Thursday, May 18, 2017

Consent to deny Sharing for Treatment and Emergency Break-Glass

We have discussed in years past that Australia had a Privacy Consent where break-glass was not allowed. We understand that has changed to allow break-glass. Thus we didn't know of a case where a Consent forbid break-glass... I have been made aware of Utah HIE that has a checkbox on their Consent to forbid break-glass. This is a consent only for HIE, not for within a hospital environment; but it is relevant to our FHIR consent (and CDA consent) work. Thus I think it is useful for us to provide it as an example, and work through how it might be expressed.

The Utah HIE Consent Form is

Note, that in the context of a FHIR consent; this URL could be used as the Policy URI...  It is a general form that the Patient has some check boxes they can choose.

So given that we have an example that forbids Treatment but allows Break-Glass  (Note spell check needed)

We should likely create an example that forbids both Treatment and Emergency (Break-Glass). Something like this:

<Consent xmlns="">  <id value="consent-example-No-Emergency"/> 
<status value="generated"/>
<div xmlns="">
<p>   Withhold Authorization for Treatment and for Emergency Treatment  </p> <p>     
Patient &quot;P. van de Heuvel&quot; wishes to have no data shared for Treatment or Emergency treatment use.   
An overall consent Directive, with an exception 
&quot;Deny&quot; of purposeOfUse &quot;TREAT&quot; sharing use and
&quot;Deny&quot; of purposeOfUse &quot;ETREAT&quot; sharing use
at &quot;Infoway&quot; HIE.   </p>
<status value="active"/>
   <system value=""/>
<code value="57016-8"/>
<display value="Privacy policy acknowledgement Document"/>
<reference value="Patient/f001"/>
<display value="P. van de Heuvel"/>
<dateTime value="2017-05-08"/>
<!--   not bound by a timeframe - Consent.period   -->
<!--   I assume the example given is Canada Infoway wide???  AND I assume it is desired to   state that in the Consent.authority element   -->
<reference value="Organization/Infoway"/>
<display value="Canada Infoway"/>
<!--   the text terms of the consent in lawyer speak   -->
<title value="The terms of the consent in lawyer speak."/>
<!--   likely use url pointer to common text   -->
<!--       this is opt-out - e.g. nothing approved unless otherwise stated.    -->
<policyRule value=""/> 
<!-- this policyRule is a multiple use policy. The Patient has expressed       both deny Treatment and deny Emergency  -->
<type value="deny"/>
<system value=""/>
<code value="TREAT"/>
<type value="deny"/>
<system value=""/>
<code value="ETREAT"/>
I have filed a FHIR Change Request 13420

Other Privacy Consent topics 

Corrected the example to make more clear it is a "Privacy Consent" by specifying the Consent.category.