Most discussion of consent in health information exchange assumes a coarse unit: a patient is either in the exchange or opted out; a document is either shareable or it is not. That model fit an era of document-based exchange reasonably well. As the industry shifts toward FHIR-based, element-level access — where a system can request a single lab result or one medication rather than a whole summary — consent becomes a genuinely harder problem. It is worth examining honestly rather than pretending the old model transfers cleanly.
The coarse model and its assumptions
Arizona’s statewide exchange, like many, operates on an opt-out model: records are available through the network by default, and patients may remove themselves entirely, change that decision, or opt out at the level of a particular provider. This works because the unit of decision is broad — participation, essentially yes or no, with a provider-level option. The patient does not have to reason about individual data elements.
What granular access disturbs
Element-level exchange invites finer-grained questions. If a system can request just the medication list, should consent be expressible at that granularity — share medications but not behavioral-health notes, for instance? Some categories of data already carry heightened legal protection, and granular query makes the enforcement of those protections both more important and more technically demanding. The question is no longer only “is this patient participating” but “is this specific data element, for this specific purpose, permitted to this specific requester.”
Why this is genuinely hard
There is no costless answer. Maximally granular consent — element by element, purpose by purpose — gives patients fine control but creates enormous complexity: it must be authored somewhere, stored somewhere, enforced consistently across every participating system, and kept current. Coarse consent is simpler and more reliably enforced but offers patients less nuance. Every real system lands somewhere on that spectrum, and the landing spot is a policy judgment, not a technical inevitability.
The honest position
It would be easy to claim that better standards “solve” consent. They do not. Standards like FHIR provide the mechanisms to express and enforce more granular consent, but they cannot decide how granular is appropriate, which categories deserve special handling, or how to balance patient control against the completeness clinicians need in an emergency. Those are choices that belong to a deliberative, multi-stakeholder process.
The convener’s role
This is precisely the kind of question a neutral table exists for — one where patients’ interests, clinicians’ needs, privacy law, and technical feasibility all have to be weighed together. AzHeC does not prescribe the answer; we host the conversation and keep it accurate. See our Network work area for how consent operates today and the Standards work area for the technical mechanisms involved.