Scalable Consent Management
0.1.0 - ci-build
Scalable Consent Management
0.1.0 - ci-build
Scalable Consent Management, published by HL7 International / Community Based Collaborative Care. This guide is not an authorized publication; it is the continuous build for version 0.1.0 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/fhir-consent-management/ and changes regularly. See the Directory of published versions
| Page standards status: Trial-use | Maturity Level: 1 |
<Requirements xmlns="http://hl7.org/fhir">
<id value="technical-specification-client"/>
<text>
<status value="generated"/>
<div xmlns="http://www.w3.org/1999/xhtml"><p class="res-header-id"><b>Generated Narrative: Requirements technical-specification-client</b></p><a name="technical-specification-client"> </a><a name="hctechnical-specification-client"> </a><p>These requirements apply to the actor <a href="ActorDefinition-client.html">Client</a></p><table class="grid"><tr><td><b><a name="67"> </a></b>requirement-67</td><td>SHALL</td><td><div><p>Consent Client SHALL query the consent administration service for the identifiers of the involved patients, practitioners, organizations, and related persons<br/><br/>Not testable yet - need lots more details about the lifecycle of relates resource instances.
Query or match?
Implies CAS is an MPI and similar for other resources?
Doesn’t say what triggers these queries to occur, or what effect it has on workflows, or whether discovered identifiers are used in resources...</p>
</div><p>Links: </p><ul><li>Derived From: <code>HL7 FAST Consent IG</code></li><li>References: <a href="https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html#:~:text=client%20systems%20SHALL%20query%20the%20consent%20administration%20service%20for%20the%20identifiers%20of%20the%20involved%20patients%2C%20practitioners%2C%20organizations%2C%20and%20related%20persons">https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html</a></li></ul></td></tr><tr><td><b><a name="202"> </a></b>requirement-202</td><td>MAY</td><td><div><p>Consent Client MAY subscribe to Consent topics as defined by the FAST Subscription Topic<br/><br/>- No conformance words "client will...", so not clear which actors SHALL or MAY support. For now, treating as MAY for both clients and servers - tests can be conditional.</p>
<ul>
<li>Nature of topic is it allows combinations of criteria. I'll call out each criterion below for traceability.</li>
<li>TBD whether there need to be requirements for CAS to detect and fire Consent events or if implied by subs framework.</li>
</ul>
</div><p>Links: </p><ul><li>Derived From: <code>HL7 FAST Consent IG</code></li><li>References: <a href="https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html#:~:text=To%20register%20a%20subscription%2C%20client%20systems%20will%20POST%20to%20a%20consent%20administration%20service%27s%20Subscription%20endpoint">https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html</a></li></ul></td></tr><tr><td><b><a name="265"> </a></b>requirement-265</td><td>SHALL</td><td><div><p>This guide mandates that Subscriptions be used<br/><br/>Need conformance words - who does this apply to? Assuming clients, but which ones? What triggering actions? Are clients required to support only, or that they positively subscribe to specific other systems? Suggest referencing section with normative workflows.</p>
</div><p>Links: </p><ul><li>Derived From: <code>HL7 FAST Consent IG</code></li><li>References: <a href="https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html#:~:text=this%20guide%20mandates%20that%20Subscriptions%20be%20used">https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html</a></li></ul></td></tr><tr><td><b><a name="167"> </a></b>requirement-167</td><td>SHALL</td><td><div><p>If a system accesses a Consent instance for determining whether information can be accessed, the Record Disclosure Operation SHALL be used<br/><br/>- Need to clarify which system has the responsibility for calling this - assuming Consent Client, calling the CAS.</p>
<ul>
<li>For now, assuming client calls after accessing.</li>
</ul>
</div><p>Links: </p><ul><li>Derived From: <code>HL7 FAST Consent IG</code></li><li>References: <a href="https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html#:~:text=The%20Record%20Disclosure%20Operation%20SHALL%20be%20used%20when%20a%20system%20accesses%20a%20Consent%20instance%20for%20determining%20whether%20informtion%20can%20be%20accessed">https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html</a></li></ul></td></tr><tr><td><b><a name="267"> </a></b>requirement-267</td><td>SHALL</td><td><div><p>Consent Client SHALL support AuditEvent search by FASTAuditEventConsent<br/><br/>Implied - need requirement</p>
</div><p>Links: </p><ul><li>Derived From: <code>HL7 FAST Consent IG</code></li><li>References: <a href="https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html#:~:text=systems%20SHALL%20support%20the,consent">https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html</a></li></ul></td></tr><tr><td><b><a name="299"> </a></b>requirement-299</td><td>SHALL</td><td><div><p>Consent Client SHALL support AuditEvent search by patient<br/><br/>Implied - need requirement</p>
</div><p>Links: </p><ul><li>Derived From: <code>HL7 FAST Consent IG</code></li><li>References: <a href="https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html#:~:text=systems%20SHALL%20support%20the,patient">https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html</a></li></ul></td></tr></table></div>
</text>
<extension
url="http://hl7.org/fhir/StructureDefinition/structuredefinition-wg">
<valueCode value="cbcc"/>
</extension>
<extension
url="http://hl7.org/fhir/StructureDefinition/structuredefinition-fmm">
<valueInteger value="1">
<extension
url="http://hl7.org/fhir/StructureDefinition/structuredefinition-conformance-derivedFrom">
<valueCanonical
value="http://hl7.org/fhir/us/consent-management/ImplementationGuide/hl7.fhir.us.consent-management"/>
</extension>
</valueInteger>
</extension>
<extension
url="http://hl7.org/fhir/StructureDefinition/structuredefinition-standards-status">
<valueCode value="trial-use">
<extension
url="http://hl7.org/fhir/StructureDefinition/structuredefinition-conformance-derivedFrom">
<valueCanonical
value="http://hl7.org/fhir/us/consent-management/ImplementationGuide/hl7.fhir.us.consent-management"/>
</extension>
</valueCode>
</extension>
<url
value="http://hl7.org/fhir/us/consent-management/Requirements/technical-specification-client"/>
<version value="0.1.0"/>
<name value="TechnicalSpecificationClient"/>
<title value="Technical Specification Client"/>
<status value="active"/>
<experimental value="false"/>
<date value="2025-09-03T19:43:24-04:00"/>
<publisher value="HL7 International / Community Based Collaborative Care"/>
<contact>
<name value="HL7 International / Community Based Collaborative Care"/>
<telecom>
<system value="url"/>
<value value="http://www.hl7.org/Special/committees/cbcc"/>
</telecom>
</contact>
<description value="Technical Specification Requirements for Client"/>
<jurisdiction>
<coding>
<system value="urn:iso:std:iso:3166"/>
<code value="US"/>
<display value="United States of America"/>
</coding>
</jurisdiction>
<actor
value="http://hl7.org/fhir/us/consent-management/ActorDefinition/client"/>
<statement>
<key value="67"/>
<label value="requirement-67"/>
<conformance value="SHALL"/>
<conditionality value="false"/>
<requirement
value="Consent Client SHALL query the consent administration service for the identifiers of the involved patients, practitioners, organizations, and related persons<br/><br/>Not testable yet - need lots more details about the lifecycle of relates resource instances.
Query or match?
Implies CAS is an MPI and similar for other resources?
Doesn’t say what triggers these queries to occur, or what effect it has on workflows, or whether discovered identifiers are used in resources..."/>
<derivedFrom value="HL7 FAST Consent IG"/>
<reference
value="https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html#:~:text=client%20systems%20SHALL%20query%20the%20consent%20administration%20service%20for%20the%20identifiers%20of%20the%20involved%20patients%2C%20practitioners%2C%20organizations%2C%20and%20related%20persons"/>
</statement>
<statement>
<key value="202"/>
<label value="requirement-202"/>
<conformance value="MAY"/>
<conditionality value="false"/>
<requirement
value="Consent Client MAY subscribe to Consent topics as defined by the FAST Subscription Topic<br/><br/>- No conformance words "client will...", so not clear which actors SHALL or MAY support. For now, treating as MAY for both clients and servers - tests can be conditional.
- Nature of topic is it allows combinations of criteria. I'll call out each criterion below for traceability.
- TBD whether there need to be requirements for CAS to detect and fire Consent events or if implied by subs framework."/>
<derivedFrom value="HL7 FAST Consent IG"/>
<reference
value="https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html#:~:text=To%20register%20a%20subscription%2C%20client%20systems%20will%20POST%20to%20a%20consent%20administration%20service%27s%20Subscription%20endpoint"/>
</statement>
<statement>
<key value="265"/>
<label value="requirement-265"/>
<conformance value="SHALL"/>
<conditionality value="false"/>
<requirement
value="This guide mandates that Subscriptions be used<br/><br/>Need conformance words - who does this apply to? Assuming clients, but which ones? What triggering actions? Are clients required to support only, or that they positively subscribe to specific other systems? Suggest referencing section with normative workflows."/>
<derivedFrom value="HL7 FAST Consent IG"/>
<reference
value="https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html#:~:text=this%20guide%20mandates%20that%20Subscriptions%20be%20used"/>
</statement>
<statement>
<key value="167"/>
<label value="requirement-167"/>
<conformance value="SHALL"/>
<conditionality value="false"/>
<requirement
value="If a system accesses a Consent instance for determining whether information can be accessed, the Record Disclosure Operation SHALL be used<br/><br/>- Need to clarify which system has the responsibility for calling this - assuming Consent Client, calling the CAS.
- For now, assuming client calls after accessing."/>
<derivedFrom value="HL7 FAST Consent IG"/>
<reference
value="https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html#:~:text=The%20Record%20Disclosure%20Operation%20SHALL%20be%20used%20when%20a%20system%20accesses%20a%20Consent%20instance%20for%20determining%20whether%20informtion%20can%20be%20accessed"/>
</statement>
<statement>
<key value="267"/>
<label value="requirement-267"/>
<conformance value="SHALL"/>
<conditionality value="false"/>
<requirement
value="Consent Client SHALL support AuditEvent search by FASTAuditEventConsent<br/><br/>Implied - need requirement"/>
<derivedFrom value="HL7 FAST Consent IG"/>
<reference
value="https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html#:~:text=systems%20SHALL%20support%20the,consent"/>
</statement>
<statement>
<key value="299"/>
<label value="requirement-299"/>
<conformance value="SHALL"/>
<conditionality value="false"/>
<requirement
value="Consent Client SHALL support AuditEvent search by patient<br/><br/>Implied - need requirement"/>
<derivedFrom value="HL7 FAST Consent IG"/>
<reference
value="https://build.fhir.org/ig/HL7/fhir-consent-management/technical.html#:~:text=systems%20SHALL%20support%20the,patient"/>
</statement>
</Requirements>
IG © 2024+ HL7 International / Community Based Collaborative Care. Package hl7.fhir.us.consent-management#0.1.0 based on FHIR 4.0.1. Generated 2025-09-05
Links: Table of Contents |
QA Report
| Version History |
|
Propose a change