Thursday, May 18, 2017

Consent to deny Sharing for Treatment and Emergency Break-Glass

We have discussed in years past that Australia had a Privacy Consent where break-glass was not allowed. We understand that has changed to allow break-glass. Thus we didn't know of a case where a Consent forbade break-glass... I have been made aware that the Utah HIE has a checkbox on their Consent to forbid break-glass. This is a consent only for the HIE, not for use within a hospital environment; but it is relevant to our FHIR consent (and CDA consent) work. Thus I think it is useful for us to provide it as an example, and work through how it might be expressed.

The Utah HIE Consent Form is:
https://uhin.org/wp-content/uploads/2017/01/cHIE_Patient_Participation_Form.pdf

Note that in the context of a FHIR Consent, this URL could be used as the Policy URI... It is a general form on which the Patient has some check boxes they can choose.

So, given that we have an example that forbids Treatment but allows Break-Glass (note: spell check needed): http://build.fhir.org/consent-example-Emergency.html

We should likely create an example that forbids both Treatment and Emergency (Break-Glass). Something like this:

<Consent xmlns="http://hl7.org/fhir">
  <id value="consent-example-No-Emergency"/>
  <text>
    <status value="generated"/>
    <div xmlns="http://www.w3.org/1999/xhtml">
      <p>Withhold Authorization for Treatment and for Emergency Treatment</p>
      <p>
        Patient &quot;P. van de Heuvel&quot; wishes to have no data shared for Treatment or Emergency treatment use.
        An overall consent Directive, with an exception
        &quot;Deny&quot; of purposeOfUse &quot;TREAT&quot; sharing use and
        &quot;Deny&quot; of purposeOfUse &quot;ETREAT&quot; sharing use
        at &quot;Infoway&quot; HIE.
      </p>
    </div>
  </text>
  <status value="active"/>
  <category>
    <coding>
      <system value="http://loinc.org"/>
      <code value="57016-8"/>
      <display value="Privacy policy acknowledgement Document"/>
    </coding>
  </category>
  <patient>
    <reference value="Patient/f001"/>
    <display value="P. van de Heuvel"/>
  </patient>
  <dateTime value="2017-05-08"/>
  <!-- not bound by a timeframe - Consent.period -->
  <!-- I assume the example given is Canada Infoway wide??? AND I assume it is desired to state that in the Consent.authority element -->
  <organization>
    <reference value="Organization/Infoway"/>
    <display value="Canada Infoway"/>
  </organization>
  <!-- the text terms of the consent in lawyer speak -->
  <sourceAttachment>
    <title value="The terms of the consent in lawyer speak."/>
    <!-- likely use url pointer to common text -->
  </sourceAttachment>
  <!-- this is opt-out - e.g. nothing approved unless otherwise stated. -->
  <policyRule value="https://uhin.org/wp-content/uploads/2017/01/cHIE_Patient_Participation_Form.pdf"/>
  <!-- this policyRule is a multiple use policy. The Patient has expressed both deny Treatment and deny Emergency -->
  <except>
    <type value="deny"/>
    <purpose>
      <system value="http://hl7.org/fhir/v3/ActReason"/>
      <code value="TREAT"/>
    </purpose>
  </except>
  <except>
    <type value="deny"/>
    <purpose>
      <system value="http://hl7.org/fhir/v3/ActReason"/>
      <code value="ETREAT"/>
    </purpose>
  </except>
</Consent>

I have filed a FHIR Change Request 13420.
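
An added example (not part of the original post or of the FHIR specification) of how an enforcement point could evaluate the `except` elements above, so that a break-glass request carrying purposeOfUse ETREAT is denied under this consent but falls through to the base decision when only TREAT is denied. The names `consent_xml` and `decide`, the deny-overrides rule, and the `base` parameter (the decision the policyRule implies when no except matches) are assumptions of this sketch; the sample consents are constructed, cut-down versions of the example.

```python
import xml.etree.ElementTree as ET

NS = {"f": "http://hl7.org/fhir"}
ACT_REASON = "http://hl7.org/fhir/v3/ActReason"

def consent_xml(denied_codes, status="active"):
    """Build a cut-down Consent (constructed sample): one deny except per code."""
    excepts = "".join(
        f'<except><type value="deny"/><purpose><system value="{ACT_REASON}"/>'
        f'<code value="{code}"/></purpose></except>' for code in denied_codes)
    return (f'<Consent xmlns="http://hl7.org/fhir"><status value="{status}"/>'
            f'<patient><reference value="Patient/f001"/></patient>'
            f'{excepts}</Consent>')

def _val(node, path):
    """Return the FHIR 'value' attribute of the element at path, or None."""
    el = node.find(path, NS)
    return el.get("value") if el is not None else None

def decide(xml_text, patient_ref, purpose_code, base="permit"):
    """Return 'permit' or 'deny' for one request with the given purposeOfUse.

    base is the decision assumed to follow from the policyRule when no
    except matches; how a policyRule URI maps to it is outside this sketch.
    """
    root = ET.fromstring(xml_text)
    # Only an active consent about the requested patient is enforced.
    if _val(root, "f:status") != "active":
        return base
    if _val(root, "f:patient/f:reference") != patient_ref:
        return base
    matched = set()
    for ex in root.findall("f:except", NS):
        for purpose in ex.findall("f:purpose", NS):
            if (_val(purpose, "f:system") == ACT_REASON
                    and _val(purpose, "f:code") == purpose_code):
                matched.add(_val(ex, "f:type"))
    # Deny overrides permit when excepts conflict (assumed combining rule).
    if "deny" in matched:
        return "deny"
    if "permit" in matched:
        return "permit"
    return base

# Constructed samples: the consent above, and one that denies only TREAT.
NO_EMERGENCY = consent_xml(["TREAT", "ETREAT"])
TREAT_ONLY = consent_xml(["TREAT"])

if __name__ == "__main__":
    for name, doc in (("no-emergency", NO_EMERGENCY), ("treat-only", TREAT_ONLY)):
        for code in ("TREAT", "ETREAT"):
            print(name, code, decide(doc, "Patient/f001", code))
```

The point for an access-control implementation is that the break-glass path must pass through the same consent evaluation with ETREAT as the purposeOfUse, rather than bypassing it.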


Corrected the example to make it more clear that it is a "Privacy Consent" by specifying the Consent.category.