T1.1: Implements Consent Policy Decisions

Knowledge Review - HealthShare UCR Implementation and Customization Specialist

1. Consent Policy Hierarchy

Key Points

  • Three-tier hierarchy: System-level, facility-level, and patient-level consent policies
  • Cascade behavior: Lower levels inherit from higher levels unless explicitly overridden
  • System-level: Establishes the federation-wide default consent posture
  • Facility-level: Overrides system defaults for a specific facility
  • Patient-level: Highest precedence, overrides both system and facility policies
  • Override direction: Patient > Facility > System (most specific wins)

Detailed Notes

Overview

HealthShare Unified Care Record uses a three-tier consent policy hierarchy to control access to patient data across the federation. This hierarchy ensures that organizations can define broad default policies while accommodating exceptions at the facility and individual patient levels. The hierarchy cascades downward, meaning that higher-level policies serve as defaults that can be overridden by more specific lower-level policies.

How Cascading Works

When a clinician attempts to access patient data, UCR evaluates consent policies starting from the most specific level: 1. If a patient-level consent policy exists, it is used regardless of facility or system settings 2. If no patient-level policy exists, the system checks for a facility-level policy 3. If no facility-level policy exists, the system-wide default applies 4. At each level, both MPI consent and clinical consent are evaluated independently

Practical Implications

  • A system-wide opt-out policy means all patients are visible by default across the federation
  • A facility override to opt-in for a behavioral health clinic restricts visibility for patients at that facility
  • A patient who explicitly consents to sharing overrides the facility-level restriction
  • Administrators must understand the effective consent at each level to troubleshoot access issues

Configuration Location

All consent policies are configured through the HealthShare Management Portal on the Registry (Hub) namespace. The consent management pages provide interfaces for creating and editing policies at each level of the hierarchy.

---

Documentation References

2. Configuring System-Level Consent

Key Points

  • Default consent mode: Choose between opt-in and opt-out at the system level
  • Opt-in: Patient data is restricted by default; explicit consent required to share
  • Opt-out: Patient data is shared by default; explicit action required to restrict
  • MPI and clinical: System-level consent configures both MPI visibility and clinical data access
  • Baseline posture: Determines behavior when no more specific consent exists

Detailed Notes

Overview

System-level consent is the broadest setting in the consent hierarchy and defines the default consent posture for the entire federation. This is the first consent decision an organization must make during UCR deployment, as it affects every patient and every facility unless overridden.

Opt-In vs Opt-Out

The fundamental system-level decision is the consent model:

  • Opt-in model: All patient data is restricted by default. No data is shared across the federation until explicit consent is obtained from the patient. This provides maximum privacy protection but requires robust consent collection workflows.
  • Opt-out model: All patient data is shared across the federation by default. Patients must actively request restrictions on their data. This enables immediate data sharing and supports care coordination but requires clear patient notification.

Configuring System-Level Consent

Configuration is performed through the Registry Management Portal:

  • Navigate to HealthShare > Registry Management > Consent Management
  • Configure MPI consent: choose the default MPI consent mode (opt-in or opt-out) to control whether patients appear in cross-facility searches by default
  • Configure clinical consent: choose the default clinical consent mode and optionally define default CIT restrictions
  • The system-level setting applies to all facilities and patients unless overridden

Regulatory Considerations

  • Some jurisdictions mandate opt-in for health information exchanges
  • HIPAA permits both models with appropriate safeguards
  • 42 CFR Part 2 requires explicit patient consent for substance abuse treatment records regardless of the system model

---

Documentation References

3. Facility and Patient Consent

Key Points

  • Facility overrides: Allow specific facilities to have different consent rules than the system default
  • Use cases: Behavioral health clinics, facilities in different regulatory jurisdictions
  • Patient consent records: Individual patient preferences that take highest precedence
  • General vs facility-specific: Patient consent can apply broadly or to a specific facility
  • Consent collection: Patient consent can be recorded manually or imported from external systems

Detailed Notes

Facility-Specific Consent

Facility-level consent overrides allow organizations to accommodate facilities with different privacy requirements:

  • A behavioral health facility may require opt-in consent even when the system default is opt-out
  • A facility in a state with stricter privacy laws can enforce tighter consent rules
  • Each facility override is linked to the facility's identifier in the system registry
  • Facility overrides can be set for MPI consent, clinical consent, or both independently

Creating Facility Consent Policies

To create a facility-level consent policy:

  • Navigate to Consent Management in the Registry Management Portal
  • Select the target facility from the facility registry
  • Define the MPI consent override (if different from system default)
  • Define the clinical consent override (if different from system default)
  • Specify any CIT-level restrictions specific to this facility

Patient-Level Consent Records

Patient-level consent provides the most granular control:

  • General patient consent: Applies to the patient across all facilities in the federation
  • Facility-specific patient consent: Applies only to the patient's data at a designated facility
  • Patient consent takes the highest precedence in the hierarchy
  • Can be recorded through the Management Portal, consent collection workflows, or XACML import

---

Documentation References

4. Consent Groups

Key Points

  • Purpose: Organize clinicians into groups that share common consent access permissions
  • Group creation: Defined in the Registry Management Portal under Consent Management
  • User assignment: Clinicians are assigned to one or more consent groups
  • Group-based access: Consent policies can grant or restrict access based on group membership
  • Hierarchical: Groups can be nested with parent-child inheritance

Detailed Notes

Overview

Consent groups are a mechanism for organizing clinicians into logical groupings that share common consent access permissions. Instead of defining consent rules for individual clinicians, administrators create groups and assign clinicians to them. Consent policies then reference these groups to determine who can access what data.

Creating Consent Groups

To create a consent group:

  • Navigate to HealthShare > Registry Management > Consent Management > Consent Groups
  • Click "Create New Group"
  • Provide a group name and description
  • Define the group's scope and purpose (e.g., "Emergency Department Staff", "Primary Care Physicians")
  • Optionally assign the group as a child of an existing parent group

Assigning Users to Consent Groups

Clinicians are assigned to consent groups through:

  • The Consent Group management interface in the Management Portal
  • Selecting individual clinicians from the clinician registry and adding them to groups
  • Bulk assignment using task-based workflows (see Section 8)
  • Integration with external identity management systems

How Consent Groups Affect Access

When a consent policy references a consent group:

  • Members of the group receive the access permissions defined in the policy
  • Non-members are not affected by the group-specific policy
  • A clinician can belong to multiple groups; all applicable group policies are evaluated
  • Group membership is checked at query time, so changes take effect immediately

Group Hierarchy

Consent groups support hierarchical organization:

  • A parent group can contain child groups
  • Child group members inherit the consent access of the parent group
  • Child groups can have additional or more restrictive consent rules
  • The hierarchy allows broad groups (e.g., "All Clinicians") with specialized subgroups (e.g., "Behavioral Health Clinicians")

---

Documentation References

5. Clinical Information Qualifiers and Rules

Key Points

  • Qualifiers: Attributes that add dimensions to consent decisions (role, purpose, time)
  • Information types: Categories of clinical data (diagnoses, labs, medications) used in consent rules
  • Rules engine: Evaluates qualifiers and information types to determine data visibility
  • CIT mapping: Clinical Information Types map to SDA streamlet categories
  • Rule priority: Rules are evaluated in priority order; first match determines the outcome

Detailed Notes

Clinical Information Qualifiers

Qualifiers refine consent decisions beyond simple allow/deny:

  • Role-based qualifiers: Consent varies based on the clinician's role (physician, nurse, admin)
  • Purpose-based qualifiers: Consent varies based on access purpose (treatment, payment, research)
  • Time-based qualifiers: Consent has effective date ranges and can expire automatically
  • Facility-based qualifiers: Consent further refined by the facility context of the request

Configuring Qualifiers

To configure clinical information qualifiers:

  • Navigate to Consent Management > Clinical Information Qualifiers
  • Create qualifier definitions specifying the qualifier type and valid values
  • Associate qualifiers with consent policies to add contextual conditions
  • Qualifiers are evaluated against the requesting clinician's attributes at query time

Clinical Information Types (CITs)

CITs categorize clinical data for granular consent control:

  • Each CIT represents a category of clinical information (e.g., Medications, Lab Results, Mental Health)
  • CITs are mapped to SDA streamlet types so the system knows which data belongs to which category
  • Consent policies can reference CITs to allow or deny specific categories independently
  • Common sensitive CITs include: Behavioral Health, Substance Abuse, HIV/AIDS, Reproductive Health

The Consent Rules Engine

The rules engine evaluates consent decisions dynamically: 1. Identify the clinical data being requested and its CIT classification 2. Retrieve applicable consent policies for the patient, facility, and system levels 3. Evaluate qualifiers against the requesting clinician's context 4. Apply rules in priority order; the first matching rule determines visibility 5. If no rule matches, the default consent behavior applies

Creating Consent Rules

To create a consent rule:

  • Navigate to Consent Management > Clinical Information Rules
  • Define the target CIT, conditions, action (show/hide), and priority
  • Associate the rule with the appropriate consent level
  • Test the rule with representative scenarios to verify expected behavior

---

Documentation References

6. Consent Options Configuration

Key Points

  • Consent options: Define the choices available when recording patient consent
  • Option types: Categorize consent options (e.g., share all, share partial, deny all)
  • Default options: Pre-selected consent choices applied when no explicit patient choice exists
  • Customizable: Organizations can define custom consent options matching their policies
  • User interface: Consent options appear in consent collection forms and management screens

Detailed Notes

Overview

Consent options define the set of choices available when recording a patient's consent preferences. They provide a structured way to capture patient consent decisions and map those decisions to the underlying consent policy framework.

Consent Option Types

UCR supports configurable consent option types:

  • Share All: Patient consents to sharing all clinical data across the federation
  • Share Partial: Patient consents to sharing some data categories but restricts others
  • Deny All: Patient denies sharing of all clinical data
  • Facility-Specific Share: Patient consents to sharing data from specific facilities only
  • Category-Specific: Patient consents or denies based on clinical information categories (CITs)

Configuring Consent Options

To configure consent options:

  • Navigate to HealthShare > Registry Management > Consent Management > Consent Options
  • Define the available consent option types for the organization
  • Configure which CITs each option type affects
  • Set the mapping between consent options and the underlying consent policy actions
  • Define the presentation order for consent collection forms

Default Consent Options

Default options determine what happens when no explicit patient consent has been recorded:

  • The default option aligns with the system-level consent model (opt-in or opt-out)
  • In opt-out mode, the default option is typically "Share All"
  • In opt-in mode, the default option is typically "Deny All"
  • Default options can be overridden at the facility level

Integration with Consent Collection

Consent options integrate with consent collection workflows:

  • Consent coordinators see the configured options when recording patient preferences
  • Patient portals can present consent options for self-service consent management
  • Imported consent documents are mapped to the configured consent option types
  • Audit trails record which consent option was selected and when

---

Documentation References

7. Break the Glass

Key Points

  • Purpose: Emergency access to patient data that would otherwise be restricted by consent
  • Trigger: Clinician declares an emergency need and overrides consent restrictions
  • Audit trail: All BTG events are logged with enhanced audit detail
  • Reason required: Clinician must provide a reason for the override
  • Configuration: BTG settings control who can trigger it, what data is accessible, and audit behavior

Detailed Notes

Overview

Break the Glass (BTG) is an emergency override mechanism that allows authorized clinicians to access patient data that is normally restricted by consent policies. BTG is essential for patient safety in emergency situations where consent cannot be obtained in time, but it must be carefully controlled and audited to prevent misuse.

When BTG Is Triggered

BTG is triggered when:

  • A clinician searches for a patient whose MPI consent denies visibility
  • A clinician attempts to view clinical data restricted by clinical consent or CIT rules
  • The system presents a BTG prompt instead of silently denying access
  • The clinician chooses to override the restriction by declaring an emergency

Configuring BTG Settings

BTG configuration includes:

  • Enabled/disabled: BTG can be enabled or disabled at the system level
  • Authorized roles: Define which clinician roles are permitted to invoke BTG
  • Required fields: Configure what information the clinician must provide (reason, patient relationship, emergency type)
  • Data scope: Define what data becomes accessible during a BTG event (all data, specific CITs, time-limited access)
  • Duration: Configure how long the BTG override remains active before the clinician must re-authenticate

Configuring BTG in the Management Portal

To configure BTG:

  • Navigate to HealthShare > Registry Management > Consent Management > Break the Glass
  • Enable or disable BTG for the federation
  • Define the authorized roles that can invoke BTG
  • Configure the required reason codes and free-text fields
  • Set the BTG duration and data scope parameters
  • Configure audit notification settings

Auditing BTG Events

BTG events generate enhanced audit records:

  • The clinician's identity, role, and location are recorded
  • The reason provided for the override is stored
  • The patient whose data was accessed is identified
  • The specific data viewed during the BTG session is logged
  • Audit records are flagged for review by compliance officers
  • Automated notifications can be sent to privacy officers when BTG is invoked

Best Practices

  • Regularly review BTG audit logs for potential misuse
  • Limit BTG to roles that genuinely need emergency access (e.g., emergency physicians)
  • Require meaningful reason codes rather than generic "emergency" selections
  • Implement post-hoc review processes with accountability for inappropriate BTG use
  • Test BTG scenarios during implementation to verify correct behavior

---

Documentation References

8. Managing Consent Groups with Tasks

Key Points

  • Task-based management: Perform bulk consent group operations through task workflows
  • Bulk assignment: Add or remove multiple clinicians from consent groups in a single operation
  • Scheduled tasks: Automate consent group updates on a schedule
  • Import integration: Tasks can process external files to update group membership
  • Audit compliance: Tasks generate audit records for all group membership changes

Detailed Notes

Overview

Managing consent groups individually through the Management Portal is practical for small numbers of clinicians, but organizations with large numbers of users need efficient bulk management capabilities. UCR provides task-based workflows that enable administrators to perform consent group operations at scale.

Task-Based Consent Group Operations

Available task operations include:

  • Bulk add to group: Add multiple clinicians to a consent group from a list or file
  • Bulk remove from group: Remove multiple clinicians from a consent group
  • Group transfer: Move clinicians from one group to another
  • Group synchronization: Synchronize group membership with an external directory or identity system
  • Group cleanup: Remove inactive or deactivated clinicians from groups

Creating and Running Tasks

To create a consent group management task:

  • Navigate to HealthShare > Registry Management > Tasks
  • Select the consent group task type
  • Configure the task parameters (target group, operation type, clinician list or source)
  • Optionally schedule the task for automatic execution
  • Run the task manually or wait for the scheduled execution

Bulk Operations and Scheduling

Tasks support file-based bulk operations and automation:

  • Upload CSV files containing clinician identifiers for bulk add/remove operations
  • Schedule recurring tasks to synchronize group membership with external systems
  • Automate group updates when new clinicians are registered or deactivated
  • All task-based changes are audited with the task identifier, administrator, and timestamp

---

Documentation References

Exam Preparation Summary

Critical Concepts to Master:

  1. Three-tier hierarchy: System > Facility > Patient, with patient-level taking highest precedence
  2. Opt-in vs opt-out: System-level decision that establishes the federation-wide default consent posture
  3. Consent groups: Organize clinicians for group-based consent access; support hierarchical nesting
  4. User assignment: Clinicians assigned to consent groups through the Management Portal or bulk tasks
  5. Clinical information qualifiers: Role, purpose, and time-based refinements to consent decisions
  6. CITs and rules: Categorize clinical data for granular consent; rules engine evaluates in priority order
  7. Consent options: Structured choices for recording patient consent preferences with configurable defaults
  8. Break the Glass: Emergency override with mandatory auditing, reason codes, and authorized role restrictions
  9. Task-based management: Bulk consent group operations through scheduled or on-demand task workflows

Common Exam Scenarios:

  • Determining effective consent when system, facility, and patient policies conflict
  • Choosing the correct consent model (opt-in/opt-out) for a regulatory scenario
  • Creating consent groups and assigning clinicians for department-based access
  • Configuring CITs for sensitive data categories and building consent rules
  • Setting up BTG with appropriate roles, reason codes, and audit settings
  • Using tasks to bulk-manage consent group membership for large organizations
  • Understanding which consent option type maps to which underlying policy behavior

Hands-On Practice Recommendations:

  • Create consent policies at all three levels and observe the cascade behavior
  • Build consent groups with parent-child hierarchy and verify inheritance
  • Configure CITs and consent rules, then test data visibility with different clinician roles
  • Set up BTG and walk through the emergency override workflow end-to-end
  • Create a task to bulk-assign clinicians to a consent group and verify audit records
  • Export and import consent policies between environments to understand migration workflows

Report an Issue