Published on December 30, 2024 · Written by Joshua Kelly

A Short History of Digital Consent in Healthcare

A short history of the evolution of digital consent in healthcare, from early standards like BPPC to modern initiatives like FAST Consent.

_At JPM this year? Join us in person in San Francisco on January 15, 2025 for Medplum & Flexpa: Devtools for research, commercialization and more in life sciences. We'll show you how to build specialized healthcare applications in life sciences. Register for an invite and let us know that you want to come to this engineering-focused event._

Nominative determinism is real, and when a healthcare IT working group is named FAST 🚀 (HL7 FHIR at Scale Taskforce), it’s a promising sign. Among FAST’s newer initiatives, FAST Consent stands out as a project with a ton of potential to address one of healthcare’s most persistent challenges: giving patients granular control over their health data.

The Foundation of Digital Consent

It may seem self-evident that patients should be able to manage who has access to their health data — it's our data, after all. However, the mechanisms that enable interoperable data sharing with robust privacy safeguards have proven complex to implement. Over the past two decades, a variety of stakeholder groups have tackled these challenges, yielding a rich landscape of standards, guidelines, and frameworks.

Flexpa has collected a timeline of the landmark initiatives in digital consent, ending with recent insights from FAST’s August 2023 "Consent at Scale" Discovery Report, which was the precursor report to the FAST Consent initiative.

If you're interested in learning more, you should definitely attend the bi-weekly FAST Consent working group community calls - we'll see you there!


A Timeline of Digital Consent Standards

Early Standards and Frameworks (Mid-2000s – Early 2010s)

The Integrating the Healthcare Enterprise (IHE) initiative was among the first to systematically address digital consent:

  • Basic Patient Privacy Consents (BPPC) – circa 2006–2008
    Pioneered a standardized approach for capturing high-level patient privacy preferences across organizations and HIEs.

  • Advanced Patient Privacy Consents (APPC) – Early to Mid-2010s
    Extended BPPC to support finer-grained consent policies (e.g., partial data sharing). While adoption was limited, it laid important groundwork for more nuanced rules.

  • Privacy Consent on FHIR (PCF) Implementation Guide – Late 2010s
    Adapted IHE’s privacy concepts to the FHIR ecosystem, demonstrating how FHIR resources can encode and enforce consent directives.

International Standards and Modern Frameworks (Mid-2010s – Early 2020s)

Global standard-setting bodies introduced user-centric models for documenting, proving, and verifying consent:

  • Kantara Initiative’s Consent Receipt – 2016–2017 → ISO 29184 (2020)
    Designed as a standardized method for capturing user consent events. Adoption into ISO 29184 reinforced its global significance.

  • Anchored Notice and Consent Receipt Record (ANCR Record) – Late 2010s – Early 2020s
    Builds on the Consent Receipt concept by anchoring consent details with auditable proofs, making it more robust and transparent.

Government and Industry Initiatives (Late 2010s – Present)

Government-led programs and private-sector collaborations have further advanced the conversation:

  • ONC’s LEAP Computable Consent Project – ~2019
    Explores machine-readable consent models and real-world implementations to inform national policy. This was an important and major initiative - and is also a FHIR-native approach (see below). As Mohammad Jafari describes it:

    The project proved how computable consents, based on the FHIR Consent resource, can be used to capture, manage, and enforce patients’ privacy preferences in a wide range of use cases, including exchange of patient information between providers, research, treatment, and advance healthcare directives, as well as across different technologies including HL7v2.0 messaging, eHealth Exchange, Direct Exchange, and FHIR.

  • DirectTrust’s Privacy Enhancing Health Record Locator Service (PEHRLS) – Early 2020s
    Focuses on enabling secure, privacy-protecting data exchange across organizations—though not a formal “standard,” it shows innovation in practical service frameworks.

  • Project Unify and Stewards of Change – 2010s–Ongoing
    Targets multi-stakeholder, cross-jurisdictional data-sharing models that could inform regional or nationwide consent frameworks.

  • TEFCA (Trusted Exchange Framework and Common Agreement) – Post-2016
    Evolving from the 21st Century Cures Act, TEFCA introduced “Individual Access Services” and a more concrete take on patient consent for nationwide interoperability.

FHIR-Native Approaches (Late 2010s – Present)

FHIR (Fast Healthcare Interoperability Resources) has become the de facto standard for modern healthcare data exchange, introducing consent models tailored to its resource-based architecture:

Regional and Specialized Solutions (Mid-2010s – Present)

State and regional networks, alongside specialized workgroups, have introduced consent platforms tailored to local contexts and patient populations:

  • MiHIN’s HIE Consent Management Platform – 2010s
    A statewide system (Michigan) implementing an end-to-end electronic consent process for specially protected health information.

  • BPM+ Health Consent Workflows – Late 2010s
    Applies business process modeling (BPM) to clinical and administrative workflows, ensuring privacy rules can be both executed and audited.

  • SHIFT Interoperability Group (formerly PP2PI) – Emerging in the 2020s
    Plans pilots (e.g., at HIMSS) exploring equitable data sharing, privacy, and identity. Illustrates how cross-organizational solutions can flourish when multiple stakeholders align.


Recent Insights: FAST “Consent at Scale” Discovery Report (August 2023)

In August 2023, FAST published its Consent at Scale Discovery Report, a landscape assessment revealing key coverage gaps in existing consent standards — and recommending how FAST Consent can fill them. Below are several highlights:

  1. Scaling Consent Across Organizations

    • Many frameworks (e.g., LEAP Consent, Stewards of Change) partially address multi-party scenarios or decentralized consent management. However, full "consent at scale" requires robust bulk operations, delegated consent workflows (e.g., minors/adolescents), and cross-organization identity management (per the FAST Identity IG).
  2. US Core Consent Profile

    • The report recommends creating a US Core profile on the FHIR Consent resource. This profile would narrow down a standard set of attributes and value sets suitable for privacy and research use cases in U.S. healthcare.
    • Adopting such a profile at scale could pave the way for regulators and vendors to invest in a consistent consent workflow, bridging FHIR DS4P, IHE’s PCF, and other existing guides.
  3. Consent Management Implementation Guide

    • Beyond just the resource definition, the community needs actionable workflows—sometimes called "consent ceremonies."
    • The recommended IG would explain how to handle multi-party approval, partial completions, revocations, and advanced use cases like delegations or “bulk invites” for an entire population.
    • It would also detail how to leverage additional FHIR resources (e.g., Task, Questionnaire, Subscription, AuditEvent, Provenance) to implement more sophisticated user journeys and auditing.
  4. Consent Decision & Enforcement APIs

    • The report emphasizes the separation of decision logic from enforcement logic, enabling external consent engines to evaluate requests consistently.
    • This approach allows different applications and services to query a standardized “Consent Decision API,” receive the verdict, and then enforce or deny data access accordingly.
  5. Handling Instructions & Residual Policies

    • A recurring theme is the need to communicate extra obligations (“delete after use”) or refrains (“do not further disclose”) to downstream systems.
    • The FHIR Data Segmentation for Privacy (DS4P) IG and IHE’s PCF provide starting points, but further work is needed for real-world adoption.
  6. Audit and Transparency

    • The report calls for robust “disclosure audit infrastructure” so that patients and auditors can see which transactions were authorized or denied by a given consent, essential for trust and continuous improvement.
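The separation described in highlights 4 to 6 can be sketched in a few lines. This is an added example, not code from the report, from FAST, or from Flexpa: the consent record is a constructed, simplified structure (not a conformant FHIR Consent resource), and the names decide, enforce, Verdict, the rule fields and the "sensitive" label are all hypothetical. It assumes deny-overrides semantics and fails closed when the consent is not active.

```python
from dataclasses import dataclass, field

# Constructed, simplified consent record: NOT a conformant FHIR Consent resource.
CONSENT = {
    "status": "active",
    "default": "deny",
    "rules": [
        {"decision": "permit", "recipient": "Organization/payer-b", "purpose": "TREAT",
         "obligations": ["do-not-further-disclose"]},
        {"decision": "deny", "recipient": "Organization/payer-b", "purpose": "TREAT",
         "labels": ["sensitive"]},
    ],
}
# Constructed records; "labels" stands in for security labels carried by the data.
RECORDS = [{"id": "obs-1", "labels": []}, {"id": "obs-2", "labels": ["sensitive"]}]

@dataclass
class Verdict:
    decision: str
    obligations: list = field(default_factory=list)

def decide(consent, recipient, purpose, labels):
    """Decision point: evaluates a request against the consent, touches no data."""
    if consent["status"] != "active":
        return Verdict("deny")  # assumption: revoked or inactive consent fails closed
    matched = [r for r in consent["rules"]
               if r["recipient"] == recipient and r["purpose"] == purpose
               and (not r.get("labels") or set(r["labels"]) & set(labels))]
    if any(r["decision"] == "deny" for r in matched):
        return Verdict("deny")  # an explicit deny overrides any permit
    permits = [r for r in matched if r["decision"] == "permit"]
    if permits:
        obligations = sorted({o for r in permits for o in r.get("obligations", [])})
        return Verdict("permit", obligations)
    return Verdict(consent["default"])  # nothing matched: fall back to the default

def enforce(consent, recipient, purpose, records, audit_log):
    """Enforcement point: applies each verdict, forwards obligations, audits both outcomes."""
    released = []
    for rec in records:
        verdict = decide(consent, recipient, purpose, rec["labels"])
        audit_log.append({"record": rec["id"], "recipient": recipient,
                          "purpose": purpose, "decision": verdict.decision})
        if verdict.decision == "permit":
            released.append({**rec, "obligations": verdict.obligations})
    return released
```

Because decide() never sees the records themselves, the same verdict logic can sit behind a shared service while each data holder keeps its own enforce() step and audit log.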

Why This Matters for FAST Consent

FAST Consent is uniquely positioned to integrate these insights:

  • Leverage Existing IGs, Bridge the Gaps
    By using FHIR Consent, DS4P, IHE PCF, and lessons from LEAP or SHIFT, FAST Consent can focus on unifying the best ideas, ensuring they operate seamlessly at scale.

  • Develop US Core Consent + Implementation Guide
    Building and championing a US Core Consent profile plus a Consent Management Implementation Guide will help standardize how developers implement consent use cases, from simple “record and fetch” scenarios to complex delegation workflows.

  • Enable Interoperable, Computable Consent
    True “consent at scale” demands machine-readable, widely accepted standards. FAST can help finalize the APIs and workflows that make consent decisions portable and trustworthy across organizational boundaries.


The Path Forward

Digital consent in healthcare has evolved significantly, but the real challenge remains: How do we make consent truly scalable and interoperable across diverse systems, organizations, and patient needs?

Flexpa is excited to be a part of the answer to this question - patient consent is a critical part of our mission to refactor healthcare. Major new initiatives like CMS-0057 are bringing consent to the forefront. At the January HL7 Connectathon, Flexpa will become the first public implementer of member consent management and records retrieval for CMS-0057 Payer-to-Payer data exchange.

Head over to the report to read our full analysis and takeaways ->