Computable Consent – From Regulatory, Legislative, and Organizational Policies to Security Policies

Computable Consent – From Regulatory, Legislative, and Organizational Policies to Security Policies
Conference paper
Zoran Milosevic, Frank Pyefinch
International Conference on Enterprise Design, Operations, and Computing, 28 September 2022; Italy
Abstract
Consumer-facing health applications are increasingly requiring flexible approaches for expressing consumer consent preferences for the use of their health data across multiple providers, and across cloud and on-premises systems. This and the recognition of the need for clear governance and legislative rules that specify enforceable policies over how consumer data is used by the nominated and other providers, including AI vendors, increasingly require machine readable, i.e. computable consent expressions. These expressions can be regarded as additional constraints over security policies, applicable to all stakeholders, while accommodating rules from regulatory and legislative policies. Support for both kind of policies contribute to improving consumer trust in the use of their data. This is applicable to both care delivery processes but also research projects, such as clinical trials. This paper proposes a computable consent framework and positions it in the context of the new developments within Health Level Seven (HL7®) Fast Health Interoperability Resources (FHIR®) standard. The proposal is based on the use of precise policy concepts from the ISO/ITU-T RM-ODP (Reference Model for Open Distributed Processing) standard. The aim is to provide general standards-based policy semantics guidance to interoperability/solution architects and implementers involved in digital health applications. The framework is driven by consent requirements, while leveraging broader policy input from medico-legal community.