The HL7® FHIR® Connectathon Consumer Centered Data Exchange Track
In my previous article, Patient Consent Forms: Redundant in the World of OAuth, Part 1, I suggested that providers design their OAuth2 authorization challenge as a patient consent form, so that patient consent is recorded digitally during the OAuth dance. This would let providers share patient health records with patient-facing health apps far more efficiently, without separate paper or PDF consent forms, while still meeting policy and regulatory requirements.
In this post, I will walk through a specific example of how to do this, and also discuss how providers' and patients' perspectives on consent differ.
OAuth2 Authorization Challenge as a Patient Consent Form
First, let's consider the scenarios from the Consumer Centered Data Exchange track at FHIR Connectathon 16 in San Diego: a patient app pulls the patient's health records from all of their providers into one place, or causes their EMR data to be sent from provider A to provider B. In both scenarios the provider may need an explicit consent or authorization form (often paper-based) signed by the patient. So, how can we use the OAuth2 challenge instead to capture patient consent?
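As an added illustration of the question just posed (example code, not from the original post, the Connectathon track, or any real EHR vendor), here is a minimal authorization endpoint whose approval screen is the consent form: the SMART-style scopes the app requests are rendered as plain-language consent lines, the patient's ticks become a FHIR R4 Consent-shaped record, and the authorization code and token are bound to that record. The client registry, scope catalogue, terminology codes, the use of `provision.data` to list granted scopes, and the in-memory stores are all constructed assumptions.

```python
"""Added example (not code from the original post or from the Connectathon
track): an OAuth2 authorization endpoint whose approval screen *is* the
patient consent form. The client registry, scope catalogue, terminology codes
and in-memory stores are constructed assumptions for illustration."""
import base64
import json
import secrets
from datetime import datetime, timezone
from urllib.parse import urlencode

# Constructed client registry. Redirect URIs are registered in advance so the
# consent screen can never hand a code to an unregistered callback.
CLIENT_REGISTRY = {
    "patient-app-123": {
        "name": "MyHealth Aggregator",
        "redirect_uris": ["https://app.example/callback"],
    }
}

# Constructed catalogue: each SMART-style scope maps to the plain-language
# line the patient actually reads on the authorization screen.
SCOPE_TEXT = {
    "patient/Observation.read": "Read your lab results and vital signs",
    "patient/MedicationRequest.read": "Read your prescriptions",
    "patient/Condition.read": "Read your diagnoses",
}

CONSENTS = {}    # consent id -> FHIR Consent-shaped record (in-memory stand-in)
AUTH_CODES = {}  # authorization code -> grant bound to a consent id


def consent_screen(client_id, requested_scopes):
    """Render the authorization challenge as a consent form. Scopes without
    a patient-readable line are dropped from the form rather than granted."""
    client = CLIENT_REGISTRY.get(client_id)
    if client is None:
        raise ValueError("unknown client")
    items = [(s, SCOPE_TEXT[s]) for s in requested_scopes if s in SCOPE_TEXT]
    return {"app": client["name"], "items": items}


def record_consent(patient_id, client_id, granted_scopes, displayed_form):
    """Store the patient's decision as a FHIR R4 Consent-shaped resource.
    The element layout follows R4 Consent; the specific codes and the use of
    provision.data to list granted scopes are assumptions for this example."""
    consent_id = secrets.token_hex(8)
    shown = base64.b64encode(json.dumps(displayed_form).encode()).decode()
    consent = {
        "resourceType": "Consent",
        "id": consent_id,
        "status": "active",
        "scope": {"coding": [{"system": "http://terminology.hl7.org/CodeSystem/consentscope",
                              "code": "patient-privacy"}]},
        "patient": {"reference": f"Patient/{patient_id}"},
        "dateTime": datetime.now(timezone.utc).isoformat(),
        "performer": [{"reference": f"Patient/{patient_id}"}],
        # Exact text the patient saw, kept for audit (Attachment.data is base64).
        "sourceAttachment": {"contentType": "application/json", "data": shown},
        "provision": {
            "type": "permit",
            "actor": [{"role": {"text": "OAuth2 client"},
                       "reference": {"display": client_id}}],
            "data": [{"meaning": "related", "reference": {"display": s}}
                     for s in granted_scopes],
        },
    }
    CONSENTS[consent_id] = consent
    return consent


def authorize(patient_id, client_id, redirect_uri, requested_scopes,
              approved_scopes, state):
    """Handle the patient's Approve/Deny click on the consent screen.
    Returns the redirect URL the browser is sent to (OAuth2 code flow)."""
    client = CLIENT_REGISTRY.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        raise ValueError("unregistered client or redirect_uri")
    form = consent_screen(client_id, requested_scopes)
    offered = {s for s, _ in form["items"]}
    # Grant only the intersection of what was shown and what was ticked.
    granted = sorted(set(approved_scopes) & offered)
    if not granted:
        return f"{redirect_uri}?" + urlencode({"error": "access_denied", "state": state})
    consent = record_consent(patient_id, client_id, granted, form)
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                        "patient": patient_id, "scopes": granted,
                        "consent_id": consent["id"]}
    return f"{redirect_uri}?" + urlencode({"code": code, "state": state})


def exchange_code(code, client_id, redirect_uri):
    """Token endpoint: single-use code; client and redirect_uri must match.
    The token carries the consent id so every later FHIR read is traceable."""
    grant = AUTH_CODES.pop(code, None)
    if (grant is None or grant["client_id"] != client_id
            or grant["redirect_uri"] != redirect_uri):
        raise ValueError("invalid authorization code")
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "scope": " ".join(grant["scopes"]), "patient": grant["patient"],
            "consent_id": grant["consent_id"]}
```

The design points worth noticing: the token's `scope` is derived from the recorded consent, never from the raw request, so an app cannot receive more than the patient ticked; the form the patient actually saw is stored with the consent for later dispute handling; and the code is single-use and pinned to the registered `redirect_uri`, which is what makes the consent record trustworthy as evidence.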