The Privacy Consent on FHIR (PCF) profile has been published for public comment. The announcement follows:
The Privacy Consent on FHIR (PCF) Profile provides support for patient privacy consents and access control where a FHIR API is used to access Document Sharing Health Information Exchanges. This profile includes both Consent profiling and access control profiling of the OAuth access token.
This first release to Public Comment includes both Consent profiling and Access Control decisions and enforcement. The Consent profiling supports many Basic, Intermediate, and Advanced needs. There is a rudimentary set of privacy policies, and an Appendix that discusses the various attributes and considerations one must consider when writing the privacy policies to be used. This Appendix also includes discussion about refrains and obligations, the FHIR Consent fundamentals, and Security Labeling Service models. The PCF includes technical profiling on the OAuth (IUA) access token to enable decisions to be based on Consent and to carry residual rules for the enforcement point to enforce. The PCF includes technical profiling of the Consent with various complexity represented in Options to enable basic systems to improve over time to add features in support of intermediary and advanced use-cases. The profile includes 21 examples of Consents using the profiling, and for each of them shows the OAuth access token impact.