By Hans Buitendijk, Chair, EHR Association Privacy & Consent Task Force

In Part One of this two-part blog series, we introduced the challenges in today’s privacy and consent management landscape and discussed different approaches for rules management. In Part Two, we put forth a proposed roadmap for establishing the necessary framework for privacy and consent management. 

A Roadmap for a Complex Infrastructure

Defining the critical components and standards, and establishing the necessary infrastructure is no small undertaking. It is not sufficient to simply have standards on how to communicate any tags, such as HL7 DS4P for documents, FHIR Security Labels for FHIR resources, and the ARV segment for HL7 v2. Not only that, but more is needed when v2, CDA, or FHIR are used to communicate data that must have tags beyond the data itself to enable evaluation of rules by the receiving system. This is especially true when data can be exchanged in many other formats and ways, including proprietary formats, and when sensitivity is based on the context of multiple data elements that, on their own, would not be considered sensitive, as well as when a patient’s data sharing rules may not involve a well-defined set of data values.

The $64,000 question is, how can we make progress?