HIT Perspectives
HIT Perspectives – February 2025
Why Now Is the Time to Solve Consent Management in Healthcare
By Janice Reese, Senior Consultant, Program Manager of the FHIR at Scale Taskforce (FAST)
Quick Summary
- Patients Need Control – Trust in healthcare depends on patients managing who accesses their sensitive data.
- Fragmented Systems Create Barriers – Siloed data, inconsistent regulations, and lack of user-friendly tools complicate consent management.
- Sensitive Data Requires Extra Care – Behavioral health, reproductive health, and HIV/AIDS data have strict privacy rules that vary by state.
- Policy Changes Are Driving Action – CMS rules, TEFCA, and state laws are pushing consent management to the forefront.
- Interoperability Raises New Challenges – As data sharing expands, organizations struggle to align consent and identity verification.
- The Cost of Inaction is High – Noncompliance risks, operational inefficiencies, and lost patient trust impact all stakeholders.
- Industry Leaders Are Taking Charge – FAST and The Sequoia Project are advancing frameworks for scalable, computable consent.
- Now is the Time to Act – Organizations must engage in industry efforts, test new solutions, and implement better consent governance.
The ability for patients to control access to their sensitive health data is a cornerstone of trust in the modern healthcare system. Yet, consent management remains one of the most complex and fragmented challenges in healthcare information technology (health IT). Patients deserve confidence that their consent preferences are honored across the care continuum, enabling them to share, revoke or adjust access to their data at a detailed level. Achieving this requires a scalable, standardized approach. Now is the time for the healthcare industry to collaborate and address these barriers together.
The Complexity of Consent Management
Consent management in healthcare is fraught with challenges stemming from fragmented systems, regulatory hurdles and gaps in patient engagement. Healthcare data are often siloed across incompatible systems such as electronic health records (EHRs), payer platforms and third-party applications. The situation is further complicated by a patchwork of regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and 42 Code of Federal Regulations (CFR) Part 2. While some of these regulations support granular consent, most implementations remain at a broad opt-in/opt-out level, creating inconsistencies and compliance challenges.
Adding to these difficulties, patients increasingly expect healthcare to offer user-friendly consent tools like those in other industries. However, the lack of such tools, combined with workflow integration issues and resource constraints, puts additional pressure on providers and payers to improve consent management.
Managing Sensitive Data
Consent management becomes even more complex when addressing sensitive data categories that require additional privacy protections and permissions. The following are examples of areas requiring special consideration.
Behavioral Health Data: Substance use disorder treatment records are governed by the Substance Abuse and Mental Health Services Administration’s (SAMHSA’s) 42 CFR Part 2, which mandates explicit patient consent for most disclosures. State-level variations further complicate sharing across Medicaid organizations and multistate health information exchanges (HIEs).
Reproductive Health Data: State laws on privacy protections for reproductive health vary widely, especially following recent legislative changes in states like Idaho, Indiana, Kentucky and Louisiana, which have enacted some of the most restrictive abortion laws.
HIV/AIDS Information: Many states require explicit consent for HIV/AIDS data sharing, often exceeding HIPAA requirements, complicating compliance for Medicaid managed care organizations and providers.
Adolescent Care: Rules on parental consent and minor autonomy differ significantly across states, particularly regarding mental health, reproductive health and substance use treatment.
The inability of simple opt-in/opt-out frameworks to account for these complexities highlights the need for adaptable systems. Effective consent management must address state-level variations, support nuanced patient preferences and maintain compliance while enabling interoperability across the healthcare system.
Drivers Shifting Consent Management to the Forefront
Consent management issues have grown in urgency over the past few years. In 2021, Point-of-Care Partners (POCP) contributed to a Stewards of Change Institute whitepaper entitled “Modernizing Consent to Support Health and Equity.” Even then, the whitepaper highlighted the fragmented state of consent management in American healthcare and human services, calling for standardized, technology-driven frameworks to improve interoperability, privacy and compliance across sectors. A change of this size requires critical drivers pushing stakeholders to prioritize the investments needed to transform consent management infrastructure. While the moment may have been premature in 2021, pivotal elements now seem to be converging to bring this work to the forefront. Let’s explore these drivers.
Policy and Regulatory Evolution
Several policies issued last year, including the Centers for Medicare and Medicaid Services’ (CMS) Interoperability and Prior Authorization final rule (CMS-0057-F), include components with requirements for patient consent. While policies are better coordinated than in the past, complexities and variances within them may create challenges. For example, some provisions require opt-in and others opt-out, while leaving the door open to more granular consent.
In addition to federal policy, a patchwork of state laws may not completely align with federal rules, further complicating the approach to consent. For example, many states mandate explicit patient consent for sharing HIV/AIDS-related data exceeding federal requirements, but the variances can also be found in adolescent health services and many other areas.
Another policy-based driver is the Trusted Exchange Framework and Common Agreement (TEFCA) going operational. As participants begin exchanging data and flexing the new framework, issues with consent management across organizations become more apparent.
Patient Empowerment
Patients are demanding greater control over their healthcare data and the federal health IT roadmap places patient empowerment high on the priority list. Traditional opt-in/opt-out models are not granular enough to meet patient expectations. They increasingly expect real-time tools to manage consent across systems and stakeholders, from individual providers to insurers and third-party applications. This shift requires a more dynamic and integrated approach to consent management that ties permissions to verifiable identities and provides patients a clearer understanding of the impacts of consent and their control over exceptions or restrictions.
Interoperability and Ecosystem Complexity
As the healthcare system expands, managing consent across interconnected systems grows more challenging:
- Health plans, providers and HIEs must navigate fragmented processes that lack interoperability. For example, organizations like the New York HIE are prioritizing consent management due to rising security risks and privacy breaches.
- TEFCA and similar frameworks encourage broader data sharing, but participating organizations often encounter gaps in aligning consent and identity management across jurisdictions and workflows.
- Security and privacy risks are on the rise, and weak or inconsistent consent mechanisms leave organizations vulnerable to breaches and improper disclosures. Ensuring data privacy alongside interoperability is crucial because high-profile breaches have been eroding trust in HIEs.
The Cost of Inaction
Healthcare organizations that deprioritize consent management risk falling behind in regulatory compliance, operational efficiency and patient satisfaction:
- Failing to implement consent frameworks that support granular data control and identity verification increases the likelihood of noncompliance with federal and state regulations.
- Organizations without dynamic consent tools may struggle to participate in interoperability initiatives like TEFCA, potentially losing out on partnerships and reimbursement opportunities.
These drivers are moving the healthcare industry to create a unified approach to consent management that supports patient empowerment, regulatory compliance and operational efficiency. The next section will explore collaborative efforts already underway and actionable steps to help your organization adapt.
Industry Collaborations Leading the Charge on Consent Management
Several initiatives are already laying groundwork for developing standards and frameworks that align identity, privacy and consent management across the healthcare system. These efforts are critical to creating scalable solutions that balance patient empowerment with operational and regulatory requirements.
FAST: Building Infrastructure for Consent
The FHIR at Scale Taskforce (FAST), a Health Level 7 (HL7®) Fast Healthcare Interoperability Resources (FHIR) accelerator, plays a pivotal role in advancing interoperability by focusing on such foundational infrastructure components as security, identity and consent management. Recognizing that effective consent management relies on secure and federated identity verification, FAST is working to:
- Standardize Security, Identity and Consent Frameworks:
- FAST already has mature, well-tested implementation guides (IGs) related to security and identity. Both focus areas are critical to consent management.
- FAST is currently developing a consent IG outlining ways consent can be captured, updated and shared electronically in real time across organizational boundaries or jurisdictions. These frameworks enable granular consent management, allowing patients to designate specific data types and uses for sharing.
- The FAST consent IG does not cover enforcement, an area the industry or policymakers will need to address.
- Enable System Connectivity: FAST solutions align with broader interoperability goals, including TEFCA and United States Core Data for Interoperability (USCDI+), so that consent preferences can be portable and consistently honored across qualified health information networks (QHINs) and other stakeholders.
- Support Compliance and Security: By incorporating controls such as encryption, tokenization and audit trails, FAST’s guidance supports data security while aligning with evolving regulatory frameworks such as HIPAA, TEFCA and the CMS interoperability rules.
FAST is essential for creating infrastructure that supports seamless consent management across systems, empowering patients to control their data while enabling providers and payers to honor those preferences securely and efficiently.
The Sequoia Project: Tackling Privacy and Consent Challenges
The Sequoia Project, a nonprofit organization dedicated to advancing health information exchange, has established its Privacy and Consent Workgroup to address the complexities of managing consent in today’s regulatory and technological environment. Key efforts include:
- Community of Practice: The workgroup facilitates collaboration among industry leaders, fostering exchange of best practices and lessons learned in privacy and consent management.
- Development of Computable Consent Models: By creating technical specifications for consent in machine-readable formats, the Sequoia Project is driving adoption of interoperable consent solutions that support both patient preferences and legal requirements.
- Recognized Coordinating Entity (RCE) for TEFCA: As the TEFCA RCE, the Sequoia Project is aligning privacy and consent management standards across HIEs, payers and providers to create a unified approach to sensitive data sharing.
A recently published whitepaper from the workgroup outlines key challenges, evaluates existing solutions and provides a roadmap for advancing consent management in health IT. Stakeholders are encouraged to review the whitepaper and submit feedback by February 21 via the Sequoia Project’s feedback form: https://sequoiaproject.org/interoperability-matters/privacy-consent-workgroup-whitepaper-feedback/.
Bridging Gaps Between Initiatives
While initiatives like FAST and the Sequoia Project are advancing critical components of consent management, alignment and collaboration between these efforts are essential. For example:
- FAST’s work on identity and consent infrastructure provides the technical foundation needed to support operational frameworks being developed by the Sequoia Project.
- Regular touchpoints between FAST and the Sequoia Project help ensure technical solutions and policy guidance are harmonized, avoiding the pitfalls of fragmented development.
Further collaboration between these groups and other industry organizations is essential, and more stakeholders are needed to come to the table and share their perspectives on use cases and ideas for solutions.
Leveraging Standards, Open-Source Tools and Pilots to Advance Consent Management
Building a scalable and effective consent management framework is no longer a theoretical goal but a practical necessity. As the industry moves from simple opt-in/opt-out models to computable consent at a granular level, emerging standards, tools and pilot implementations offer a clear pathway forward. These solutions demonstrate how technology can support regulatory compliance, interoperability and patient empowerment.
Industry Standards Enabling Granular Consent
Key standards are transforming how the healthcare industry approaches consent management. The following are examples already in use supporting patients' ability to specify exceptions and restrictions when opting in or out of sharing their data.
- FHIR APIs: FHIR APIs offer better support for granular consent management because a client can request and receive individual, coded data elements as well as bulk exports, so access decisions can be made per data element rather than per record. As mentioned earlier, FAST is currently building a consent IG.
- FHIR Consent Resource: HL7 created the FHIR consent resource which provides a standardized way to represent, manage and exchange consent electronically. Enabling machine-readable, computable consent supports granular controls, allowing patients to specify which data elements can be shared, with whom and under what conditions.
- Integrating the Healthcare Enterprise (IHE) Privacy Consent on FHIR (PCF): This emerging IHE profile supports patient privacy consents and access control for FHIR-based document-sharing HIEs, including profiling of the Consent resource and of OAuth access tokens. FAST’s consent IG acknowledges existing standards like FHIR Core and IHE PCF but identifies gaps in guidance for complex consent scenarios. By aligning with IHE profiles like PCF, FAST aims to improve scalability and interoperability in consent management.
- TEFCA: TEFCA is incorporating requirements for consent and interoperability for participants but has not yet been prescriptive about exact standards or protocols. The goal is that patient preferences are consistently honored across QHINs.
- NIST Guidelines: The National Institute of Standards and Technology (NIST) provides resources like SP 800-63 (digital identity guidelines) and SP 800-53 (security and privacy controls) to help organizations implement secure identity verification and privacy protections that align with consent requirements.
These standards provide the backbone for interoperable, patient-centered consent management systems.
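To make “computable consent” concrete, the following is an added example (not code from the page, from FAST, HL7 or IHE): a constructed FHIR R4 Consent resource in which the patient permits sharing for treatment but denies release of substance-use (ETH-labelled) data except to one named clinic, together with a small evaluator that decides whether a given access request is permitted. The evaluation rule follows the FHIR R4 Consent model (the root provision is the base rule; nested provisions are exceptions, and the deepest matching one wins), and the code systems used (v3-ActReason TREAT, v3-ActCode ETH, consentscope patient-privacy) are standard HL7 terminology. The organization identifiers, the request dictionary shape and the function names are assumptions made for this example. The evaluator is deny-by-default: a revoked consent, an expired period, an unlisted purpose or an unlisted recipient all yield “deny”, which is the check a practitioner should insist on before an enforcement point releases anything.

```python
"""Evaluate a FHIR R4 Consent resource against an access request (deny by default)."""
from datetime import datetime, timezone

# Constructed sample Consent resource. Organization/behavioral-clinic-17 and
# Patient/example are placeholders for this example, not real identifiers.
SAMPLE_CONSENT = {
    "resourceType": "Consent",
    "id": "example-consent",
    "status": "active",
    "scope": {"coding": [{"system": "http://terminology.hl7.org/CodeSystem/consentscope",
                          "code": "patient-privacy"}]},
    "category": [{"coding": [{"system": "http://loinc.org", "code": "59284-0"}]}],
    "patient": {"reference": "Patient/example"},
    "dateTime": "2025-01-15T09:00:00Z",
    "provision": {
        # Base rule: permit disclosure for treatment during the stated period.
        "type": "permit",
        "period": {"start": "2025-01-15T00:00:00Z", "end": "2026-01-15T00:00:00Z"},
        "purpose": [{"system": "http://terminology.hl7.org/CodeSystem/v3-ActReason", "code": "TREAT"}],
        "provision": [
            {
                # Exception: never release substance-use (ETH) labelled data ...
                "type": "deny",
                "securityLabel": [{"system": "http://terminology.hl7.org/CodeSystem/v3-ActCode", "code": "ETH"}],
                "provision": [
                    {
                        # ... except to this one information recipient.
                        "type": "permit",
                        "actor": [{"role": {"coding": [{"system": "http://terminology.hl7.org/CodeSystem/v3-ParticipationType",
                                                        "code": "IRCP"}]},
                                   "reference": {"reference": "Organization/behavioral-clinic-17"}}],
                    }
                ],
            }
        ],
    },
}


def _parse(ts):
    """FHIR instants are ISO 8601; normalize a trailing 'Z' for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _codes(codings):
    return {c.get("code") for c in codings}


def _provision_applies(prov, request, at):
    """True when every constraint the provision states is satisfied by the request."""
    period = prov.get("period")
    if period:
        if "start" in period and at < _parse(period["start"]):
            return False
        if "end" in period and at > _parse(period["end"]):
            return False
    if "purpose" in prov and request.get("purpose") not in _codes(prov["purpose"]):
        return False
    if "actor" in prov:
        allowed = {a["reference"]["reference"] for a in prov["actor"]}
        if request.get("actor") not in allowed:
            return False
    if "securityLabel" in prov:
        # The provision governs data carrying any of its labels.
        if not set(request.get("labels", [])) & _codes(prov["securityLabel"]):
            return False
    return True


def _decide(prov, request, at):
    """Root provision is the base rule; nested provisions are exceptions; deepest match wins."""
    if not _provision_applies(prov, request, at):
        return None
    decision = prov.get("type")
    for child in prov.get("provision", []):
        nested = _decide(child, request, at)
        if nested is not None:
            decision = nested
    return decision


def evaluate_consent(consent, request, at=None):
    """Return 'permit' or 'deny' for a request such as
    {"actor": "Organization/x", "purpose": "TREAT", "labels": ["N"]}.
    `at` is an ISO 8601 instant (defaults to now). Anything not explicitly
    permitted by an active Consent is denied."""
    when = _parse(at) if at else datetime.now(timezone.utc)
    if consent.get("resourceType") != "Consent" or consent.get("status") != "active":
        return "deny"  # draft, rejected or revoked (inactive) consents grant nothing
    root = consent.get("provision")
    if not root:
        return "deny"
    return "permit" if _decide(root, request, when) == "permit" else "deny"


if __name__ == "__main__":
    req = {"actor": "Organization/general-hospital-3", "purpose": "TREAT", "labels": ["ETH"]}
    print(evaluate_consent(SAMPLE_CONSENT, req, "2025-06-01T12:00:00Z"))
```

Note what the evaluator deliberately does not do: it never infers a permit from silence, it treats a consent that is inactive or outside its period as if it did not exist, and a request touching data with a restricted label is governed by the most specific matching exception rather than by the broad opt-in. As the page notes, the FAST consent IG does not cover enforcement, so a decision function like this still has to be wired into the access layer (for example, consulted before a FHIR server or HIE releases a bundle) to have any effect.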
Pilots and Implementations: Learning from Experience
Several initiatives provide valuable insights into how granular consent can work in real-world settings and inform further pilot activities:
- ASTP Leap Consent Project: This Assistant Secretary for Technology Policy (ASTP) initiative demonstrates use of the FHIR consent resource for computable consent in research and clinical contexts, showing how patient preferences could be encoded and enforced across systems.
- eHealth Exchange and CommonWell Health Alliance: These organizations are promoting interoperability and large-scale consent mechanisms, including pilots to test computable consent models in diverse healthcare settings.
Opt Out of Being Last to Market
Keeping pace with coming changes in consent management requires a proactive approach. Organizations can tackle their own challenges while driving industrywide progress by engaging with existing efforts and fostering collaboration.
Join Industry Initiatives
- Participate in FAST Public Calls or Join as a Member: Stay informed and contribute to FAST’s work on consent and identity standards.
- Join the Sequoia Project’s Privacy and Consent Workgroup: Engage with its Community of Practice, provide feedback on resources and contribute to computable consent development.
Engage in Testing and Pilots
- Connectathons: Test consent solutions in real-world scenarios through FHIR Connectathons and similar events.
- State, Regional or National Pilots: Collaborate on consent management pilots, particularly in states with complex privacy laws or federal pilots working across states.
Build Partnerships and Lead Change
- Partner and Advocate: Work with industry groups to align standards, address regulatory gaps and support policy updates.
- Map Workflows and Educate Teams: Audit internal processes, test new tools and ensure teams are trained on consent management best practices.
All aspects of the healthcare system revolve around patient care, and providing consent management options that meet patients’ expectations improves outcomes while bringing a real competitive advantage. Organizations can look to industry groups for guidance, collaborate with initiatives like FAST and the Sequoia Project and participate in pilots as vital steps toward developing scalable, patient-centered solutions. However, prioritizing resources and implementing these frameworks effectively requires a strategic approach.
Point-of-Care Partners (POCP) can help map your current consent workflows, define ideal processes and identify which implementation guides are ready to use versus still in development. We’ll help you prioritize efforts to make the biggest impact with limited resources.
Why wait to see how technology and regulations will change consent requirements? Contact POCP to start now.