Basic Definition

Access policy communicates the limitations and/or requirements that define how a user may gain access to a particular set of data.

Access policy is limited to describing restrictions that respect the privacy and rights of the participants arising from consents, protocols, or other official documents. It should not be used to describe technical requirements for accessing data.

Access policy is defined using a standard set of codes, with one policy per set of codes that apply to a specified portion of the data. Each Access Policy element also includes a free text field that allows for further description of the policy and necessary steps for gaining access.

For Summary-only submissions, Access Policy elements should be included in order to describe the various data use limitations present in the dataset. For submissions which include data and/or participant records, Access Policy should be associated with the participants and data files to appropriately describe the applicable limitations.

Primary Profile Restrictions and Enhancements

• category must be assigned research.
• a meaningful description must be provided using the Access Policy Description extension.
• a provision.purpose must be defined for each distinct research constraint associated with this policy. These codes must be selected from the ValueSet representing the codes found in ResearchDataAccessCodes.
• For those policies that are disease specific, the code, DS, shall be used and must be accompanied by a properly defined Disease Use Limitation.

• Differential Table
• Key Elements Table
• Snapshot Table
• Statistics/References
• All

This structure is derived from Consent

Name	Flags	Card.	Type	Description & Constraints
Consent	C	0..*	Consent	A healthcare consumer's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time completed-consent-code: If category is DS then there must be a ResearchConsentDiseaseAbbreviation
Slices for extension		1..*	Extension	Extension Slice: Unordered, Open by value:url
description		0..1	markdown	Descriptive text summarizing the policy restrictions and other details associated with this access provision. URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-policy-description
accessType		1..1	CodeableConcept	Type of access restrictions on file downloads ( open | registered | controlled ) URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-type Binding: Research Data Access Type Codes (required)
website		0..1	url	URL describing the policy restrictions in detail. URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/research-web-Link
category		1..*	CodeableConcept	Classification of the consent statement - for indexing/retrieval Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/consentcategorycodes
code		1..1	code	Symbol in syntax defined by the system Fixed Value: research
display		1..1	string	Representation defined by the system Fixed Value: Research Information Access
provision
Slices for extension		0..*	Extension	Extension Slice: Unordered, Open by value:url
diseaseUseLimitation		0..1	CodeableConcept	Consent Code Disease Abbreviation URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/research-disease-use-limitation Binding: MeSH Terms (example)
purpose		0..*	Coding	Context of activities covered by this rule Binding: Research Data Access Codes (extensible)
Documentation for this format

Terminology Bindings (Differential)

Path	Conformance	ValueSet	URI
Consent.provision.purpose	extensible	ResearchDataAccessCodeVS (a valid code from Research Data Access Codes) https://nih-ncpi.github.io/ncpi-fhir-ig-2/ValueSet/research-data-access-code-vs from this IG

Constraints

Id	Grade	Path(s)	Details	Requirements
completed-consent-code	error	Consent	If category is DS then there must be a ResearchConsentDiseaseAbbreviation : provision.purpose.where(code = 'DS').empty() or provision.extension.where(url='https://nih-ncpi.github.io/ncpi-fhir-ig/StructureDefinition/research-disease-use-limitation').exists()

Name	Flags	Card.	Type	Description & Constraints
Consent	C	0..*	Consent	A healthcare consumer's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time ppc-1: Either a Policy or PolicyRule ppc-2: IF Scope=privacy, there must be a patient ppc-3: IF Scope=research, there must be a patient ppc-4: IF Scope=adr, there must be a patient ppc-5: IF Scope=treatment, there must be a patient completed-consent-code: If category is DS then there must be a ResearchConsentDiseaseAbbreviation
implicitRules	?!Σ	0..1	uri	A set of rules under which this content was created
Slices for extension		1..*	Extension	Extension Slice: Unordered, Open by value:url
description		0..1	markdown	Descriptive text summarizing the policy restrictions and other details associated with this access provision. URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-policy-description
accessType		1..1	CodeableConcept	Type of access restrictions on file downloads ( open | registered | controlled ) URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-type Binding: Research Data Access Type Codes (required)
website		0..1	url	URL describing the policy restrictions in detail. URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/research-web-Link
modifierExtension	?!	0..*	Extension	Extensions that cannot be ignored
status	?!Σ	1..1	code	draft | proposed | active | rejected | inactive | entered-in-error Binding: ConsentState (required): Indicates the state of the consent.
scope	?!Σ	1..1	CodeableConcept	Which of the four areas this resource covers (extensible) Binding: ConsentScopeCodes (extensible): The four anticipated uses for the Consent Resource.
category	Σ	1..*	CodeableConcept	Classification of the consent statement - for indexing/retrieval Binding: ConsentCategoryCodes (extensible): A classification of the type of consents found in a consent statement. Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/consentcategorycodes
code		1..1	code	Symbol in syntax defined by the system Fixed Value: research
display		1..1	string	Representation defined by the system Fixed Value: Research Information Access
Documentation for this format

Terminology Bindings

Path	Conformance	ValueSet / Code	URI
Consent.status	required	ConsentState http://hl7.org/fhir/ValueSet/consent-state-codes|4.3.0 from the FHIR Standard
Consent.scope	extensible	ConsentScopeCodes http://hl7.org/fhir/ValueSet/consent-scope from the FHIR Standard
Consent.category	extensible	Pattern: research("Research Information Access") http://hl7.org/fhir/ValueSet/consent-category from the FHIR Standard

Constraints

Id	Grade	Path(s)	Details	Requirements
completed-consent-code	error	Consent	If category is DS then there must be a ResearchConsentDiseaseAbbreviation : provision.purpose.where(code = 'DS').empty() or provision.extension.where(url='https://nih-ncpi.github.io/ncpi-fhir-ig/StructureDefinition/research-disease-use-limitation').exists()
dom-2	error	Consent	If the resource is contained in another resource, it SHALL NOT contain nested Resources : contained.contained.empty()
dom-3	error	Consent	If the resource is contained in another resource, it SHALL be referred to from elsewhere in the resource or SHALL refer to the containing resource : contained.where(((id.exists() and ('#'+id in (%resource.descendants().reference | %resource.descendants().as(canonical) | %resource.descendants().as(uri) | %resource.descendants().as(url)))) or descendants().where(reference = '#').exists() or descendants().where(as(canonical) = '#').exists() or descendants().where(as(uri) = '#').exists()).not()).trace('unmatched', id).empty()
dom-4	error	Consent	If a resource is contained in another resource, it SHALL NOT have a meta.versionId or a meta.lastUpdated : contained.meta.versionId.empty() and contained.meta.lastUpdated.empty()
dom-5	error	Consent	If a resource is contained in another resource, it SHALL NOT have a security label : contained.meta.security.empty()
dom-6	best practice	Consent	A resource should have narrative for robust management : text.`div`.exists()
ele-1	error	**ALL** elements	All FHIR elements must have a @value or children : hasValue() or (children().count() > id.count())
ext-1	error	**ALL** extensions	Must have either extensions or value[x], not both : extension.exists() != value.exists()
ppc-1	error	Consent	Either a Policy or PolicyRule : policy.exists() or policyRule.exists()
ppc-2	error	Consent	IF Scope=privacy, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='patient-privacy').exists().not()
ppc-3	error	Consent	IF Scope=research, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='research').exists().not()
ppc-4	error	Consent	IF Scope=adr, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='adr').exists().not()
ppc-5	error	Consent	IF Scope=treatment, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='treatment').exists().not()

Name	Flags	Card.	Type	Description & Constraints
Consent	C	0..*	Consent	A healthcare consumer's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time ppc-1: Either a Policy or PolicyRule ppc-2: IF Scope=privacy, there must be a patient ppc-3: IF Scope=research, there must be a patient ppc-4: IF Scope=adr, there must be a patient ppc-5: IF Scope=treatment, there must be a patient completed-consent-code: If category is DS then there must be a ResearchConsentDiseaseAbbreviation
id	Σ	0..1	id	Logical id of this artifact
meta	Σ	0..1	Meta	Metadata about the resource
implicitRules	?!Σ	0..1	uri	A set of rules under which this content was created
language		0..1	code	Language of the resource content Binding: CommonLanguages (preferred): IETF language tag Additional Bindings Purpose AllLanguages Max Binding
text		0..1	Narrative	Text summary of the resource, for human interpretation
contained		0..*	Resource	Contained, inline Resources dom-r4b: Containing new R4B resources within R4 resources may cause interoperability issues if instances are shared with R4 systems
Slices for extension		1..*	Extension	Extension Slice: Unordered, Open by value:url
description		0..1	markdown	Descriptive text summarizing the policy restrictions and other details associated with this access provision. URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-policy-description
accessType		1..1	CodeableConcept	Type of access restrictions on file downloads ( open | registered | controlled ) URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-type Binding: Research Data Access Type Codes (required)
website		0..1	url	URL describing the policy restrictions in detail. URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/research-web-Link
modifierExtension	?!	0..*	Extension	Extensions that cannot be ignored
identifier	Σ	0..*	Identifier	Identifier for this record (external references)
status	?!Σ	1..1	code	draft | proposed | active | rejected | inactive | entered-in-error Binding: ConsentState (required): Indicates the state of the consent.
scope	?!Σ	1..1	CodeableConcept	Which of the four areas this resource covers (extensible) Binding: ConsentScopeCodes (extensible): The four anticipated uses for the Consent Resource.
category	Σ	1..*	CodeableConcept	Classification of the consent statement - for indexing/retrieval Binding: ConsentCategoryCodes (extensible): A classification of the type of consents found in a consent statement. Required Pattern: At least the following
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/consentcategorycodes
version		0..1	string	Version of the system - if relevant
code		1..1	code	Symbol in syntax defined by the system Fixed Value: research
display		1..1	string	Representation defined by the system Fixed Value: Research Information Access
userSelected		0..1	boolean	If this coding was chosen directly by the user
text		0..1	string	Plain text representation of the concept
patient	Σ	0..1	Reference(Patient)	Who the consent applies to
dateTime	Σ	0..1	dateTime	When this Consent was created or indexed
performer	Σ	0..*	Reference(Organization | Patient | Practitioner | RelatedPerson | PractitionerRole)	Who is agreeing to the policy and rules
organization	Σ	0..*	Reference(Organization)	Custodian of the consent
source[x]	Σ	0..1		Source from which this consent is taken
sourceAttachment			Attachment
sourceReference			Reference(Consent | DocumentReference | Contract | QuestionnaireResponse)
policy		0..*	BackboneElement	Policies covered by this consent
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
authority	C	0..1	uri	Enforcement source for policy
uri	C	0..1	uri	Specific policy covered by this consent
policyRule	ΣC	0..1	CodeableConcept	Regulation that this consents to Binding: ConsentPolicyRuleCodes (extensible): Regulatory policy examples.
verification	Σ	0..*	BackboneElement	Consent Verified by patient or family
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
verified	Σ	1..1	boolean	Has been verified
verifiedWith		0..1	Reference(Patient | RelatedPerson)	Person who verified
verificationDate		0..1	dateTime	When consent verified
provision	Σ	0..1	BackboneElement	Constraints to the base Consent.policyRule
id		0..1	string	Unique id for inter-element referencing
Slices for extension		0..*	Extension	Extension Slice: Unordered, Open by value:url
diseaseUseLimitation		0..1	CodeableConcept	Consent Code Disease Abbreviation URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/research-disease-use-limitation Binding: MeSH Terms (example)
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
type	Σ	0..1	code	deny | permit Binding: ConsentProvisionType (required): How a rule statement is applied, such as adding additional consent or removing consent.
period	Σ	0..1	Period	Timeframe for this rule
actor		0..*	BackboneElement	Who|what controlled by this rule (or group, by role)
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
role		1..1	CodeableConcept	How the actor is involved Binding: SecurityRoleType (extensible): How an actor is involved in the consent considerations.
reference		1..1	Reference(Device | Group | CareTeam | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole)	Resource for the actor (or group, by role)
action	Σ	0..*	CodeableConcept	Actions controlled by this rule Binding: ConsentActionCodes (example): Detailed codes for the consent action.
securityLabel	Σ	0..*	Coding	Security Labels that define affected resources Binding: All Security Labels (extensible): Security Labels from the Healthcare Privacy and Security Classification System.
purpose	Σ	0..*	Coding	Context of activities covered by this rule Binding: Research Data Access Codes (extensible)
class	Σ	0..*	Coding	e.g. Resource Type, Profile, CDA, etc. Binding: ConsentContentClass (extensible): The class (type) of information a consent rule covers.
code	Σ	0..*	CodeableConcept	e.g. LOINC or SNOMED CT code, etc. in the content Binding: ConsentContentCodes (example): If this code is found in an instance, then the exception applies.
dataPeriod	Σ	0..1	Period	Timeframe for data controlled by this rule
data	Σ	0..*	BackboneElement	Data controlled by this rule
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
meaning	Σ	1..1	code	instance | related | dependents | authoredby Binding: ConsentDataMeaning (required): How a resource reference is interpreted when testing consent restrictions.
reference	Σ	1..1	Reference(Resource)	The actual data reference
provision		0..*	See provision (Consent)	Nested Exception Rules
Documentation for this format

Terminology Bindings

Path	Conformance	ValueSet / Code	URI
Consent.language	preferred	CommonLanguages Additional Bindings Purpose AllLanguages Max Binding http://hl7.org/fhir/ValueSet/languages from the FHIR Standard
Consent.status	required	ConsentState http://hl7.org/fhir/ValueSet/consent-state-codes|4.3.0 from the FHIR Standard
Consent.scope	extensible	ConsentScopeCodes http://hl7.org/fhir/ValueSet/consent-scope from the FHIR Standard
Consent.category	extensible	Pattern: research("Research Information Access") http://hl7.org/fhir/ValueSet/consent-category from the FHIR Standard
Consent.policyRule	extensible	ConsentPolicyRuleCodes http://hl7.org/fhir/ValueSet/consent-policy from the FHIR Standard
Consent.provision.type	required	ConsentProvisionType http://hl7.org/fhir/ValueSet/consent-provision-type|4.3.0 from the FHIR Standard
Consent.provision.actor.role	extensible	SecurityRoleType http://hl7.org/fhir/ValueSet/security-role-type from the FHIR Standard
Consent.provision.action	example	ConsentActionCodes http://hl7.org/fhir/ValueSet/consent-action from the FHIR Standard
Consent.provision.securityLabel	extensible	All Security Labels http://hl7.org/fhir/ValueSet/security-labels from the FHIR Standard
Consent.provision.purpose	extensible	ResearchDataAccessCodeVS (a valid code from Research Data Access Codes) https://nih-ncpi.github.io/ncpi-fhir-ig-2/ValueSet/research-data-access-code-vs from this IG
Consent.provision.class	extensible	ConsentContentClass http://hl7.org/fhir/ValueSet/consent-content-class from the FHIR Standard
Consent.provision.code	example	ConsentContentCodes (a valid code from LOINC) http://hl7.org/fhir/ValueSet/consent-content-code from the FHIR Standard
Consent.provision.data.meaning	required	ConsentDataMeaning http://hl7.org/fhir/ValueSet/consent-data-meaning|4.3.0 from the FHIR Standard

Constraints

Id	Grade	Path(s)	Details	Requirements
completed-consent-code	error	Consent	If category is DS then there must be a ResearchConsentDiseaseAbbreviation : provision.purpose.where(code = 'DS').empty() or provision.extension.where(url='https://nih-ncpi.github.io/ncpi-fhir-ig/StructureDefinition/research-disease-use-limitation').exists()
dom-2	error	Consent	If the resource is contained in another resource, it SHALL NOT contain nested Resources : contained.contained.empty()
dom-3	error	Consent	If the resource is contained in another resource, it SHALL be referred to from elsewhere in the resource or SHALL refer to the containing resource : contained.where(((id.exists() and ('#'+id in (%resource.descendants().reference | %resource.descendants().as(canonical) | %resource.descendants().as(uri) | %resource.descendants().as(url)))) or descendants().where(reference = '#').exists() or descendants().where(as(canonical) = '#').exists() or descendants().where(as(uri) = '#').exists()).not()).trace('unmatched', id).empty()
dom-4	error	Consent	If a resource is contained in another resource, it SHALL NOT have a meta.versionId or a meta.lastUpdated : contained.meta.versionId.empty() and contained.meta.lastUpdated.empty()
dom-5	error	Consent	If a resource is contained in another resource, it SHALL NOT have a security label : contained.meta.security.empty()
dom-6	best practice	Consent	A resource should have narrative for robust management : text.`div`.exists()
dom-r4b	warning	Consent.contained	Containing new R4B resources within R4 resources may cause interoperability issues if instances are shared with R4 systems : ($this is Citation or $this is Evidence or $this is EvidenceReport or $this is EvidenceVariable or $this is MedicinalProductDefinition or $this is PackagedProductDefinition or $this is AdministrableProductDefinition or $this is Ingredient or $this is ClinicalUseDefinition or $this is RegulatedAuthorization or $this is SubstanceDefinition or $this is SubscriptionStatus or $this is SubscriptionTopic) implies (%resource is Citation or %resource is Evidence or %resource is EvidenceReport or %resource is EvidenceVariable or %resource is MedicinalProductDefinition or %resource is PackagedProductDefinition or %resource is AdministrableProductDefinition or %resource is Ingredient or %resource is ClinicalUseDefinition or %resource is RegulatedAuthorization or %resource is SubstanceDefinition or %resource is SubscriptionStatus or %resource is SubscriptionTopic)
ele-1	error	**ALL** elements	All FHIR elements must have a @value or children : hasValue() or (children().count() > id.count())
ext-1	error	**ALL** extensions	Must have either extensions or value[x], not both : extension.exists() != value.exists()
ppc-1	error	Consent	Either a Policy or PolicyRule : policy.exists() or policyRule.exists()
ppc-2	error	Consent	IF Scope=privacy, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='patient-privacy').exists().not()
ppc-3	error	Consent	IF Scope=research, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='research').exists().not()
ppc-4	error	Consent	IF Scope=adr, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='adr').exists().not()
ppc-5	error	Consent	IF Scope=treatment, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='treatment').exists().not()

Differential View

This structure is derived from Consent

Name	Flags	Card.	Type	Description & Constraints
Consent	C	0..*	Consent	A healthcare consumer's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time completed-consent-code: If category is DS then there must be a ResearchConsentDiseaseAbbreviation
Slices for extension		1..*	Extension	Extension Slice: Unordered, Open by value:url
description		0..1	markdown	Descriptive text summarizing the policy restrictions and other details associated with this access provision. URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-policy-description
accessType		1..1	CodeableConcept	Type of access restrictions on file downloads ( open | registered | controlled ) URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-type Binding: Research Data Access Type Codes (required)
website		0..1	url	URL describing the policy restrictions in detail. URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/research-web-Link
category		1..*	CodeableConcept	Classification of the consent statement - for indexing/retrieval Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/consentcategorycodes
code		1..1	code	Symbol in syntax defined by the system Fixed Value: research
display		1..1	string	Representation defined by the system Fixed Value: Research Information Access
provision
Slices for extension		0..*	Extension	Extension Slice: Unordered, Open by value:url
diseaseUseLimitation		0..1	CodeableConcept	Consent Code Disease Abbreviation URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/research-disease-use-limitation Binding: MeSH Terms (example)
purpose		0..*	Coding	Context of activities covered by this rule Binding: Research Data Access Codes (extensible)
Documentation for this format

Terminology Bindings (Differential)

Path	Conformance	ValueSet	URI
Consent.provision.purpose	extensible	ResearchDataAccessCodeVS (a valid code from Research Data Access Codes) https://nih-ncpi.github.io/ncpi-fhir-ig-2/ValueSet/research-data-access-code-vs from this IG

Constraints

Id	Grade	Path(s)	Details	Requirements
completed-consent-code	error	Consent	If category is DS then there must be a ResearchConsentDiseaseAbbreviation : provision.purpose.where(code = 'DS').empty() or provision.extension.where(url='https://nih-ncpi.github.io/ncpi-fhir-ig/StructureDefinition/research-disease-use-limitation').exists()

Key Elements View

Name	Flags	Card.	Type	Description & Constraints
Consent	C	0..*	Consent	A healthcare consumer's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time ppc-1: Either a Policy or PolicyRule ppc-2: IF Scope=privacy, there must be a patient ppc-3: IF Scope=research, there must be a patient ppc-4: IF Scope=adr, there must be a patient ppc-5: IF Scope=treatment, there must be a patient completed-consent-code: If category is DS then there must be a ResearchConsentDiseaseAbbreviation
implicitRules	?!Σ	0..1	uri	A set of rules under which this content was created
Slices for extension		1..*	Extension	Extension Slice: Unordered, Open by value:url
description		0..1	markdown	Descriptive text summarizing the policy restrictions and other details associated with this access provision. URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-policy-description
accessType		1..1	CodeableConcept	Type of access restrictions on file downloads ( open | registered | controlled ) URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-type Binding: Research Data Access Type Codes (required)
website		0..1	url	URL describing the policy restrictions in detail. URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/research-web-Link
modifierExtension	?!	0..*	Extension	Extensions that cannot be ignored
status	?!Σ	1..1	code	draft | proposed | active | rejected | inactive | entered-in-error Binding: ConsentState (required): Indicates the state of the consent.
scope	?!Σ	1..1	CodeableConcept	Which of the four areas this resource covers (extensible) Binding: ConsentScopeCodes (extensible): The four anticipated uses for the Consent Resource.
category	Σ	1..*	CodeableConcept	Classification of the consent statement - for indexing/retrieval Binding: ConsentCategoryCodes (extensible): A classification of the type of consents found in a consent statement. Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/consentcategorycodes
code		1..1	code	Symbol in syntax defined by the system Fixed Value: research
display		1..1	string	Representation defined by the system Fixed Value: Research Information Access
Documentation for this format

Terminology Bindings

Path	Conformance	ValueSet / Code	URI
Consent.status	required	ConsentState http://hl7.org/fhir/ValueSet/consent-state-codes|4.3.0 from the FHIR Standard
Consent.scope	extensible	ConsentScopeCodes http://hl7.org/fhir/ValueSet/consent-scope from the FHIR Standard
Consent.category	extensible	Pattern: research("Research Information Access") http://hl7.org/fhir/ValueSet/consent-category from the FHIR Standard

Constraints

Id	Grade	Path(s)	Details	Requirements
completed-consent-code	error	Consent	If category is DS then there must be a ResearchConsentDiseaseAbbreviation : provision.purpose.where(code = 'DS').empty() or provision.extension.where(url='https://nih-ncpi.github.io/ncpi-fhir-ig/StructureDefinition/research-disease-use-limitation').exists()
dom-2	error	Consent	If the resource is contained in another resource, it SHALL NOT contain nested Resources : contained.contained.empty()
dom-3	error	Consent	If the resource is contained in another resource, it SHALL be referred to from elsewhere in the resource or SHALL refer to the containing resource : contained.where(((id.exists() and ('#'+id in (%resource.descendants().reference | %resource.descendants().as(canonical) | %resource.descendants().as(uri) | %resource.descendants().as(url)))) or descendants().where(reference = '#').exists() or descendants().where(as(canonical) = '#').exists() or descendants().where(as(uri) = '#').exists()).not()).trace('unmatched', id).empty()
dom-4	error	Consent	If a resource is contained in another resource, it SHALL NOT have a meta.versionId or a meta.lastUpdated : contained.meta.versionId.empty() and contained.meta.lastUpdated.empty()
dom-5	error	Consent	If a resource is contained in another resource, it SHALL NOT have a security label : contained.meta.security.empty()
dom-6	best practice	Consent	A resource should have narrative for robust management : text.`div`.exists()
ele-1	error	**ALL** elements	All FHIR elements must have a @value or children : hasValue() or (children().count() > id.count())
ext-1	error	**ALL** extensions	Must have either extensions or value[x], not both : extension.exists() != value.exists()
ppc-1	error	Consent	Either a Policy or PolicyRule : policy.exists() or policyRule.exists()
ppc-2	error	Consent	IF Scope=privacy, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='patient-privacy').exists().not()
ppc-3	error	Consent	IF Scope=research, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='research').exists().not()
ppc-4	error	Consent	IF Scope=adr, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='adr').exists().not()
ppc-5	error	Consent	IF Scope=treatment, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='treatment').exists().not()

Snapshot View

Name	Flags	Card.	Type	Description & Constraints
Consent	C	0..*	Consent	A healthcare consumer's choices to permit or deny recipients or roles to perform actions for specific purposes and periods of time ppc-1: Either a Policy or PolicyRule ppc-2: IF Scope=privacy, there must be a patient ppc-3: IF Scope=research, there must be a patient ppc-4: IF Scope=adr, there must be a patient ppc-5: IF Scope=treatment, there must be a patient completed-consent-code: If category is DS then there must be a ResearchConsentDiseaseAbbreviation
id	Σ	0..1	id	Logical id of this artifact
meta	Σ	0..1	Meta	Metadata about the resource
implicitRules	?!Σ	0..1	uri	A set of rules under which this content was created
language		0..1	code	Language of the resource content Binding: CommonLanguages (preferred): IETF language tag Additional Bindings Purpose AllLanguages Max Binding
text		0..1	Narrative	Text summary of the resource, for human interpretation
contained		0..*	Resource	Contained, inline Resources dom-r4b: Containing new R4B resources within R4 resources may cause interoperability issues if instances are shared with R4 systems
Slices for extension		1..*	Extension	Extension Slice: Unordered, Open by value:url
description		0..1	markdown	Descriptive text summarizing the policy restrictions and other details associated with this access provision. URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-policy-description
accessType		1..1	CodeableConcept	Type of access restrictions on file downloads ( open | registered | controlled ) URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-type Binding: Research Data Access Type Codes (required)
website		0..1	url	URL describing the policy restrictions in detail. URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/research-web-Link
modifierExtension	?!	0..*	Extension	Extensions that cannot be ignored
identifier	Σ	0..*	Identifier	Identifier for this record (external references)
status	?!Σ	1..1	code	draft | proposed | active | rejected | inactive | entered-in-error Binding: ConsentState (required): Indicates the state of the consent.
scope	?!Σ	1..1	CodeableConcept	Which of the four areas this resource covers (extensible) Binding: ConsentScopeCodes (extensible): The four anticipated uses for the Consent Resource.
category	Σ	1..*	CodeableConcept	Classification of the consent statement - for indexing/retrieval Binding: ConsentCategoryCodes (extensible): A classification of the type of consents found in a consent statement. Required Pattern: At least the following
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/consentcategorycodes
version		0..1	string	Version of the system - if relevant
code		1..1	code	Symbol in syntax defined by the system Fixed Value: research
display		1..1	string	Representation defined by the system Fixed Value: Research Information Access
userSelected		0..1	boolean	If this coding was chosen directly by the user
text		0..1	string	Plain text representation of the concept
patient	Σ	0..1	Reference(Patient)	Who the consent applies to
dateTime	Σ	0..1	dateTime	When this Consent was created or indexed
performer	Σ	0..*	Reference(Organization | Patient | Practitioner | RelatedPerson | PractitionerRole)	Who is agreeing to the policy and rules
organization	Σ	0..*	Reference(Organization)	Custodian of the consent
source[x]	Σ	0..1		Source from which this consent is taken
sourceAttachment			Attachment
sourceReference			Reference(Consent | DocumentReference | Contract | QuestionnaireResponse)
policy		0..*	BackboneElement	Policies covered by this consent
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
authority	C	0..1	uri	Enforcement source for policy
uri	C	0..1	uri	Specific policy covered by this consent
policyRule	ΣC	0..1	CodeableConcept	Regulation that this consents to Binding: ConsentPolicyRuleCodes (extensible): Regulatory policy examples.
verification	Σ	0..*	BackboneElement	Consent Verified by patient or family
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
verified	Σ	1..1	boolean	Has been verified
verifiedWith		0..1	Reference(Patient | RelatedPerson)	Person who verified
verificationDate		0..1	dateTime	When consent verified
provision	Σ	0..1	BackboneElement	Constraints to the base Consent.policyRule
id		0..1	string	Unique id for inter-element referencing
Slices for extension		0..*	Extension	Extension Slice: Unordered, Open by value:url
diseaseUseLimitation		0..1	CodeableConcept	Consent Code Disease Abbreviation URL: https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/research-disease-use-limitation Binding: MeSH Terms (example)
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
type	Σ	0..1	code	deny | permit Binding: ConsentProvisionType (required): How a rule statement is applied, such as adding additional consent or removing consent.
period	Σ	0..1	Period	Timeframe for this rule
actor		0..*	BackboneElement	Who|what controlled by this rule (or group, by role)
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
role		1..1	CodeableConcept	How the actor is involved Binding: SecurityRoleType (extensible): How an actor is involved in the consent considerations.
reference		1..1	Reference(Device | Group | CareTeam | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole)	Resource for the actor (or group, by role)
action	Σ	0..*	CodeableConcept	Actions controlled by this rule Binding: ConsentActionCodes (example): Detailed codes for the consent action.
securityLabel	Σ	0..*	Coding	Security Labels that define affected resources Binding: All Security Labels (extensible): Security Labels from the Healthcare Privacy and Security Classification System.
purpose	Σ	0..*	Coding	Context of activities covered by this rule Binding: Research Data Access Codes (extensible)
class	Σ	0..*	Coding	e.g. Resource Type, Profile, CDA, etc. Binding: ConsentContentClass (extensible): The class (type) of information a consent rule covers.
code	Σ	0..*	CodeableConcept	e.g. LOINC or SNOMED CT code, etc. in the content Binding: ConsentContentCodes (example): If this code is found in an instance, then the exception applies.
dataPeriod	Σ	0..1	Period	Timeframe for data controlled by this rule
data	Σ	0..*	BackboneElement	Data controlled by this rule
id		0..1	string	Unique id for inter-element referencing
extension		0..*	Extension	Additional content defined by implementations
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
meaning	Σ	1..1	code	instance | related | dependents | authoredby Binding: ConsentDataMeaning (required): How a resource reference is interpreted when testing consent restrictions.
reference	Σ	1..1	Reference(Resource)	The actual data reference
provision		0..*	See provision (Consent)	Nested Exception Rules
Documentation for this format

Terminology Bindings

Path	Conformance	ValueSet / Code	URI
Consent.language	preferred	CommonLanguages Additional Bindings Purpose AllLanguages Max Binding http://hl7.org/fhir/ValueSet/languages from the FHIR Standard
Consent.status	required	ConsentState http://hl7.org/fhir/ValueSet/consent-state-codes|4.3.0 from the FHIR Standard
Consent.scope	extensible	ConsentScopeCodes http://hl7.org/fhir/ValueSet/consent-scope from the FHIR Standard
Consent.category	extensible	Pattern: research("Research Information Access") http://hl7.org/fhir/ValueSet/consent-category from the FHIR Standard
Consent.policyRule	extensible	ConsentPolicyRuleCodes http://hl7.org/fhir/ValueSet/consent-policy from the FHIR Standard
Consent.provision.type	required	ConsentProvisionType http://hl7.org/fhir/ValueSet/consent-provision-type|4.3.0 from the FHIR Standard
Consent.provision.actor.role	extensible	SecurityRoleType http://hl7.org/fhir/ValueSet/security-role-type from the FHIR Standard
Consent.provision.action	example	ConsentActionCodes http://hl7.org/fhir/ValueSet/consent-action from the FHIR Standard
Consent.provision.securityLabel	extensible	All Security Labels http://hl7.org/fhir/ValueSet/security-labels from the FHIR Standard
Consent.provision.purpose	extensible	ResearchDataAccessCodeVS (a valid code from Research Data Access Codes) https://nih-ncpi.github.io/ncpi-fhir-ig-2/ValueSet/research-data-access-code-vs from this IG
Consent.provision.class	extensible	ConsentContentClass http://hl7.org/fhir/ValueSet/consent-content-class from the FHIR Standard
Consent.provision.code	example	ConsentContentCodes (a valid code from LOINC) http://hl7.org/fhir/ValueSet/consent-content-code from the FHIR Standard
Consent.provision.data.meaning	required	ConsentDataMeaning http://hl7.org/fhir/ValueSet/consent-data-meaning|4.3.0 from the FHIR Standard

Constraints

Id	Grade	Path(s)	Details	Requirements
completed-consent-code	error	Consent	If category is DS then there must be a ResearchConsentDiseaseAbbreviation : provision.purpose.where(code = 'DS').empty() or provision.extension.where(url='https://nih-ncpi.github.io/ncpi-fhir-ig/StructureDefinition/research-disease-use-limitation').exists()
dom-2	error	Consent	If the resource is contained in another resource, it SHALL NOT contain nested Resources : contained.contained.empty()
dom-3	error	Consent	If the resource is contained in another resource, it SHALL be referred to from elsewhere in the resource or SHALL refer to the containing resource : contained.where(((id.exists() and ('#'+id in (%resource.descendants().reference | %resource.descendants().as(canonical) | %resource.descendants().as(uri) | %resource.descendants().as(url)))) or descendants().where(reference = '#').exists() or descendants().where(as(canonical) = '#').exists() or descendants().where(as(uri) = '#').exists()).not()).trace('unmatched', id).empty()
dom-4	error	Consent	If a resource is contained in another resource, it SHALL NOT have a meta.versionId or a meta.lastUpdated : contained.meta.versionId.empty() and contained.meta.lastUpdated.empty()
dom-5	error	Consent	If a resource is contained in another resource, it SHALL NOT have a security label : contained.meta.security.empty()
dom-6	best practice	Consent	A resource should have narrative for robust management : text.`div`.exists()
dom-r4b	warning	Consent.contained	Containing new R4B resources within R4 resources may cause interoperability issues if instances are shared with R4 systems : ($this is Citation or $this is Evidence or $this is EvidenceReport or $this is EvidenceVariable or $this is MedicinalProductDefinition or $this is PackagedProductDefinition or $this is AdministrableProductDefinition or $this is Ingredient or $this is ClinicalUseDefinition or $this is RegulatedAuthorization or $this is SubstanceDefinition or $this is SubscriptionStatus or $this is SubscriptionTopic) implies (%resource is Citation or %resource is Evidence or %resource is EvidenceReport or %resource is EvidenceVariable or %resource is MedicinalProductDefinition or %resource is PackagedProductDefinition or %resource is AdministrableProductDefinition or %resource is Ingredient or %resource is ClinicalUseDefinition or %resource is RegulatedAuthorization or %resource is SubstanceDefinition or %resource is SubscriptionStatus or %resource is SubscriptionTopic)
ele-1	error	**ALL** elements	All FHIR elements must have a @value or children : hasValue() or (children().count() > id.count())
ext-1	error	**ALL** extensions	Must have either extensions or value[x], not both : extension.exists() != value.exists()
ppc-1	error	Consent	Either a Policy or PolicyRule : policy.exists() or policyRule.exists()
ppc-2	error	Consent	IF Scope=privacy, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='patient-privacy').exists().not()
ppc-3	error	Consent	IF Scope=research, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='research').exists().not()
ppc-4	error	Consent	IF Scope=adr, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='adr').exists().not()
ppc-5	error	Consent	IF Scope=treatment, there must be a patient : patient.exists() or scope.coding.where(system='something' and code='treatment').exists().not()

This structure is derived from Consent

Summary

Mandatory: 2 elements

Extensions

This structure refers to these extensions:

• https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-policy-description
• https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/access-type
• https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/research-web-Link
• https://nih-ncpi.github.io/ncpi-fhir-ig-2/StructureDefinition/research-disease-use-limitation

While the standard FHIR R4 Consent is intended to be directly associated with a particular patient, given the nature of research access control policies, this profile is intended to be instantiated once and associated with a number of patients (TBD).