Saturday, August 20, 2016

Consent Process

Too often Consent is seen as a one-time thing. It is far more than this. Here is an infographic.

My point with this is that there many big steps:

  • Defining Policy
  • Act of Consent from the Patient
  • Enforcing Consents 
  • Notification of Use
This graphic tends to imply these are four clean steps that are done in sequence. When actually they might happen in various sequences.

For example: Imagine a Research project that wants to use specific kinds of data. They do need to have their policies defined. They might have scouting authorization to find potential cohort participants. This scouting, only returns potential pseudonymous identifiers, no data. This access to find the potential cohort results in a notification to the patient that a specific Research project is interested. This notification encourages the patient to review the terms of the Research project and agree to participate. Thus now the Research project can access the data. 

More details to come. Articles on the Patient Privacy Choice topic, including past and future.


  1. Dear John, what do you mean research project here, is it clinical trials or any project like machine learning or analytics which uses data to derive insights out of it. Also, for normal research projects (analytics/AI), I think privacy consent directive scope is recommended in FHIR consent resource definition.

    1. The scope of any specific Privacy Consent would be defined in the Consent.policy. Thus there is no generic answer to the question. Some Consents may cover a very broad scope including Treatment, Payment, Operations, and use in AI algorithm training. While others may be specific only to a clinical trial for medication X covering COVID-19. The scope is important, and is often tied directly to PurposeOfUse vocabulary, so often the scope is defined in the .provision.purpose