How Do We Do Digital Consent Forms & Share As Claims W/Multiple Parties?

From IIW

How Do We Do Digital Consent Forms & Share as Claims with Multiple Parties (Healthcare)?

Day/Session:Tuesday 4G

Convener:Alan Viars

Notes-taker(s): Alan Viars

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The group started off talking about the problem of multiple consent forms and the common need for consent aggregation.  Participants included representative from Capital One and the Kantara Initiative.  The group suggested the term "consent form" is confusing and instead we should settle on the terminology "user permission" or "user stipulation".  

We discussed at length the Kantara Content Receipt Specification ( )  This specification results in an JWT that is a receipt for the user stipulation.  Immutability of the receipt is an option but not required by the specification.

It was pointed out that to copy with GDPR and forthcoming laws in California, a feed loop is needed.  A user must be able to select specific elements within the user permission dialogue. A user only needs to agree to the minimum necessary to achieve the action.  The systems can say "ok" or "sorry I cannot complete the transaction without X or Y".

We discussed the notion of typing/codifying different types of consents.  this is something that has been recognized in the Kantara Initiative as a need and is being worked on, but it is not yet a standard.

The group discussed different ways to handle the need for signatures and receipts.  One method is to simply state that the paper form with a signature is on file.  Another method is to store the signature within the consent receipt, although this results in a much larger JWT.

The group also discussed identity assurance.

We discussed the difficulties of managing identity for the homeless or those without email or a consistent mobile phone.   It was stated that often times in these cases, identity assurance is less important that consistent identity. We also discussed how identity assurance decays over time.  For example, when a person presents a utility bill to prove he or she lives at a particular address, this information may at some point in the future no longer be true.