The Standard

Co-authored by Kevin Day, Consent Implementation Guide Co-Lead, FAST FHIR Accelerator

MEET MARIA

Maria is 62 and just home from the hospital after a procedure that requires careful follow-up. Her care team has discharged her with medications, recovery instructions, and a treatment plan her health plan put in place to manage cost. Her husband took time off work to help her recover at home—administering medications, watching for warning signs, coordinating with the visiting home health nurse, and calling the health plan when questions came up about coverage and the treatment plan.

There is one complication. Decades ago, before Maria met her husband, she received sensitive care she has chosen not to share with him; care that is in her medical record and always will be. So when the hospital asked Maria at discharge whether she wanted to grant her husband access to her clinical information, she faced a binary choice: all or nothing. There was no option to share the medications and care plan he needed while keeping the rest of her history private. The system doesn't support that nuance, so Maria selected nothing.

Her husband helps her recover with whatever Maria can tell him in the moment—what each pill is for, when the next appointment is, and what the home health nurse said. When he calls the health plan to ask why one therapy was authorized but another was not, he is told he is not on the consent and the conversation cannot continue. The clinical care suffers. So does the emotional care. Two weeks in, he is frustrated, and Maria is exhausted from carrying both her recovery and the running translation of her own chart.

Maria’s story is not unusual. Across the country, patients, providers, payers, and the family members who do the actual work of recovery face a quiet crisis hiding inside healthcare’s interoperability progress: the problem of consent.

The Hidden Roadblock: When Consent Doesn’t Scale

Healthcare interoperability has made remarkable strides. Data can now move faster, further, and more securely than ever before. Yet one foundational challenge continues to limit what that progress can achieve: how patient consent is captured, communicated, and enforced across organizations.

Today, consent is fragmented. A patient authorizes data sharing at one organization, but that authorization rarely travels with the data. In the context of data privacy and consent, a “policy” is the set of provisions that govern a specific grantor–grantee relationship—what may be disclosed, to whom, for what purpose, for how long, and under what conditions. Those provisions also drive enforcement decisions when consents conflict, such as when an additive permission from one source overlaps with a restriction from another. The operational burden of capturing them varies widely depending on the setting. In clinical environments, consent is typically tied to an encounter or event, such as a 30-minute office visit or a three-week inpatient stay, and expires when that event ends. Health plans, by contrast, capture consent that remains valid until a specified expiration date or until the patient revokes it. The result is a tangled consent relationship tree, where each branch—provider, payer, app, caregiver, personal representative—holds a different fragment of the patient’s intent, with different lifespans, scopes, and enforcement rules. Because no two systems interpret these provisions the same way, organizations fall back on manual review to reconcile conflicts, slowing workflows to a crawl at the exact moments when trust matters most. Compliance burden rises. Patients are left in the dark about how their information is used. And interoperability stalls precisely where it should accelerate.

This is the problem the HL7® FHIR® at Scale Taskforce (FAST) set out to solve.

How States Can Move From Fragmented Programs to Shared, Scalable Infrastructure Using FAST

The CMS Aligned Networks Pledge marks a clear inflection point in federal health IT policy. For the first time, Centers for Medicare & Medicaid Services (CMS) is not simply setting compliance requirements for individual programs—it is asking the healthcare ecosystem to operate as connected networks, capable of secure, real-time, standards-based data exchange across payers, providers, public health and patients.

For states, this shift is significant.

States are no longer just one participant among many. They are increasingly the anchor for trust, identity, consent and directory infrastructure that enable CMS-aligned networks to function at scale. Medicaid programs, state CIO offices and HIEs sit at the intersection of policy, operations and technology. The CMS Aligned Networks Pledge makes that role explicit.

This blog explains:

1. What the CMS Aligned Networks Pledge really changes for states
2. Why traditional, program-by-program approaches will not scale
3. How the  HL7® FHIR® at Scale Taskforce (FAST)  provides the infrastructure states can reuse across initiatives
4. How states can leverage existing systems and vendors without starting over

The CMS Aligned Networks Pledge: A Shift from Programs to Infrastructure

Historically, CMS initiatives have been implemented as discrete programs:

• A new reporting requirement
• A new API mandate
• A new exchange use case
• Trusted digital identity and patient matching
• Scalable security and partner onboarding
• Computable, portable consent
• Authoritative directories for endpoint discovery

The CMS Aligned Networks Pledge represents a different expectation.

CMS is signaling that future interoperability depends on shared infrastructure capabilities, including:

• Trusted digital identity and patient matching
• Scalable security and partner onboarding
• Computable, portable consent
• Authoritative directories for endpoint discovery

These are not features of a single application. They are ecosystem functions.

For states, this means success is no longer measured by whether a single system goes live, but by whether multiple programs can reuse the same trust and exchange foundations.