason",
"code" : "HPAYMT"
},{
"system" : "http://terminology.hl7.org/CodeSystem/v3-ActReason",
"code" : "HOPERAT"
}]
}
"ihe_pcf" : {
"patient_id" : "http://example.org/fhir/Patient/ex-patient",
"doc_id" : ["http://example.org/fhir/Consent/ex-consent-intermediate-authoredby"],
"residual" : [
{
"type" : "forbid",
},{
"type" : "permit",
"securityLabel" : [{
"system" : "http://terminology.hl7.org/CodeSystem/v3-Confidentiality",
"code" : "N"
}]
},{
"type" : "permit",
"securityLabel" : [{
"system" : "http://terminology.hl7.org/CodeSystem/v3-ActCode",
"code" : "PSY"
},{
"system" : "http://terminology.hl7.org/CodeSystem/v3-ActCode",
"code" : "SDV"
}]
}
]
}
}