FHIR Consent is a record of a patient's privacy directive, capturing their authorization or denial for the processing of their Protected Health Information (PHI). It formalizes the legal basis for data sharing, specifying the actor, purpose, and period of the permission, moving beyond simple binary opt-in/opt-out flags to granular, computable policies.
Glossary
FHIR Consent

What is FHIR Consent?
A FHIR resource that records a patient's agreement or refusal for the collection, access, use, or disclosure of their health information for specific purposes.
The resource models complex privacy rules by linking a patient to specific provision elements that define what data is covered, who can access it, and for what clinical or research purpose. It enforces terminology binding to codes like HIPAA purposes of use, enabling automated enforcement by a FHIR Server security layer to block unauthorized data access at the API level.
Key Features of the FHIR Consent Resource
The FHIR Consent resource is a record of a healthcare consumer's choices, which permits or denies identified recipients or roles to perform specific actions on their protected health information for defined purposes.
Scope and Granularity
The scope element defines the breadth of the consent. It distinguishes between high-level privacy directives (patient-privacy) and specific research authorizations (research). Granularity is achieved by scoping provisions to specific data classes (e.g., medication records) or time periods, enabling a patient to consent to the use of lab data but not psychotherapy notes.
Actor and Purpose Binding
Provisions bind specific actors (individuals, organizations, or roles) to permitted actions and purposes. An actor can be a named practitioner, a care team role, or an organization. The purpose element uses codes like TREAT (treatment), HPAYMT (payment), or HMARKT (marketing) to align with HIPAA and GDPR use cases, ensuring the reason for access is explicitly authorized.
Verification and Provenance
The verification element captures the process by which the consent was confirmed as authentic. It records whether the consent was verified with the patient or a representative, the verification date, and the verifying party. This is critical for legal admissibility and audit trails, distinguishing a signed directive from an unverified patient preference.
Consent State Machine
The status element drives a lifecycle state machine with values including:
- draft: The consent is being authored and is not yet active.
- active: The consent is in force and must be enforced.
- inactive: The consent is temporarily suspended.
- entered-in-error: The record was created accidentally and is invalid.
- rejected: The consent was refused by the patient.
Data Perimeter Control
The data element within a provision restricts the scope of information governed by the rule. It uses a FHIRPath expression to define a precise data perimeter, such as Observation.category = laboratory. This allows a single consent to apply a deny rule only to sensitive categories like genomic data or HIV-related results, while permitting access to the rest of the record.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear answers to the most common technical and operational questions about the FHIR Consent resource, its implementation, and its role in privacy-compliant healthcare data exchange.
A FHIR Consent resource is a formal, computable record of a patient's or their authorized representative's agreement, refusal, or dissent regarding the collection, access, use, or disclosure of their Protected Health Information (PHI) for a specific purpose. It operates by defining a set of actors, actions, and constraints. The resource's core components include a patient reference, a scope (e.g., patient-privacy or research), and a category (e.g., OPTIN or OPTOUT). The provision element is the operational heart, specifying the actors authorized or denied, the specific data resources or clinical compartments affected, the allowed actions (like read or disclose), and the purpose of use (e.g., TREAT for treatment or HPAYMT for payment). This structured, machine-readable format allows security and privacy engines in a FHIR Server to automatically enforce patient-directed privacy policies at the API level, rather than relying on scanned paper forms.
Related Terms
Core resources and standards that interact with the FHIR Consent resource to enable privacy-compliant healthcare data exchange.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us