FASTConsent - Scalable Consent Management v1.0.0-preview

Scalable Consent Management
1.0.0-preview - STU 1 PReview US

Scalable Consent Management, published by HL7 International / Community Based Collaborative Care. This guide is not an authorized publication; it is the continuous build for version 1.0.0-preview built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/fhir-consent-management/ and changes regularly. See the Directory of published versions

Resource Profile: FASTConsent

Official URL: http://hl7.org/fhir/us/consent-management/StructureDefinition/FASTConsent				Version: 1.0.0-preview	Highlight text changes?
Standards status: Trial-use				Maturity Level: 1	Computable Name: FASTConsent

This profile captures the details of a Patient's Consent.

Mandatory and Must Support Data Elements

The following data elements must always be present or must be supported if the data is present in the sending system Must Support. They are presented below in a simple human-readable explanation. Profile specific guidance and examples are provided as well. The Formal Views below provides the formal summary, definitions, and terminology requirements.

Must Have elements have a minimum cardinality of 1 or greater in this profile — they are always required to be present in a conformant instance. Must Support elements have a minimum cardinality of 0 but systems claiming conformance must be capable of populating them when the data is available, and receiving systems must be capable of processing them without error.

Each Consent Must Have:

a status (any value from the FHIR consent-state-codes value set is permitted; active is used for consents that are in force and inactive is used for revoked consents; other status values such as draft, entered-in-error, and rejected may be used as appropriate)
a scope (fixed to the code 'patient-privacy')
a category
one or more identifiers (at least one identifier is required to support cross-system identification of the Consent)
a patient (where the reference contains an identifier for the patient)
a dateTime
one or more performers (where each reference contains an identifier for the organization, patient, related person, or practitioner)
a source[x] that is either a DocumentReference with an attachment or a QuestionnaireResponse
one or more policies, each with a URI identifying the base policy governing this consent
a provision, that must include the following:
1. a type

Each Consent Must Support:

all Must Have elements
a Consent manager extension (backported from the R5 Consent resource)
a Consent controller extension (backported from the R5 Consent resource)
a provision, that must support the following:
1. an actor (where role is fixed to IRCP)
2. a purpose
3. a nested provision

Each Consent MUST NOT provide:

an organization - this is contained in the extensions
more than two levels of provision

Why Consent.scope Is Fixed

Consent.scope is fixed to the code patient-privacy from the FHIR consent-scope code system. This constraint is intentional and aligned with the IHE Privacy Consent on FHIR (PCF) Basic Consent profile, which applies the same fixed value.

The rationale is that this implementation guide is explicitly scoped to privacy consents — authorizations by a patient (or their representative) governing how health information may be collected, used, or disclosed. Other consent types defined in the FHIR base specification (such as research consents or advance directives) are out of scope for this guide. Fixing the scope code makes it unambiguous that a FAST Consent instance is a privacy consent, simplifies server-side filtering and subscription topic filtering, and ensures interoperability with systems implementing IHE-PCF.

A Consent resource that validates against this profile will also satisfy the IHE-PCF Basic Consent scope constraint, enabling implementers to simultaneously conform to both guides.

Constraints and Exceptions

In the base FHIR R4 Consent resource, the terms "constraint" and "exception" are used interchangeably to describe rules that refine the overall consent decision. For example, a Consent may permit access to all health information (a "permit" provision) with a constraint that excludes mental health records (a nested provision of type "deny"). In R4 the provision.type code deny is sometimes labelled an "exception" in documentation. This guide uses the terms interchangeably and does not distinguish between them.

Referencing External Participants

Since a FHIR reference can contain a RESTful id to a patient, organization, practitioner, or related person, and those RESTful ids may not be useful once a Consent instance has propogated to other consent servers, SC-8?^client:this guide requires that an external identifier for those participants SHALL be populated.^§1 ^§2 SC-8?^client:this guide requires that an external identifier for those participants SHALL be populated.^§1 ^§2

Usages:

Use this Profile: File Consent Operation Parameters
Refer to this Profile: FASTConsentAuditEvent and Revoke Consent Operation Parameters
Examples for this Profile: Consent/ConsentExample
CapabilityStatements using this Profile: Consent Server Capabilities and Consent Client Capabilities

You can also check for usages in the FHIR IG Statistics

Formal Views of Profile Content

Description Differentials, Snapshots, and other representations.

Key Elements Table
Differential Table
Snapshot Table
Statistics/References
All

Name	Flags	Card.	Type	Description & Constraints Filter: Bindings Constraints Obligations
Consent	C	0..*	Consent	A healthcare consumer's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time Constraints: ppc-1, ppc-2, ppc-3, ppc-4, ppc-5
implicitRules	?!Σ	0..1	uri	A set of rules under which this content was created
Slices for extension		0..*	Extension	Extension Slice: Unordered, Open by value:url
extension:manager	S	0..*	Reference(Cross-version Profile for R5.HealthcareService for use in FHIR R4(0.1.0) \| HealthcareService \| Cross-version Profile for R5.Organization for use in FHIR R4(0.1.0) \| Organization \| Cross-version Profile for R5.Patient for use in FHIR R4(0.1.0) \| Patient \| Cross-version Profile for R5.Practitioner for use in FHIR R4(0.1.0) \| Practitioner)	R5: Consent workflow management (new) URL: http://hl7.org/fhir/5.0/StructureDefinition/extension-Consent.manager Constraints: ext-1
extension:controller	S	0..*	Reference(Cross-version Profile for R5.HealthcareService for use in FHIR R4(0.1.0) \| HealthcareService \| Cross-version Profile for R5.Organization for use in FHIR R4(0.1.0) \| Organization \| Cross-version Profile for R5.Patient for use in FHIR R4(0.1.0) \| Patient \| Cross-version Profile for R5.Practitioner for use in FHIR R4(0.1.0) \| Practitioner)	R5: Consent Enforcer (new) URL: http://hl7.org/fhir/5.0/StructureDefinition/extension-Consent.controller Constraints: ext-1
modifierExtension	?!	0..*	Extension	Extensions that cannot be ignored
identifier	SΣ	1..*	Identifier	Identifier for this record (external references) Example General: {"system":"http://acme.org/identifier/local/eCMS","value":"Local eCMS identifier"}
status	?!SΣ	1..1	code	draft \| proposed \| active \| rejected \| inactive \| entered-in-error Binding: ConsentState (required): Indicates the state of the consent.
scope	?!SΣ	1..1	CodeableConcept	Which of the four areas this resource covers (extensible) Binding: ConsentScopeCodes (extensible): The four anticipated uses for the Consent Resource. Required Pattern: At least the following
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (Complex)
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/consentscope
version		0..1	string	Version of the system - if relevant
code		1..1	code	Symbol in syntax defined by the system Fixed Value: patient-privacy
display		0..1	string	Representation defined by the system
userSelected		0..1	boolean	If this coding was chosen directly by the user
text		0..1	string	Plain text representation of the concept
category	SΣ	1..*	CodeableConcept	Classification of the consent statement - for indexing/retrieval Binding: ConsentCategoryCodes (extensible): A classification of the type of consents found in a consent statement.
patient	SΣ	1..1	FASTReference(US Core Patient Profile)	Who the consent applies to
dateTime	SΣ	1..1	dateTime	When this Consent was created or indexed
performer	SΣ	0..*	FASTReference(US Core Organization Profile \| US Core Patient Profile \| US Core Practitioner Profile \| US Core RelatedPerson Profile \| US Core PractitionerRole Profile)	Who is agreeing to the policy and rules
source[x]	SΣ	1..1	Reference(US Core QuestionnaireResponse Profile \| FASTDocumentReference)	Source from which this consent is taken
policy	S	1..*	BackboneElement	Policies covered by this consent
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
uri	SC	1..1	uri	Specific policy covered by this consent
provision	SΣ	1..1	BackboneElement	Constraints on the base Consent.policy as defined by the URI element.
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
type	SΣ	1..1	code	deny \| permit Binding: ConsentProvisionType (required): How a rule statement is applied, such as adding additional consent or removing consent.
actor	S	0..*	BackboneElement	Who\|what controlled by this rule (or group, by role)
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
role	S	1..1	CodeableConcept	How the actor is involved Binding: SecurityRoleType (extensible): How an actor is involved in the consent considerations. Required Pattern: At least the following
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (Complex)
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/v3-ParticipationType
version		0..1	string	Version of the system - if relevant
code		1..1	code	Symbol in syntax defined by the system Fixed Value: IRCP
display		0..1	string	Representation defined by the system
userSelected		0..1	boolean	If this coding was chosen directly by the user
text		0..1	string	Plain text representation of the concept
reference	S	1..1	Reference(Device \| Group \| CareTeam \| Organization \| Patient \| Practitioner \| RelatedPerson \| PractitionerRole)	Resource for the actor (or group, by role)
purpose	SΣ	0..*	Coding	Context of activities covered by this rule Binding: PurposeOfUse (3.1.0) (extensible): What purposes of use are controlled by this exception. If more than one label is specified, operations must have all the specified labels.
provision	S	0..*	BackboneElement	Nested Exception Rules
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
Documentation for this format

Terminology Bindings

Path	Status	Usage	ValueSet	Version	Source
Consent.status	Base	required	ConsentState	📍4.0.1	FHIR Std.
Consent.scope	Base	extensible	Consent Scope Codes	📍4.0.1	FHIR Std.
Consent.category	Base	extensible	Consent Category Codes	📍4.0.1	FHIR Std.
Consent.provision.type	Base	required	ConsentProvisionType	📍4.0.1	FHIR Std.
Consent.provision.actor.role	Base	extensible	SecurityRoleType	📍4.0.1	FHIR Std.
Consent.provision.purpose	Base	extensible	PurposeOfUse	📍3.1.0	THO v7.1

Constraints

Id	Grade	Path(s)	Description	Expression
dom-2	error	Consent	If the resource is contained in another resource, it SHALL NOT contain nested Resources	`contained.contained.empty()`
dom-3	error	Consent	If the resource is contained in another resource, it SHALL be referred to from elsewhere in the resource or SHALL refer to the containing resource	`contained.where((('#'+id in (%resource.descendants().reference \| %resource.descendants().as(canonical) \| %resource.descendants().as(uri) \| %resource.descendants().as(url))) or descendants().where(reference = '#').exists() or descendants().where(as(canonical) = '#').exists() or descendants().where(as(canonical) = '#').exists()).not()).trace('unmatched', id).empty()`
dom-4	error	Consent	If a resource is contained in another resource, it SHALL NOT have a meta.versionId or a meta.lastUpdated	`contained.meta.versionId.empty() and contained.meta.lastUpdated.empty()`
dom-5	error	Consent	If a resource is contained in another resource, it SHALL NOT have a security label	`contained.meta.security.empty()`
dom-6	best practice	Consent	A resource should have narrative for robust management	text.`div`.exists()
ele-1	error	ALL elements	All FHIR elements must have a @value or children	`hasValue() or (children().count() > id.count())`
ext-1	error	ALL extensions	Must have either extensions or value[x], not both	`extension.exists() != value.exists()`
ppc-1	error	Consent	Either a Policy or PolicyRule	`policy.exists() or policyRule.exists()`
ppc-2	error	Consent	IF Scope=privacy, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='patient-privacy').exists().not()`
ppc-3	error	Consent	IF Scope=research, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='research').exists().not()`
ppc-4	error	Consent	IF Scope=adr, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='adr').exists().not()`
ppc-5	error	Consent	IF Scope=treatment, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='treatment').exists().not()`

Name	Flags	Card.	Type	Description & Constraints Filter: Bindings Constraints Obligations
Consent		0..*	Consent	A healthcare consumer's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time
Slices for extension		0..*	Extension	Extension Slice: Unordered, Open by value:url
extension:manager	S	0..*	Reference(Cross-version Profile for R5.HealthcareService for use in FHIR R4(0.1.0) \| HealthcareService \| Cross-version Profile for R5.Organization for use in FHIR R4(0.1.0) \| Organization \| Cross-version Profile for R5.Patient for use in FHIR R4(0.1.0) \| Patient \| Cross-version Profile for R5.Practitioner for use in FHIR R4(0.1.0) \| Practitioner)	R5: Consent workflow management (new) URL: http://hl7.org/fhir/5.0/StructureDefinition/extension-Consent.manager
extension:controller	S	0..*	Reference(Cross-version Profile for R5.HealthcareService for use in FHIR R4(0.1.0) \| HealthcareService \| Cross-version Profile for R5.Organization for use in FHIR R4(0.1.0) \| Organization \| Cross-version Profile for R5.Patient for use in FHIR R4(0.1.0) \| Patient \| Cross-version Profile for R5.Practitioner for use in FHIR R4(0.1.0) \| Practitioner)	R5: Consent Enforcer (new) URL: http://hl7.org/fhir/5.0/StructureDefinition/extension-Consent.controller
identifier	S	1..*	Identifier	Identifier for this record (external references)
status	S	1..1	code	draft \| proposed \| active \| rejected \| inactive \| entered-in-error
scope	S	1..1	CodeableConcept	Which of the four areas this resource covers (extensible) Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (Complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/consentscope
code		1..1	code	Symbol in syntax defined by the system Fixed Value: patient-privacy
category	S	1..*	CodeableConcept	Classification of the consent statement - for indexing/retrieval
patient	S	1..1	FASTReference(US Core Patient Profile)	Who the consent applies to
dateTime	S	1..1	dateTime	When this Consent was created or indexed
performer	S	0..*	FASTReference(US Core Organization Profile \| US Core Patient Profile \| US Core Practitioner Profile \| US Core RelatedPerson Profile \| US Core PractitionerRole Profile)	Who is agreeing to the policy and rules
organization		0..0		Custodian of the consent
source[x]	S	1..1	Reference(US Core QuestionnaireResponse Profile \| FASTDocumentReference)	Source from which this consent is taken
policy	S	1..*	BackboneElement	Policies covered by this consent
uri	S	1..1	uri	Specific policy covered by this consent
provision	S	1..1	BackboneElement	Constraints on the base Consent.policy as defined by the URI element.
type	S	1..1	code	deny \| permit
actor	S	0..*	BackboneElement	Who\|what controlled by this rule (or group, by role)
role	S	1..1	CodeableConcept	How the actor is involved Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (Complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/v3-ParticipationType
code		1..1	code	Symbol in syntax defined by the system Fixed Value: IRCP
reference	S	1..1	Reference(Device \| Group \| CareTeam \| Organization \| Patient \| Practitioner \| RelatedPerson \| PractitionerRole)	Resource for the actor (or group, by role)
purpose	S	0..*	Coding	Context of activities covered by this rule
provision	S	0..*	BackboneElement	Nested Exception Rules
provision		0..0		Nested Exception Rules
Documentation for this format

Description & Constraints Filter: Filters

Consent

C

0..*

Consent

A healthcare consumer's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time
Constraints: ppc-1, ppc-2, ppc-3, ppc-4, ppc-5

id

Σ

0..1

id

Logical id of this artifact

Terminology Bindings

Path	Status	Usage	ValueSet	Version	Source
Consent.language	Base	preferred	Common Languages	📍4.0.1	FHIR Std.
Consent.status	Base	required	ConsentState	📍4.0.1	FHIR Std.
Consent.scope	Base	extensible	Consent Scope Codes	📍4.0.1	FHIR Std.
Consent.category	Base	extensible	Consent Category Codes	📍4.0.1	FHIR Std.
Consent.policyRule	Base	extensible	Consent PolicyRule Codes	📍4.0.1	FHIR Std.
Consent.provision.type	Base	required	ConsentProvisionType	📍4.0.1	FHIR Std.
Consent.provision.actor.role	Base	extensible	SecurityRoleType	📍4.0.1	FHIR Std.
Consent.provision.action	Base	example	Consent Action Codes	📍4.0.1	FHIR Std.
Consent.provision.securityLabel	Base	extensible	SecurityLabels	📍4.0.1	FHIR Std.
Consent.provision.purpose	Base	extensible	PurposeOfUse	📍3.1.0	THO v7.1
Consent.provision.class	Base	extensible	Consent Content Class	📍4.0.1	FHIR Std.
Consent.provision.code	Base	example	Consent Content Codes	📍4.0.1	FHIR Std.
Consent.provision.data.meaning	Base	required	ConsentDataMeaning	📍4.0.1	FHIR Std.
Consent.provision.provision.type	Base	required	ConsentProvisionType	📍4.0.1	FHIR Std.
Consent.provision.provision.actor.role	Base	extensible	SecurityRoleType	📍4.0.1	FHIR Std.
Consent.provision.provision.action	Base	example	Consent Action Codes	📍4.0.1	FHIR Std.
Consent.provision.provision.securityLabel	Base	extensible	SecurityLabels	📍4.0.1	FHIR Std.
Consent.provision.provision.purpose	Base	extensible	PurposeOfUse	📍3.1.0	THO v7.1
Consent.provision.provision.class	Base	extensible	Consent Content Class	📍4.0.1	FHIR Std.
Consent.provision.provision.code	Base	example	Consent Content Codes	📍4.0.1	FHIR Std.
Consent.provision.provision.data.meaning	Base	required	ConsentDataMeaning	📍4.0.1	FHIR Std.

Constraints

Id	Grade	Path(s)	Description	Expression
dom-2	error	Consent	If the resource is contained in another resource, it SHALL NOT contain nested Resources	`contained.contained.empty()`
dom-3	error	Consent	If the resource is contained in another resource, it SHALL be referred to from elsewhere in the resource or SHALL refer to the containing resource	`contained.where((('#'+id in (%resource.descendants().reference \| %resource.descendants().as(canonical) \| %resource.descendants().as(uri) \| %resource.descendants().as(url))) or descendants().where(reference = '#').exists() or descendants().where(as(canonical) = '#').exists() or descendants().where(as(canonical) = '#').exists()).not()).trace('unmatched', id).empty()`
dom-4	error	Consent	If a resource is contained in another resource, it SHALL NOT have a meta.versionId or a meta.lastUpdated	`contained.meta.versionId.empty() and contained.meta.lastUpdated.empty()`
dom-5	error	Consent	If a resource is contained in another resource, it SHALL NOT have a security label	`contained.meta.security.empty()`
dom-6	best practice	Consent	A resource should have narrative for robust management	text.`div`.exists()
ele-1	error	ALL elements	All FHIR elements must have a @value or children	`hasValue() or (children().count() > id.count())`
ext-1	error	ALL extensions	Must have either extensions or value[x], not both	`extension.exists() != value.exists()`
ppc-1	error	Consent	Either a Policy or PolicyRule	`policy.exists() or policyRule.exists()`
ppc-2	error	Consent	IF Scope=privacy, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='patient-privacy').exists().not()`
ppc-3	error	Consent	IF Scope=research, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='research').exists().not()`
ppc-4	error	Consent	IF Scope=adr, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='adr').exists().not()`
ppc-5	error	Consent	IF Scope=treatment, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='treatment').exists().not()`

Summary

Mandatory: 8 elements
Must-Support: 19 elements
Prohibited: 2 elements

Structures

This structure refers to these other structures:

Extensions

This structure refers to these extensions:

Maturity: 1

Key Elements View

Name	Flags	Card.	Type	Description & Constraints Filter: Bindings Constraints Obligations
Consent	C	0..*	Consent	A healthcare consumer's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time Constraints: ppc-1, ppc-2, ppc-3, ppc-4, ppc-5
implicitRules	?!Σ	0..1	uri	A set of rules under which this content was created
Slices for extension		0..*	Extension	Extension Slice: Unordered, Open by value:url
extension:manager	S	0..*	Reference(Cross-version Profile for R5.HealthcareService for use in FHIR R4(0.1.0) \| HealthcareService \| Cross-version Profile for R5.Organization for use in FHIR R4(0.1.0) \| Organization \| Cross-version Profile for R5.Patient for use in FHIR R4(0.1.0) \| Patient \| Cross-version Profile for R5.Practitioner for use in FHIR R4(0.1.0) \| Practitioner)	R5: Consent workflow management (new) URL: http://hl7.org/fhir/5.0/StructureDefinition/extension-Consent.manager Constraints: ext-1
extension:controller	S	0..*	Reference(Cross-version Profile for R5.HealthcareService for use in FHIR R4(0.1.0) \| HealthcareService \| Cross-version Profile for R5.Organization for use in FHIR R4(0.1.0) \| Organization \| Cross-version Profile for R5.Patient for use in FHIR R4(0.1.0) \| Patient \| Cross-version Profile for R5.Practitioner for use in FHIR R4(0.1.0) \| Practitioner)	R5: Consent Enforcer (new) URL: http://hl7.org/fhir/5.0/StructureDefinition/extension-Consent.controller Constraints: ext-1
modifierExtension	?!	0..*	Extension	Extensions that cannot be ignored
identifier	SΣ	1..*	Identifier	Identifier for this record (external references) Example General: {"system":"http://acme.org/identifier/local/eCMS","value":"Local eCMS identifier"}
status	?!SΣ	1..1	code	draft \| proposed \| active \| rejected \| inactive \| entered-in-error Binding: ConsentState (required): Indicates the state of the consent.
scope	?!SΣ	1..1	CodeableConcept	Which of the four areas this resource covers (extensible) Binding: ConsentScopeCodes (extensible): The four anticipated uses for the Consent Resource. Required Pattern: At least the following
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (Complex)
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/consentscope
version		0..1	string	Version of the system - if relevant
code		1..1	code	Symbol in syntax defined by the system Fixed Value: patient-privacy
display		0..1	string	Representation defined by the system
userSelected		0..1	boolean	If this coding was chosen directly by the user
text		0..1	string	Plain text representation of the concept
category	SΣ	1..*	CodeableConcept	Classification of the consent statement - for indexing/retrieval Binding: ConsentCategoryCodes (extensible): A classification of the type of consents found in a consent statement.
patient	SΣ	1..1	FASTReference(US Core Patient Profile)	Who the consent applies to
dateTime	SΣ	1..1	dateTime	When this Consent was created or indexed
performer	SΣ	0..*	FASTReference(US Core Organization Profile \| US Core Patient Profile \| US Core Practitioner Profile \| US Core RelatedPerson Profile \| US Core PractitionerRole Profile)	Who is agreeing to the policy and rules
source[x]	SΣ	1..1	Reference(US Core QuestionnaireResponse Profile \| FASTDocumentReference)	Source from which this consent is taken
policy	S	1..*	BackboneElement	Policies covered by this consent
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
uri	SC	1..1	uri	Specific policy covered by this consent
provision	SΣ	1..1	BackboneElement	Constraints on the base Consent.policy as defined by the URI element.
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
type	SΣ	1..1	code	deny \| permit Binding: ConsentProvisionType (required): How a rule statement is applied, such as adding additional consent or removing consent.
actor	S	0..*	BackboneElement	Who\|what controlled by this rule (or group, by role)
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
role	S	1..1	CodeableConcept	How the actor is involved Binding: SecurityRoleType (extensible): How an actor is involved in the consent considerations. Required Pattern: At least the following
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (Complex)
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/v3-ParticipationType
version		0..1	string	Version of the system - if relevant
code		1..1	code	Symbol in syntax defined by the system Fixed Value: IRCP
display		0..1	string	Representation defined by the system
userSelected		0..1	boolean	If this coding was chosen directly by the user
text		0..1	string	Plain text representation of the concept
reference	S	1..1	Reference(Device \| Group \| CareTeam \| Organization \| Patient \| Practitioner \| RelatedPerson \| PractitionerRole)	Resource for the actor (or group, by role)
purpose	SΣ	0..*	Coding	Context of activities covered by this rule Binding: PurposeOfUse (3.1.0) (extensible): What purposes of use are controlled by this exception. If more than one label is specified, operations must have all the specified labels.
provision	S	0..*	BackboneElement	Nested Exception Rules
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
Documentation for this format

Terminology Bindings

Path	Status	Usage	ValueSet	Version	Source
Consent.status	Base	required	ConsentState	📍4.0.1	FHIR Std.
Consent.scope	Base	extensible	Consent Scope Codes	📍4.0.1	FHIR Std.
Consent.category	Base	extensible	Consent Category Codes	📍4.0.1	FHIR Std.
Consent.provision.type	Base	required	ConsentProvisionType	📍4.0.1	FHIR Std.
Consent.provision.actor.role	Base	extensible	SecurityRoleType	📍4.0.1	FHIR Std.
Consent.provision.purpose	Base	extensible	PurposeOfUse	📍3.1.0	THO v7.1

Constraints

Id	Grade	Path(s)	Description	Expression
dom-2	error	Consent	If the resource is contained in another resource, it SHALL NOT contain nested Resources	`contained.contained.empty()`
dom-3	error	Consent	If the resource is contained in another resource, it SHALL be referred to from elsewhere in the resource or SHALL refer to the containing resource	`contained.where((('#'+id in (%resource.descendants().reference \| %resource.descendants().as(canonical) \| %resource.descendants().as(uri) \| %resource.descendants().as(url))) or descendants().where(reference = '#').exists() or descendants().where(as(canonical) = '#').exists() or descendants().where(as(canonical) = '#').exists()).not()).trace('unmatched', id).empty()`
dom-4	error	Consent	If a resource is contained in another resource, it SHALL NOT have a meta.versionId or a meta.lastUpdated	`contained.meta.versionId.empty() and contained.meta.lastUpdated.empty()`
dom-5	error	Consent	If a resource is contained in another resource, it SHALL NOT have a security label	`contained.meta.security.empty()`
dom-6	best practice	Consent	A resource should have narrative for robust management	text.`div`.exists()
ele-1	error	ALL elements	All FHIR elements must have a @value or children	`hasValue() or (children().count() > id.count())`
ext-1	error	ALL extensions	Must have either extensions or value[x], not both	`extension.exists() != value.exists()`
ppc-1	error	Consent	Either a Policy or PolicyRule	`policy.exists() or policyRule.exists()`
ppc-2	error	Consent	IF Scope=privacy, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='patient-privacy').exists().not()`
ppc-3	error	Consent	IF Scope=research, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='research').exists().not()`
ppc-4	error	Consent	IF Scope=adr, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='adr').exists().not()`
ppc-5	error	Consent	IF Scope=treatment, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='treatment').exists().not()`

Differential View

Name	Flags	Card.	Type	Description & Constraints Filter: Bindings Constraints Obligations
Consent		0..*	Consent	A healthcare consumer's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time
Slices for extension		0..*	Extension	Extension Slice: Unordered, Open by value:url
extension:manager	S	0..*	Reference(Cross-version Profile for R5.HealthcareService for use in FHIR R4(0.1.0) \| HealthcareService \| Cross-version Profile for R5.Organization for use in FHIR R4(0.1.0) \| Organization \| Cross-version Profile for R5.Patient for use in FHIR R4(0.1.0) \| Patient \| Cross-version Profile for R5.Practitioner for use in FHIR R4(0.1.0) \| Practitioner)	R5: Consent workflow management (new) URL: http://hl7.org/fhir/5.0/StructureDefinition/extension-Consent.manager
extension:controller	S	0..*	Reference(Cross-version Profile for R5.HealthcareService for use in FHIR R4(0.1.0) \| HealthcareService \| Cross-version Profile for R5.Organization for use in FHIR R4(0.1.0) \| Organization \| Cross-version Profile for R5.Patient for use in FHIR R4(0.1.0) \| Patient \| Cross-version Profile for R5.Practitioner for use in FHIR R4(0.1.0) \| Practitioner)	R5: Consent Enforcer (new) URL: http://hl7.org/fhir/5.0/StructureDefinition/extension-Consent.controller
identifier	S	1..*	Identifier	Identifier for this record (external references)
status	S	1..1	code	draft \| proposed \| active \| rejected \| inactive \| entered-in-error
scope	S	1..1	CodeableConcept	Which of the four areas this resource covers (extensible) Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (Complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/consentscope
code		1..1	code	Symbol in syntax defined by the system Fixed Value: patient-privacy
category	S	1..*	CodeableConcept	Classification of the consent statement - for indexing/retrieval
patient	S	1..1	FASTReference(US Core Patient Profile)	Who the consent applies to
dateTime	S	1..1	dateTime	When this Consent was created or indexed
performer	S	0..*	FASTReference(US Core Organization Profile \| US Core Patient Profile \| US Core Practitioner Profile \| US Core RelatedPerson Profile \| US Core PractitionerRole Profile)	Who is agreeing to the policy and rules
organization		0..0		Custodian of the consent
source[x]	S	1..1	Reference(US Core QuestionnaireResponse Profile \| FASTDocumentReference)	Source from which this consent is taken
policy	S	1..*	BackboneElement	Policies covered by this consent
uri	S	1..1	uri	Specific policy covered by this consent
provision	S	1..1	BackboneElement	Constraints on the base Consent.policy as defined by the URI element.
type	S	1..1	code	deny \| permit
actor	S	0..*	BackboneElement	Who\|what controlled by this rule (or group, by role)
role	S	1..1	CodeableConcept	How the actor is involved Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (Complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/v3-ParticipationType
code		1..1	code	Symbol in syntax defined by the system Fixed Value: IRCP
reference	S	1..1	Reference(Device \| Group \| CareTeam \| Organization \| Patient \| Practitioner \| RelatedPerson \| PractitionerRole)	Resource for the actor (or group, by role)
purpose	S	0..*	Coding	Context of activities covered by this rule
provision	S	0..*	BackboneElement	Nested Exception Rules
provision		0..0		Nested Exception Rules
Documentation for this format

Snapshot ViewView

Description & Constraints Filter: Filters

Consent

C

0..*

Consent

A healthcare consumer's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time
Constraints: ppc-1, ppc-2, ppc-3, ppc-4, ppc-5

id

Σ

0..1

id

Logical id of this artifact

Terminology Bindings

Path	Status	Usage	ValueSet	Version	Source
Consent.language	Base	preferred	Common Languages	📍4.0.1	FHIR Std.
Consent.status	Base	required	ConsentState	📍4.0.1	FHIR Std.
Consent.scope	Base	extensible	Consent Scope Codes	📍4.0.1	FHIR Std.
Consent.category	Base	extensible	Consent Category Codes	📍4.0.1	FHIR Std.
Consent.policyRule	Base	extensible	Consent PolicyRule Codes	📍4.0.1	FHIR Std.
Consent.provision.type	Base	required	ConsentProvisionType	📍4.0.1	FHIR Std.
Consent.provision.actor.role	Base	extensible	SecurityRoleType	📍4.0.1	FHIR Std.
Consent.provision.action	Base	example	Consent Action Codes	📍4.0.1	FHIR Std.
Consent.provision.securityLabel	Base	extensible	SecurityLabels	📍4.0.1	FHIR Std.
Consent.provision.purpose	Base	extensible	PurposeOfUse	📍3.1.0	THO v7.1
Consent.provision.class	Base	extensible	Consent Content Class	📍4.0.1	FHIR Std.
Consent.provision.code	Base	example	Consent Content Codes	📍4.0.1	FHIR Std.
Consent.provision.data.meaning	Base	required	ConsentDataMeaning	📍4.0.1	FHIR Std.
Consent.provision.provision.type	Base	required	ConsentProvisionType	📍4.0.1	FHIR Std.
Consent.provision.provision.actor.role	Base	extensible	SecurityRoleType	📍4.0.1	FHIR Std.
Consent.provision.provision.action	Base	example	Consent Action Codes	📍4.0.1	FHIR Std.
Consent.provision.provision.securityLabel	Base	extensible	SecurityLabels	📍4.0.1	FHIR Std.
Consent.provision.provision.purpose	Base	extensible	PurposeOfUse	📍3.1.0	THO v7.1
Consent.provision.provision.class	Base	extensible	Consent Content Class	📍4.0.1	FHIR Std.
Consent.provision.provision.code	Base	example	Consent Content Codes	📍4.0.1	FHIR Std.
Consent.provision.provision.data.meaning	Base	required	ConsentDataMeaning	📍4.0.1	FHIR Std.

Constraints

Id	Grade	Path(s)	Description	Expression
dom-2	error	Consent	If the resource is contained in another resource, it SHALL NOT contain nested Resources	`contained.contained.empty()`
dom-3	error	Consent	If the resource is contained in another resource, it SHALL be referred to from elsewhere in the resource or SHALL refer to the containing resource	`contained.where((('#'+id in (%resource.descendants().reference \| %resource.descendants().as(canonical) \| %resource.descendants().as(uri) \| %resource.descendants().as(url))) or descendants().where(reference = '#').exists() or descendants().where(as(canonical) = '#').exists() or descendants().where(as(canonical) = '#').exists()).not()).trace('unmatched', id).empty()`
dom-4	error	Consent	If a resource is contained in another resource, it SHALL NOT have a meta.versionId or a meta.lastUpdated	`contained.meta.versionId.empty() and contained.meta.lastUpdated.empty()`
dom-5	error	Consent	If a resource is contained in another resource, it SHALL NOT have a security label	`contained.meta.security.empty()`
dom-6	best practice	Consent	A resource should have narrative for robust management	text.`div`.exists()
ele-1	error	ALL elements	All FHIR elements must have a @value or children	`hasValue() or (children().count() > id.count())`
ext-1	error	ALL extensions	Must have either extensions or value[x], not both	`extension.exists() != value.exists()`
ppc-1	error	Consent	Either a Policy or PolicyRule	`policy.exists() or policyRule.exists()`
ppc-2	error	Consent	IF Scope=privacy, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='patient-privacy').exists().not()`
ppc-3	error	Consent	IF Scope=research, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='research').exists().not()`
ppc-4	error	Consent	IF Scope=adr, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='adr').exists().not()`
ppc-5	error	Consent	IF Scope=treatment, there must be a patient	`patient.exists() or scope.coding.where(system='something' and code='treatment').exists().not()`

Summary

Mandatory: 8 elements
Must-Support: 19 elements
Prohibited: 2 elements

Structures

This structure refers to these other structures:

Extensions

This structure refers to these extensions:

Maturity: 1

Other representations of profile: CSV, Excel, Schematron

Notes:

Below is an overview of the required Server RESTful FHIR interactions for this profile - for example, search and read operations - when supporting the FAST Consent interactions to access this profile's information (Profile Support + Interaction Support). See the FAST Consent Server CapabilityStatement for a complete list of supported RESTful interactions for this IG.

See the Search Syntax section for a description of the FHIR search syntax.

Mandatory Search Parameters:

The following search parameters and search parameter combinations SHALL be supported:^§SC-1

SHALL support both read Consent by id AND Consent search using the _id search parameter:^§SC-2

GET [base]/Consent/[id] or GET [base]/Consent?_id=[id]

Example:
1. GET [base]/Consent/1032702
2. GET [base]/Consent?_id=1032702
Implementation Notes: (how to search by the logical id of the resource)
SHALL support searching a consent by an identifier such as a CDA consent document using the identifier search parameter:^§SC-3

GET [base]/Consent?identifier={system|}[code]

Example:
1. GET [base]/Consent?identifier=http://hospital.smarthealthit.org|1032702
Implementation Notes: Fetches a bundle containing any Consent resources matching the identifier (how to search by token)
SHALL support searching a consent by a patient using the patient search parameter:^§SC-4

GET [base]/Consent?patient={type\}[id]

Example:
1. GET [base]/Consent?patient=Patient\1032702
Implementation Notes: Fetches a bundle containing any Consent resources matching the patient (how to search by reference)
SHALL support searching using the combination of the patient and status search parameters:^§SC-5

GET [base]/Consent?patient={type\}[id]&status=[code]

Example:
1. GET [base]/Consent?patient=Patient\1032702&status=active Implementation Notes: Fetches a bundle of all Consent resources matching the specified patient and status (how to search by reference and how to search by token)

Optional Search Parameters:

The following search parameter combinations SHOULD be supported:^§SC-6

SHOULD support searching using the combination of the patient and date search parameters:^§SC-7

GET [base]/Consent?patient={type\}[id]&date=[date]

Example:
1. GET [base]/Consent?patient=Patient\1032702&date=2024-03-20 Implementation Notes: Fetches a bundle of all Patient resources matching the specified patient and date (how to search by reference and how to search by date)

< prev

top

next >

IG © 2024+ HL7 International / Community Based Collaborative Care. Package hl7.fhir.us.consent-management#1.0.0-preview based on FHIR 4.0.1. Generated 2026-05-21
Links: Table of Contents | QA Report | Version History | | Propose a change