Managing patient privacy is increasingly complex. Secure sharing of health information among health care providers and for other legally permitted purposes can be delayed or complicated. These difficulties include overlapping and conflicting state and federal requirements for sensitive information, manual consent-verification processes, and the lack of standardized methods for recording and communicating patient preferences.
To bridge this operational gap, The Sequoia Project’s Interoperability Matters Privacy & Consent Workgroup (PCWG) convened experts to assess this landscape and develop initial informational guidance and example resources for organizations exploring automated, computable consent processes. The guidance focuses on the use case of sharing sensitive information related to substance use disorder (SUD) treatment, including records subject to 42 C.F.R. Part 2. The materials are intended to help organizations evaluate issues, design workflows, and identify consent elements that may need to be captured in structured form. They are not legal advice and do not guarantee compliance, interoperability, technical performance, implementation success, or any particular operational result.
Community feedback may inform whether and how additional use cases, examples, or refinements are developed over time.
Organizations considering automated or computable consent generally need to evaluate three (3) foundational areas with their internal teams and electronic health information (EHI) exchange partners:
Assessing whether and how data-segmentation technology (including HL7® FHIR® and other data-tagging approaches) can represent consent-related parameters and metadata in ways that support authorized sharing of EHI.
Translating complex legal, policy, and operational requirements into automated consent-management workflows, and, where appropriate, rules engines or other technology-enabled processes within Electronic Health Records (EHRs), health information networks, or related systems. Such approaches may reduce the administrative and legal evaluation burden on frontline organizations.
Presenting consent options to individuals in clear, understandable ways and supporting processes that help organizations consider and apply documented patient choices clearly while protecting sensitive information, in support of patients.
The PCWG has augmented the core guidance with five (5) distinct appendices with example resources that organizations may review and adapt based on their own legal obligations, technical environment, governance processes, and risk tolerance. These appendices address federal and state-law analysis, consent data elements, organizational roles and responsibilities, workflows, and a sample policy document.
This matrix crosswalks consent components required under HIPAA and 42 CFR Part 2 (“Part 2”), and distinguishes among standard Part 2 consents; treatment, payment, and health care operations (TPO) consents; and intermediary consents. Each element, such as patient identification, purpose, expiration, and redisclosure notice, is assigned a unique Consent Element ID. These IDs serve as a reusable reference point for policy review, workflow design, and potential translation into data fields or system logic.
The State Law Template is intended to help organizations evaluate how state laws governing SUD treatment information and other sensitive health information may overlap with, or add to, federal requirements under Part 2 and HIPAA. For each consent element (e.g., who may disclose, who may receive, description of the information, purpose, expiration, signature, and requirement statements) and for each category of sensitive information, organizations can use the template to document relevant statutes, regulations, and additional steps. The template does not determine whether state law applies or whether a proposed consent process is sufficient but offers an approach for organizing and evaluating such standards.
This appendix provides a modular example Part 2 patient consent form for disclosures of Part 2 records for Treatment, Payment and Health Care Operations (TPO) purposes. It organizes each required consent element into labeled fields that may be used for paper-based processes or adapted into electronic or computable consent formats. The appendix may also help organizations identify whether a proposed automated consent approach can capture, store, and transmit relevant elements in a structured way, and in accordance with applicable law.
This appendix outlines individual tasks and suggested role assignments for operationalizing a computable consent workflow for the defined scenario: a Part 2 Program disclosing Part 2-protected information for treatment purposes to a non-Part 2 HIPAA-covered entity provider through a health information network (HIN). Organizations may use the workflow and RACI as a planning aid and adapt it to their governance, contracting, technical, and operational environment.
This appendix offers a sample structured framework that Part 2 Programs may consider when formalizing their internal governance for automated consent. It includes sample policy language, procedures for validating electronic consent forms, qualified services organization agreement (QSOA) alignment considerations, and key decision points for integrating automated consent into existing privacy and security programs.
This guidance is intended to provide a practical starting point for organizations evaluating how to operationalize automated or computable consent in the Part 2 context. The appendices offer sample approaches and reference materials that may support internal planning, policy development, workflow design, and technical requirement gathering.
As organizations adopt and adapt these tools to their own computable, automated consent processes, the PCWG hopes to collect feedback. Case studies from real-world implementation could be used to iterate on these tools, as well as to inform the development of future guidance and tools. The entire community is encouraged to share feedback with The Sequoia Project and the PCWG. Real-world lessons may inform future refinements or additional guidance. The community is invited to participate in the ongoing dialogue to support responsible, privacy-preserving health information exchange and better serve patients.
This summary and the accompanying paper are provided for informational purposes only. Organizations should consult their own legal, compliance, privacy, security, and technical teams before using, adapting, or implementing any approach described in the materials. No warranty, guarantee, endorsement, certification, or promise of specific functionality, interoperability, compliance, or implementation outcome is made or implied.