The Standard

The Official Blog of Health Level Seven® International
visit HL7.org 

From Fragmentation to Trust: How FAST Consent Enables Patient Empowerment and Scalable, Secure Data Sharing

[fa icon="calendar"] May 21, 2026 12:44:29 PM / by Janice Reese

FAST

Co-authored by Kevin Day, Consent Implementation Guide Co-Lead, FAST FHIR Accelerator

MEET MARIA

Maria is 62 and just home from the hospital after a procedure that requires careful follow-up. Her care team has discharged her with medications, recovery instructions, and a treatment plan her health plan put in place to manage cost. Her husband took time off work to help her recover at home—administering medications, watching for warning signs, coordinating with the visiting home health nurse, and calling the health plan when questions came up about coverage and the treatment plan.

There is one complication. Decades ago, before Maria met her husband, she received sensitive care she has chosen not to share with him; care that is in her medical record and always will be. So when the hospital asked Maria at discharge whether she wanted to grant her husband access to her clinical information, she faced a binary choice: all or nothing. There was no option to share the medications and care plan he needed while keeping the rest of her history private. The system doesn't support that nuance, so Maria selected nothing.

Her husband helps her recover with whatever Maria can tell him in the moment—what each pill is for, when the next appointment is, and what the home health nurse said. When he calls the health plan to ask why one therapy was authorized but another was not, he is told he is not on the consent and the conversation cannot continue. The clinical care suffers. So does the emotional care. Two weeks in, he is frustrated, and Maria is exhausted from carrying both her recovery and the running translation of her own chart.

Maria’s story is not unusual. Across the country, patients, providers, payers, and the family members who do the actual work of recovery face a quiet crisis hiding inside healthcare’s interoperability progress: the problem of consent.

The Hidden Roadblock: When Consent Doesn’t Scale

Healthcare interoperability has made remarkable strides. Data can now move faster, further, and more securely than ever before. Yet one foundational challenge continues to limit what that progress can achieve: how patient consent is captured, communicated, and enforced across organizations.

Today, consent is fragmented. A patient authorizes data sharing at one organization, but that authorization rarely travels with the data. In the context of data privacy and consent, a “policy” is the set of provisions that govern a specific grantor–grantee relationship—what may be disclosed, to whom, for what purpose, for how long, and under what conditions. Those provisions also drive enforcement decisions when consents conflict, such as when an additive permission from one source overlaps with a restriction from another. The operational burden of capturing them varies widely depending on the setting. In clinical environments, consent is typically tied to an encounter or event, such as a 30-minute office visit or a three-week inpatient stay, and expires when that event ends. Health plans, by contrast, capture consent that remains valid until a specified expiration date or until the patient revokes it. The result is a tangled consent relationship tree, where each branch—provider, payer, app, caregiver, personal representative—holds a different fragment of the patient’s intent, with different lifespans, scopes, and enforcement rules. Because no two systems interpret these provisions the same way, organizations fall back on manual review to reconcile conflicts, slowing workflows to a crawl at the exact moments when trust matters most. Compliance burden rises. Patients are left in the dark about how their information is used. And interoperability stalls precisely where it should accelerate.

This is the problem the HL7® FHIR® at Scale Taskforce (FAST) set out to solve.

FAST Consent: Infrastructure, Not Overhead

What if consent worked the way the internet works—as reliable, invisible infrastructure that simply functions, everywhere, every time?

That is the vision behind FAST Consent: a standardized, distributed, event-driven consent framework built on FHIR that functions as foundational infrastructure for the entire healthcare ecosystem. Rather than centralizing consent in a single repository, FAST enables a distributed model where:

  • Consent is captured and managed at the source
  • It can be discovered across networks and organizations using standardized queries
  • It is interpreted consistently using shared profiles, value sets, and semantics

The result is consent that is portable and computable—capable of supporting real-time decision-making wherever data exchange occurs, without requiring manual intervention or duplicated effort.

Built for a Multi-Network World

Healthcare data exchange does not happen in a single network—it happens across many: payer-to-provider, QHIN-to-QHIN, HIE-to-public health, app-to-EHR. FAST Consent is designed with this complexity in mind.

Using standardized FHIR Consent profiles and search parameters, participants in any of these environments can:

  • Determine whether patient consent exists for a given data exchange
  • Understand what categories of data are authorized to be shared
  • Identify authorized individuals and delegates (such as caregivers or guardians)
  • Carry forward, across organizational boundaries, the specific provisions captured during the consent ceremony—the legally identified grantor and grantee, and the additive or restrictive privileges that extend or limit access beyond what federal or state law would otherwise grant—so downstream systems can enforce them consistently

Think of it as a shared consent layer that travels with the transaction—enabling trust without requiring tight coupling between systems or organizations.

The Consent Relationship Tree: A Living Graph, Not a Static Document

To understand why FAST Consent is structured the way it is, it helps to picture consent not as a document but as a living relationship graph—a tree.

The root is the patient—the source of all authority. Every downstream relationship traces back to the root, which is what makes patient-centric control real rather than rhetorical and what aligns FAST Consent with TEFCA’s Individual Access Services expectations and CMS Aligned Networks requirements for patient preference and control.

The branches are the relationships the patient extends to others: provider organizations, payers, digital health apps, caregivers, family members, and legal proxies. Some branches are direct—patient to specialist. Others are delegated—from patient to caregiver to specialist—and the branching can extend further as networks query one another. A patient consents to Provider A; Provider A participates in Network X; Network X queries Payer B through another network. The tree grows: Patient → Provider A → Network X → Payer B. FAST Consent standardizes how that chain of trust is expressed, queried, and validated end to end.

The leaves are the specific permissions: what each authorized actor may do, for what purpose, over what data, for how long, and under what obligations. A single leaf might authorize treatment access; another, payment operations such as prior authorization; another, data sharing for care coordination; another, research use; another, a time-bound disclosure to a delegate with an explicit no-redisclosure obligation. Each leaf has its own purpose, use, scope, duration, and conditions.

This model also serves as the bridge to the rest of the FAST stack. FAST Identity verifies who sits at each node in the tree. FAST Security enables trusted exchange between nodes. The FAST National Directory (NDH) helps participants discover the endpoints and organizations on each branch. FAST Consent governs the relationships and the permissions that flow between them.

Consider how this plays out for Maria. After a hospital stay, her care plan calls for in-home follow-up services, and Maria asks her spouse to help coordinate them. Through her health system, Maria grants her spouse limited access to her clinical information—a scoped consent that captures exactly which categories of data may be shared, for what purpose, and for how long. As part of an established care management arrangement between the two organizations, Maria’s health system shares that clinical information with her health plan, and the same patient-authorized scope governs how each organization treats the data.

Now Maria’s spouse opens a mobile app to help track her recovery. The app calls the health plan’s Patient Access API. The system identifies the requester as the spouse, recognizes that the underlying PHI belongs to Maria, the subscriber, and searches for a consent in which Maria is the grantor and her spouse is the grantee. It finds one—captured at the health system, propagated to the health plan, recognized everywhere in between. The consent’s provisions are enforced at response time: any PHI outside the scope that Maria authorized is filtered out before the data ever reaches the app. Maria never had to contact her health plan to repeat the consent ceremony. The provider organization captured her intent once. The network carried it. Every system enforced it. That is the power of a network-based approach to consent management.

The tree is what makes the difference between a static, organization-specific PDF and a composable, queryable, machine-readable graph. It is what allows FAST Consent to support delegation, multi-hop trust, and cross-network discoverability. And it is what drives the event-driven lifecycle—solicit, grant, update, revoke, audit—that lets every node react the moment the patient changes their mind.

From Static Snapshots to Living Consent: The Power of Event-Driven Workflows

Perhaps the most significant innovation in FAST Consent is the shift from static consent records to real-time, event-driven awareness.

Using FHIR Subscriptions, FAST defines Consent-specific notification topics that alert systems when key events occur:

  • A patient grants or updates their consent
  • Consent is revoked
  • A delegation is established or changed
  • Data is disclosed under an active consent

Return to Maria’s story for a moment. In a FAST-enabled world, when Maria updates her consent preferences through her patient portal, that change propagates immediately across every connected system. Her new primary care physician receives an alert. The data that was previously inaccessible is now available—in real time, with full auditability, and in alignment with exactly what Maria authorized.

Systems move from reactive consent validation to proactive consent orchestration. The difference, in practice, can be the difference between timely care and a missed diagnosis.

Putting the Patient Back in Control

At its core, FAST Consent is about one thing: making consent meaningful to the patient.

Too often, consent has been treated as a one-time administrative checkbox, a signature on a form that patients sign at check-in without fully understanding its implications. FAST Consent transforms consent into something active, transparent, and enforceable:

  • Consent preferences propagate from the originating EHR to every connected system through FHIR Subscriptions, so the patient’s authorization remains in force across each system that participates in downstream exchange
  • Delegation models—caregivers, guardians, family members—are consistently recognized and honored
  • Data access aligns directly with individual intent, not just institutional policy

For the Marias of the world, this is the difference between being a passive subject of the healthcare system and an empowered participant in their own care.

Reducing Burden Across the Ecosystem

Patient empowerment and operational efficiency are not competing goals—FAST Consent delivers both.

For Providers and Payers

  • Ambiguity in data sharing decisions is reduced, enabling automation in workflows such as prior authorization and care coordination
  • Compliance with evolving federal and state requirements becomes more consistent and auditable 

For Networks and HIEs

  • Cross-network consent discovery and enforcement become possible without costly point-to-point agreements
  • Duplication and fragmentation of consent management systems is significantly reduced 

For Regulators and Policymakers

  • A scalable framework aligned with CMS Aligned Networks and TEFCA is now within reach
  • Auditability and policy enforcement at national scale become operationally feasible

The Trust Stack: Identity, Security, and Consent Working Together

Consent alone cannot establish trust. It must operate in coordination with identity and security—and FAST addresses all three.

Layer

FAST Implementation Guide

What It Addresses

Who (Identity)

FAST Identity

How individuals and entities are identified; federated identity models; verified identity assertions

How (Security)

FAST Security

Trusted exchange mechanisms, certificate-based identity, UDAP, and dynamic client registration

What (Consent)

FAST Consent

What is permitted: authorization, delegation, and patient data sharing preferences

Together, these three implementation guides form a cohesive Trust Track—enabling end-to-end trust across networks, secure and policy-aligned workflows, and scalable interoperability aligned with CMS and national priorities.

Looking Ahead: Consent as Core Infrastructure

FAST Consent is scheduled for publication in June 2026 and represents a pivotal step toward operationalizing interoperability at a national scale.

As healthcare evolves toward a network-of-networks model—where data flows across TEFCA QHINs, CMS Aligned Networks, payer ecosystems, HIEs, and patient-facing apps—the ability to discover consent, respond to real-time changes, and consistently enforce patient preferences will be essential plumbing. Not a feature. Not an add-on. Infrastructure.

Picture Maria’s discharge in a FAST-enabled world. Instead of the binary choice she faced, the hospital offers her scoped consent. Maria grants her husband access to everything related to her current care—medications, the treatment plan, the home health visit notes, the conversations with the health plan—and excludes the sensitive history she has chosen to keep private. The hospital captures that scope once. The health plan recognizes this through the care management arrangement already in place between the two organizations. When her husband checks her medication schedule on a mobile app, the consent is enforced at response time, and he sees exactly what he needs. When he calls the health plan to ask why one therapy was authorized, and another was not, the representative can speak with him within the scope Maria authorized. When the home health nurse arrives, the clinical context her husband needs is available to him as well. The sensitive history stays exactly where Maria wants it—with her. The clinical care holds together. The emotional toll of binary consent is gone. That is what consent-as-infrastructure delivers.

For Maria, for her husband, and for the millions of patients and families whose care depends on trusted data sharing, that infrastructure cannot come soon enough.

Get Involved with FAST 

FAST welcomes participation from across the healthcare ecosystem—payers, providers, health IT vendors, HIEs, and policymakers. If you believe that trusted, patient-centered data sharing should be seamless, scalable, and secure, we want to hear from you.

Join us in building the future of healthcare interoperability.

Learn more at hl7.org/FAST

Be sure to follow the FAST LinkedIn page to stay up to date on where FAST is presenting and other timely news.

Topics: FHIR, CMS, FHIR Accelerator, FAST, FHIR Implementation Guides, FHIR Community, FAST Consent, CMS Aligned Networks Pledge

Janice Reese

Written by Janice Reese

Janice Reese is the program manager for HL7 FAST (FHIR at Scale Taskforce) FHIR Accelerator.

Lists by Topic

see all

Posts by Topic

see all

About HL7

Health Level Seven® International (HL7) is an ANSI-accredited, not-for-profit standards developing organization with the mission of empowering global health interoperability. With affiliates in over 30 countries, HL7’s global membership envisions a world in which everyone can securely access and use the right data when and where they need it. Widely implemented by vendor and healthcare systems, and required by governing bodies around the world, HL7 standards deliver solutions for health information technology, including HL7® Fast Healthcare Interoperability Resources (FHIR®), Version 2 (V2) and Clinical Document Architecture (CDA®).

Learn More

More Links

Contact Us

[fa icon="phone"]  +1 (734) 677-7777

[fa icon="envelope"]  HL7blog@HL7.org

[fa icon="linkedin-square"]Linkedin [fa icon="twitter-square"]X

® Health Level Seven, HL7, CDA, FHIR and the FHIR [FLAME DESIGN] are registered trademarks of Health Level Seven International, registered in the US Patent and Trademark Office.
Copyright 2026 | Designed with [fa icon="heart"] by HubSpot
[fa icon="chevron-up"]Back to top