The Privacy Consent Directive resource has a base that identifies the patient, authority, domain, location, recipient, grantor, data, and actions. These are the elements needed for an all-or-nothing kind of consent.
Then there is a set of exceptions to this base: additions or subtractions. The set of exceptions includes a list of data objects, list of authors, list of recipients, list of Organizations, list of purposeOfUse, and Date Range.
All of this sits within broader policy that is not part of the Consent, but surrounds it. That broader policy holds the operational access controls that cover the meaning of opt-in and opt-out, and that also cover the case where no consent has been achieved.
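The base, exceptions, and surrounding policy described above can be read as an access decision function. The sketch below is an added example, not part of the original post or of the FHIR specification. The class and field names are hypothetical and are not FHIR element names. The rule that a matching subtraction wins over an addition, and the treatment of an empty criterion as "any", are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class ConsentException:                    # one addition or subtraction to the base
    permit: bool                           # True = addition, False = subtraction
    recipients: set = field(default_factory=set)
    authors: set = field(default_factory=set)
    purposes: set = field(default_factory=set)   # purposeOfUse codes
    data: set = field(default_factory=set)       # data object identifiers
    period: Optional[tuple] = None               # (start, end) date range

    def matches(self, req):
        # Assumption: an empty criterion means "any"; populated ones must all match.
        pairs = [(self.recipients, req["recipient"]), (self.authors, req["author"]),
                 (self.purposes, req["purpose"]), (self.data, req["data"])]
        if any(allowed and value not in allowed for allowed, value in pairs):
            return False
        return self.period is None or self.period[0] <= req["date"] <= self.period[1]

@dataclass
class Consent:
    patient: str
    base_permit: bool                      # the all-or-nothing base decision
    exceptions: list = field(default_factory=list)

def decide(consent, req, default_permit=False):
    """Return 'permit' or 'deny' for one access request."""
    # Surrounding policy (not part of the Consent): no consent on file.
    if consent is None or consent.patient != req["patient"]:
        return "permit" if default_permit else "deny"
    # Assumption: matching exceptions override the base, and any subtraction wins.
    hits = [e.permit for e in consent.exceptions if e.matches(req)]
    if hits:
        return "permit" if all(hits) else "deny"
    return "permit" if consent.base_permit else "deny"

def request(**overrides):                  # constructed sample request
    base = {"patient": "patient-1", "recipient": "org-a", "author": "dr-x",
            "purpose": "TREAT", "data": "obs-1", "date": date(2016, 6, 1)}
    return {**base, **overrides}

# Constructed sample: permit base, minus research use, minus org-b during 2016.
SAMPLE = Consent("patient-1", True, [
    ConsentException(permit=False, purposes={"HRESCH"}),
    ConsentException(permit=False, recipients={"org-b"},
                     period=(date(2016, 1, 1), date(2016, 12, 31))),
])
```

The `default_permit` argument stands in for the surrounding policy's answer when no consent has been achieved; here it defaults to deny.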
Because there was discussion of some things that are clearly beyond what we are minimally trying to enable, I created some extensions: Authorization Service (such as OAuth/UMA); Computable Consent Rules (such as XACML); Notification endpoint to receive Disclosure events in AuditEvent form; and Witness reference for those that need to expose who was the witness.
There have been discussions of Digital Signature, but that is already supported through a Provenance.signature.
Clearly that is simpler than my first Consent resource.
Updated 5/30/2016: Fix FHIR spelling in the title, and add background policy that covers operations and case where no consent has been achieved.