Privacy Consent on FHIR (PCF)
1.1.0 - Trial-Implementation (International realm)

Privacy Consent on FHIR (PCF), published by IHE IT Infrastructure Technical Committee. This guide is not an authorized publication; it is the continuous build for version 1.1.0 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/IHE/ITI.PCF/ and changes regularly. See the Directory of published versions

3:5.8 Privacy Consent Patterns

The following are the FHIR Consent profiles defined by PCF. The FHIR Consent fundamentals are explained in Appendix P.

3:5.8.1 Foundation Policies

The Foundation Consent Content Profile defines the constraints common to all of PCF. There are no examples of this profile, as it is not intended to be used directly; the Basic, Intermediate and Advanced profiles below derive from it.

3:5.8.2 Basic

Using Basic Consent Content Profile

Examples for this Resource Profile:

3:5.8.3 Intermediate

Using Intermediate Consent Content Profile

Examples for this Resource Profile:

3:5.8.3.1 Example of Intermediate by ID Search Set Bundle Processing

Given an Intermediate consent that identifies one Observation (id=1) that shall not be shared (or, likewise, a named set of such resources). The Consent Authorization Server issues an ITI-71 access token carrying this restriction, and the token is communicated to the Consent Enforcement Point. The Consent Enforcement Point first allows the search to proceed; the raw output of the FHIR search includes all Observations, including the forbidden one. That would look like:

Search Set Bundle before enforcement (contents of the diagram):
  Bundle: searched for all Observations for the given Patient, total 5
  Observation id=1: Alcohol per day 5
  Observation id=2: Blood sugar 99
  Observation id=3: Blood Pressure 140/90
  Observation id=4: Weight 185 pounds
  Observation id=5: Weight 280 pounds
3:5.8.3.1-1 Figure: Search Set Bundle before enforcement


The Bundle is then processed by the Consent Enforcement Point, which removes the Observation with id=1. Thus the first entry is removed and Bundle.total is decremented to match. The result, which is what the Grouped Server returns to the Grouped Client, would look like the following:

Search Set Bundle post enforcement to remove Alcohol Use Disorder (contents of the diagram):
  Bundle: searched for all Observations for the given Patient, total 4
  Observation id=2: Blood sugar 99
  Observation id=3: Blood Pressure 140/90
  Observation id=4: Weight 185 pounds
  Observation id=5: Weight 280 pounds
3:5.8.3.1-2 Figure: Search Set Bundle post enforcement to remove Alcohol Use Disorder


3:5.8.4 Advanced

Using Advanced Consent Content Profile

Examples for this Resource Profile:

3:5.8.4.1 Example of Advanced Search Set Bundle Processing

Given an Advanced consent that states that no Alcohol Use Disorder information shall be shared, and using the SLS model of “Query/Use enforcement” discussed in Appendix P: Security Labeling Service Models. Note that there are other SLS architecture models; the “Query/Use enforcement” model is used here only for illustration. The Consent Authorization Server issues, via ITI-71, an access token indicating that no Alcohol Use Disorder information is allowed, and the token is communicated to the Consent Enforcement Point. The Consent Enforcement Point first allows the search to proceed; the raw output of the FHIR search includes all Observations, including the forbidden one. That would look like:

Search Set Bundle before SLS tagging (contents of the diagram):
  Bundle: searched for all Observations for the given Patient, total 5
  Observation id=1: Alcohol per day 5
  Observation id=2: Blood sugar 99
  Observation id=3: Blood Pressure 140/90
  Observation id=4: Weight 185 pounds
  Observation id=5: Weight 280 pounds
3:5.8.4.1-1 Figure: Search Set Bundle before SLS tagging


In the “Query/Use enforcement” model the Bundle is then processed by the SLS, which adds a sensitivity tag and a confidentiality tag to each entry:

Search Set Bundle after SLS tagging (contents of the diagram):
  Bundle: searched for all Observations for the given Patient, total 5
  Observation id=1: Alcohol per day 5; tags: Alcohol Use Disorder, Restricted Confidentiality
  Observation id=2: Blood sugar 99; tag: Normal Confidentiality
  Observation id=3: Blood Pressure 140/90; tag: Normal Confidentiality
  Observation id=4: Weight 185 pounds; tag: Normal Confidentiality
  Observation id=5: Weight 20 stone (280 pounds); tag: Normal Confidentiality
3:5.8.4.1-2 Figure: Search Set Bundle after SLS tagging


The tagged Bundle is then processed by the Consent Enforcement Point, which removes any entry labelled as Alcohol Use Disorder information. Thus the first entry is removed and Bundle.total is decremented to match. The result, which is what the Grouped Server returns to the Grouped Client, would look like the following:

Search Set Bundle post enforcement to remove Alcohol Use Disorder (contents of the diagram):
  Bundle: searched for all Observations for the given Patient, total 4
  Observation id=2: Blood sugar 99; tag: Normal Confidentiality
  Observation id=3: Blood Pressure 140/90; tag: Normal Confidentiality
  Observation id=4: Weight 185 pounds; tag: Normal Confidentiality
  Observation id=5: Weight 280 pounds; tag: Normal Confidentiality
3:5.8.4.1-3 Figure: Search Set Bundle post enforcement to remove Alcohol Use Disorder


Note that the data returned may still carry the security tags that the SLS applied, or those tags may be removed before the Grouped Server returns the results to the Grouped Client. Whether the tags are exposed is a policy decision that PCF does not mandate.
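The two enforcement steps above, Intermediate by resource id in 3:5.8.3.1 and Advanced by SLS security label in 3:5.8.4.1, come down to the same searchset Bundle filtering. The following Python is an added example, not code from PCF or from any IHE implementation. It constructs the tagged Bundle of Figure 3:5.8.4.1-2 inline (the fhir.example.org base URL is a placeholder), and `enforce` removes entries by "ResourceType/id" reference or by security label, decrements Bundle.total, and optionally strips the SLS labels as the preceding paragraph allows. The label codes used are the standard HL7 v3 Confidentiality codes N and R and the ActCode sensitivity code ETHUD (alcohol use disorder); which codes a given SLS actually emits is a deployment matter. The `require_tags` fail-closed option is this example's own design choice, not a PCF requirement.

```python
import copy

# Standard HL7 terminology systems for FHIR security labels.
CONF_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
ACT_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-ActCode"

NORMAL = [{"system": CONF_SYSTEM, "code": "N"}]
RESTRICTED_ETHUD = [  # Restricted confidentiality + alcohol use disorder sensitivity
    {"system": CONF_SYSTEM, "code": "R"},
    {"system": ACT_SYSTEM, "code": "ETHUD"},
]


def _entry(obs_id, text, labels):
    """One searchset entry; the fhir.example.org base URL is a placeholder."""
    return {
        "fullUrl": f"https://fhir.example.org/Observation/{obs_id}",
        "resource": {
            "resourceType": "Observation",
            "id": obs_id,
            "meta": {"security": copy.deepcopy(labels)},
            "status": "final",
            "code": {"text": text},
        },
        "search": {"mode": "match"},
    }


# Constructed sample: the searchset Bundle after SLS tagging (Figure 3:5.8.4.1-2).
TAGGED_BUNDLE = {
    "resourceType": "Bundle",
    "type": "searchset",
    "total": 5,
    "entry": [
        _entry("1", "Alcohol per day 5", RESTRICTED_ETHUD),
        _entry("2", "Blood sugar 99", NORMAL),
        _entry("3", "Blood Pressure 140/90", NORMAL),
        _entry("4", "Weight 185 pounds", NORMAL),
        _entry("5", "Weight 280 pounds", NORMAL),
    ],
}


def _labels(resource):
    """Security labels of a resource as a set of (system, code) pairs."""
    return {(lbl.get("system"), lbl.get("code"))
            for lbl in resource.get("meta", {}).get("security", [])}


def enforce(bundle, forbidden_refs=(), forbidden_labels=(),
            require_tags=False, strip_tags=False):
    """Consent Enforcement Point step for a searchset Bundle.

    forbidden_refs   -- "ResourceType/id" references named by an Intermediate consent
    forbidden_labels -- (system, code) pairs the ITI-71 token forbids (Advanced)
    require_tags     -- fail closed: drop entries that carry no security label at all
    strip_tags       -- remove SLS labels before the Bundle goes to the Grouped Client
    Returns a new Bundle with matching entries removed and Bundle.total decremented.
    """
    forbidden_refs, forbidden_labels = set(forbidden_refs), set(forbidden_labels)
    out = copy.deepcopy(bundle)
    entries = out.get("entry", [])
    kept = []
    for entry in entries:
        res = entry.get("resource", {})
        ref = f"{res.get('resourceType')}/{res.get('id')}"  # ids are only unique per type
        labels = _labels(res)
        if ref in forbidden_refs or labels & forbidden_labels:
            continue                      # consent forbids this resource
        if require_tags and not labels:
            continue                      # untagged data cannot be judged: fail closed
        if strip_tags and "meta" in res:
            res["meta"].pop("security", None)
            if not res["meta"]:
                del res["meta"]
        kept.append(entry)
    out["entry"] = kept
    if "total" in out:                    # keep the advertised count consistent
        out["total"] = max(0, out["total"] - (len(entries) - len(kept)))
    return out


def entry_ids(bundle):
    """Ids of the entries in Bundle order, for inspection."""
    return [e["resource"]["id"] for e in bundle.get("entry", [])]


if __name__ == "__main__":
    # Intermediate: the consent names Observation/1 (Figure 3:5.8.3.1-1 to -2).
    by_id = enforce(TAGGED_BUNDLE, forbidden_refs={"Observation/1"})
    print("by id:   ", entry_ids(by_id), "total", by_id["total"])
    # Advanced: the token forbids ETHUD-labelled data (Figure 3:5.8.4.1-2 to -3).
    by_label = enforce(TAGGED_BUNDLE, forbidden_labels={(ACT_SYSTEM, "ETHUD")},
                       strip_tags=True)
    print("by label:", entry_ids(by_label), "total", by_label["total"])
```

Two checks in this example are worth keeping in a real enforcement point: the identity comparison uses ResourceType/id rather than the bare id, since FHIR ids are only unique within a resource type, and the label-based path is a no-op on a Bundle that has not been through the SLS, which is why the fail-closed option exists for deployments where every entry is expected to be tagged before it reaches the enforcement point.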