{"id":"357f1385-127c-4309-b7cf-b7991bc99251","task":"Enforce patient Consent resource policies for data sharing restrictions in a FHIR server","domain":"hl7.org/fhir/R4","steps":["Create Consent resources for each patient that define the scope of permitted data sharing, referencing the relevant policy (e.g., an organizational privacy notice) in Consent.policyRule","Implement a consent enforcement layer in the FHIR server's authorization pipeline that evaluates Consent.provision rules before returning resources","Model opt-out vs opt-in using Consent.provision.type (permit or deny) and scope resource types or data categories using provision.class or provision.code","When a query matches a denied provision, return an empty search result set or HTTP 403 rather than the actual resource, depending on policy","Audit consent decision outcomes in AuditEvent resources linked to the relevant Consent instance"],"gotchas":["FHIR Consent is a data model for expressing consent; it does not enforce itself — the enforcement logic must be implemented in the server middleware, not assumed to happen automatically","Consent.provision elements nest recursively; a top-level deny with a nested permit for a specific purpose is a valid pattern but requires careful traversal logic to evaluate correctly","Consent status must be 'active' for the provisions to apply; Consents in 'draft' or 'entered-in-error' status should not be enforced, but a server bug that enforces draft Consents can inadvertently block legitimate access"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/357f1385-127c-4309-b7cf-b7991bc99251"}