Consent Resource
FHIR’s Consent resource allows patients to control how their data is used and shared. ESUS uses consent records to gate access to PHI resources — the ABAC engine checks for an active Consent record before allowing practitioners to read or modify a patient’s sensitive data.
Create a Consent
```bash
curl -X POST https://api.esus.health/fhir/Consent \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/fhir+json" \
  -d '{
    "resourceType": "Consent",
    "status": "active",
    "scope": {
      "coding": [{
        "system": "http://terminology.hl7.org/CodeSystem/consentscope",
        "code": "patient-privacy",
        "display": "Privacy Consent"
      }]
    },
    "category": [{
      "coding": [{
        "system": "http://loinc.org",
        "code": "59284-0",
        "display": "Consent Document"
      }]
    }],
    "patientId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "dateTime": "2026-04-21",
    "policy": [{
      "uri": "https://esus.health/privacy-policy"
    }],
    "provision": {
      "type": "permit",
      "actor": [{
        "role": {
          "coding": [{
            "system": "http://terminology.hl7.org/CodeSystem/v3-ParticipationType",
            "code": "PRCP",
            "display": "primary information recipient"
          }]
        },
        "reference": {
          "reference": "Practitioner/a7b1c2d3-e4f5-6789-abcd-ef0123456789"
        }
      }]
    }
  }'
```
Consent Status
| Status | Meaning |
|---|---|
| proposed | Consent has been proposed, awaiting patient decision |
| draft | Consent is being drafted |
| active | Consent is in effect; this is the only status the ABAC engine treats as granting access |
| inactive | Consent has been suspended or revoked |
| entered-in-error | Consent was recorded in error |
| expired | Consent has passed its end date |
Research Consent (Opt-In)
```bash
curl -X POST https://api.esus.health/fhir/Consent \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/fhir+json" \
  -d '{
    "resourceType": "Consent",
    "status": "active",
    "scope": {
      "coding": [{
        "system": "http://terminology.hl7.org/CodeSystem/consentscope",
        "code": "research",
        "display": "Research Consent"
      }]
    },
    "category": [{
      "coding": [{
        "system": "http://terminology.hl7.org/CodeSystem/v3-ActCode",
        "code": "RESEARCH",
        "display": "research information access"
      }]
    }],
    "patientId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "provision": {
      "type": "permit",
      "purpose": [{
        "system": "http://terminology.hl7.org/CodeSystem/v3-ActReason",
        "code": "HRESCH",
        "display": "healthcare research"
      }]
    }
  }'
```

This provision names no actor, so it permits any requester whose stated purpose of use is `HRESCH`; codings carry their `system` so the codes cannot be confused with same-spelled codes from another code system.
Data Sharing Opt-Out
```bash
curl -X POST https://api.esus.health/fhir/Consent \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/fhir+json" \
  -d '{
    "resourceType": "Consent",
    "status": "active",
    "scope": {
      "coding": [{
        "system": "http://terminology.hl7.org/CodeSystem/consentscope",
        "code": "patient-privacy",
        "display": "Privacy Consent"
      }]
    },
    "patientId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "provision": {
      "type": "deny",
      "actor": [{
        "role": {
          "coding": [{
            "system": "http://terminology.hl7.org/CodeSystem/v3-ParticipationType",
            "code": "IRCP",
            "display": "information recipient"
          }]
        },
        "reference": { "reference": "Organization/d4e5f6a7-b8c9-0123-def4-567890abcdef" }
      }],
      "action": [{
        "coding": [{
          "system": "http://terminology.hl7.org/CodeSystem/consentaction",
          "code": "disclose",
          "display": "Disclose"
        }]
      }]
    }
  }'
```

`provision.actor.role` is required by FHIR R4, so the actor entry carries one here. This record denies only the `disclose` action for the named organization; it does not by itself grant anything to anyone else.
Revoke Consent
To revoke an existing consent, update its status to inactive. Note that PUT replaces the whole resource: send the complete Consent as you last read it (the body below is abbreviated and, for example, omits `provision`), changing only `status`, or the revoked record will also lose elements you did not mean to remove. Once no active Consent permits a practitioner, the ABAC check described below denies their requests for that patient's PHI.

```bash
curl -X PUT https://api.esus.health/fhir/Consent/c1a2e3d4-5b6f-7890-abcd-ef1234567890 \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/fhir+json" \
  -d '{
    "resourceType": "Consent",
    "id": "c1a2e3d4-5b6f-7890-abcd-ef1234567890",
    "status": "inactive",
    "scope": {
      "coding": [{
        "system": "http://terminology.hl7.org/CodeSystem/consentscope",
        "code": "patient-privacy"
      }]
    },
    "category": [{
      "coding": [{
        "system": "http://loinc.org",
        "code": "59284-0"
      }]
    }],
    "patientId": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
  }'
```
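The revocation above is a read-modify-write, and two clients editing the same Consent can overwrite each other. The following is an added example, not ESUS client code, of doing it safely: fetch the current resource, change only `status`, and send it back with `If-Match` set to the `ETag` from the read so a concurrent edit is rejected with `412` rather than silently lost. The `transport` callable signature, the `FakeFhirServer` stand-in and the sample record are constructed for this example; a real client would back `transport` with an HTTP library.

```python
"""Added example (not ESUS client code): revoke a Consent by a guarded
read-modify-write.  The transport signature, FakeFhirServer and the sample
record are constructed for the example."""
import json

FHIR_JSON = "application/fhir+json"


def revoke_consent(transport, base_url, consent_id, token):
    """transport(method, url, headers, body) -> (status, headers, body)."""
    url = f"{base_url}/Consent/{consent_id}"
    headers = {"Authorization": f"Bearer {token}", "Accept": FHIR_JSON}
    status, resp_headers, body = transport("GET", url, headers, None)
    if status != 200:
        raise RuntimeError(f"GET {url} returned {status}")
    consent = json.loads(body)
    if consent.get("status") in ("inactive", "entered-in-error"):
        return consent                       # already revoked; do not bump the version
    consent["status"] = "inactive"           # every other element is preserved in the PUT
    put_headers = {**headers, "Content-Type": FHIR_JSON}
    if "ETag" in resp_headers:
        put_headers["If-Match"] = resp_headers["ETag"]   # optimistic lock on the version read
    status, _, body = transport("PUT", url, put_headers, json.dumps(consent))
    if status == 412:
        raise RuntimeError("consent changed since it was read; re-fetch and retry")
    if status not in (200, 201):
        raise RuntimeError(f"PUT {url} returned {status}")
    return json.loads(body)


class FakeFhirServer:
    """In-memory stand-in for the Consent endpoint with FHIR-style versioning:
    ETag W/"<versionId>" on reads, If-Match checked on PUT."""

    def __init__(self, resources):
        self.store = {r["id"]: (1, r) for r in resources}   # id -> (versionId, resource)

    def __call__(self, method, url, headers, body):
        rid = url.rsplit("/", 1)[-1]
        if rid not in self.store:
            return 404, {}, ""
        version, resource = self.store[rid]
        etag = f'W/"{version}"'
        if method == "GET":
            return 200, {"ETag": etag}, json.dumps(resource)
        if method == "PUT":
            if "If-Match" in headers and headers["If-Match"] != etag:
                return 412, {}, ""           # the client read a stale version
            updated = json.loads(body)
            self.store[rid] = (version + 1, updated)
            return 200, {"ETag": f'W/"{version + 1}"'}, json.dumps(updated)
        return 405, {}, ""


# Constructed sample record mirroring the page's first example (not API output).
SAMPLE_CONSENT = {
    "resourceType": "Consent",
    "id": "c1a2e3d4-5b6f-7890-abcd-ef1234567890",
    "status": "active",
    "scope": {"coding": [{"system": "http://terminology.hl7.org/CodeSystem/consentscope",
                          "code": "patient-privacy"}]},
    "patientId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "provision": {"type": "permit",
                  "actor": [{"reference": {"reference":
                             "Practitioner/a7b1c2d3-e4f5-6789-abcd-ef0123456789"}}]},
}

if __name__ == "__main__":
    server = FakeFhirServer([SAMPLE_CONSENT])
    revoked = revoke_consent(server, "https://api.esus.health/fhir", SAMPLE_CONSENT["id"], "TOKEN")
    print(revoked["status"], "provision kept:", "provision" in revoked)
```

Calling `revoke_consent` a second time on the same record returns it unchanged without issuing a PUT, so repeated revocations do not churn the version history.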
Query Consent Records
```bash
# Get all active consents for a patient
curl "https://api.esus.health/fhir/Consent?patient=Patient/3fa85f64-5717-4562-b3fc-2c963f66afa6&status=active" \
  -H "Authorization: Bearer TOKEN"

# Get consents by category (standard FHIR token search; pin the code system
# with category=http://loinc.org|59284-0 when the code alone is ambiguous)
curl "https://api.esus.health/fhir/Consent?category=59284-0" \
  -H "Authorization: Bearer TOKEN"
```
How Consent Gates PHI Access
When a practitioner requests a PHI resource (e.g., `GET /fhir/Observation/aa11bb22-cc33-dd44-ee55-ff6677889900`), the ABAC engine:
- Verifies the practitioner has the `read` permission for `Observation`
- Looks up the patient linked to that Observation
- Checks the Consent table for an active consent record permitting this practitioner (or their organization) access
- If no active consent exists, returns `403 Forbidden` with a FHIR `OperationOutcome`

This check happens automatically — you do not need to implement it in your application. Because the default is deny, a practitioner with the right permission but no active Consent for the patient is still refused.
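To make the rule concrete, here is an added reference evaluator in the spirit of the check described above. It is not the ESUS engine and the engine's exact precedence rules are not published on this page: it consumes a searchset Bundle such as the one returned by `GET /fhir/Consent?patient=Patient/<id>&status=active` and answers permit or deny for one requester. Assumed for the example: an applicable `deny` provision outranks a `permit`, a provision with no `actor` or `action` applies to every requester or action, a read maps to the consentaction code `access`, and the sample Bundle is constructed, not real API output.

```python
"""Added example, not the ESUS engine: evaluate Consent records from a searchset
Bundle for one requester.  Precedence rules, the GET -> "access" mapping and the
sample Bundle are assumptions made for the example."""
from datetime import date

PATIENT = "3fa85f64-5717-4562-b3fc-2c963f66afa6"
PRACTITIONER = "Practitioner/a7b1c2d3-e4f5-6789-abcd-ef0123456789"
DENIED_ORG = "Organization/d4e5f6a7-b8c9-0123-def4-567890abcdef"
OTHER_PRACTITIONER = "Practitioner/00000000-0000-0000-0000-000000000001"
CONSENT_ACTION = "http://terminology.hl7.org/CodeSystem/consentaction"


def _entry(cid, status, provision):
    return {"resource": {"resourceType": "Consent", "id": cid, "status": status,
                         "patientId": PATIENT, "provision": provision}}


# Constructed sample Bundle: the page's privacy permit (in force from 2026-04-21),
# its organisation opt-out deny for "disclose", and a revoked permit for a second
# practitioner.  Not real API output.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle", "type": "searchset",
    "entry": [
        _entry("c1", "active", {
            "type": "permit",
            "period": {"start": "2026-04-21"},
            "actor": [{"reference": {"reference": PRACTITIONER}}],
        }),
        _entry("c2", "active", {
            "type": "deny",
            "actor": [{"reference": {"reference": DENIED_ORG}}],
            "action": [{"coding": [{"system": CONSENT_ACTION, "code": "disclose"}]}],
        }),
        _entry("c3", "inactive", {
            "type": "permit",
            "actor": [{"reference": {"reference": OTHER_PRACTITIONER}}],
        }),
    ],
}


def in_force(consent, patient_id, today):
    """Only active Consents for this patient whose provision.period covers today count."""
    if consent.get("resourceType") != "Consent" or consent.get("status") != "active":
        return False
    if consent.get("patientId") != patient_id:
        return False
    period = consent.get("provision", {}).get("period", {})
    start, end = period.get("start"), period.get("end")
    if start and date.fromisoformat(start[:10]) > today:
        return False
    if end and date.fromisoformat(end[:10]) < today:
        return False
    return True


def provision_applies(provision, subjects, action):
    """A provision applies when its actor list (if any) names one of the requester's
    references and its action list (if any) names the requested action."""
    actors = {a.get("reference", {}).get("reference") for a in provision.get("actor", [])}
    if actors and actors.isdisjoint(subjects):
        return False
    actions = {c.get("code") for cc in provision.get("action", []) for c in cc.get("coding", [])}
    if actions and action not in actions:
        return False
    return True


def decide(bundle, patient_id, subjects, action, today=None):
    """subjects: references identifying the requester (the Practitioner and the
    Organization it belongs to).  Returns "permit" or "deny"; with no applicable
    active consent the answer is "deny", matching the 403 described above."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    decision = "deny"
    for entry in bundle.get("entry", []):
        consent = entry.get("resource", {})
        if not in_force(consent, patient_id, today):
            continue
        provision = consent.get("provision", {})
        if not provision_applies(provision, subjects, action):
            continue
        if provision.get("type") == "deny":
            return "deny"            # assumption: an applicable deny outranks any permit
        if provision.get("type") == "permit":
            decision = "permit"
    return decision


if __name__ == "__main__":
    me = {PRACTITIONER, DENIED_ORG}
    print("read:", decide(SAMPLE_BUNDLE, PATIENT, me, "access", today="2026-05-01"))
    print("disclose:", decide(SAMPLE_BUNDLE, PATIENT, me, "disclose", today="2026-05-01"))
```

The `today` parameter exists so the period check is deterministic; the engine would use the request time. Filtering on `status == "active"` client-side is deliberate even though the search already asks for `status=active`, so a Bundle from a broader query cannot accidentally grant access through an inactive record.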