John Moehrke about FHIR servers

Introduction to the FHIR Standard and Privacy Consents
The discussion begins with an exploration of how the FHIR standard can be utilized to support privacy consents. The speaker, who serves as a co-chair for both the HL7 Security Workgroup and IAG's IT infrastructure, expresses enthusiasm for the growing interest in this topic. The focus is on an implementation guide from IAG that employs the FHIR consent resource, highlighting its relevance for upcoming presentations.

 

Foundations of Privacy Consent
This section covers the foundational aspects of privacy consent, including capturing different types of consents and making authorization decisions. The speaker distinguishes between simple consents, which may not require standardization within organizations, and centralized consent authorities that facilitate health information exchanges. The importance of understanding implied versus explicit consent is emphasized, alongside the introduction of intermediate and advanced consent types that leverage OAuth and data tagging.

 

Writing Privacy Policies
The writing of privacy policies is identified as a critical aspect of managing consent. This involves determining who has authority over consents, addressing conflicting consents, and establishing audit logging protocols. The speaker advocates for security labeling services to identify sensitive information within datasets, setting the stage for effective management of privacy consents.

 

Recording Consent Ceremonies
Here, the focus shifts to how to document consent ceremonies effectively. The speaker discusses maintaining privacy consents over time due to evolving policies and workflows. The integration of consent enforcement into OAuth flows is highlighted, illustrating how these elements interact within the broader framework of privacy consent.

 

Access Control Mechanisms
This section outlines the mechanisms for access control related to privacy consents. A diagram illustrates the classic OAuth triplet alongside additional consent authorization servers that aid in making access control decisions. The speaker explains how these components work together to determine whether access should be granted or denied based on specific consent conditions.

 

Advanced Consent Scenarios
The discussion progresses to advanced consent scenarios that utilize security labeling services. These services classify sensitive information and allow for nuanced consent options, enabling users to specify what information can be shared under certain conditions. This complexity in managing privacy consents is emphasized as essential for effective healthcare data management.

 

Conclusion and Future Directions
In conclusion, the speaker opens the floor for questions regarding real-world implementation of these concepts. They stress the need for a maturity model that helps implementers navigate federal and state privacy requirements effectively. Ongoing dialogue within working groups focused on consent frameworks is encouraged as a pathway for future development in this area.