New Sequoia Project guidance takes aim at state-level patient consent challenges

The Sequoia Project published two new documents exploring patient consent challenges and offering potential methods for aligning state and federal standards for sensitive health data.  

The publications are a follow-up to a whitepaper published in April 2025 by The Sequoia Project that outlined current challenges to collecting and managing patient consent in electronic health information exchange.  

"Taken together, these two guides are practical playbooks for industry and government to work independently and collaboratively to smooth the path to a -- hopefully very near -- future of automated and computable consent systems," Kevin Day, principal business advisor at Edifecs, and co-chair of The Sequoia Project's privacy and consent workgroup, stated in a press release. 

Bridging the gap between state and federal health data laws 

The Sequoia Project's newly published "Guidance to States: Legislating Technical Standard Definitions for Existing State-Sensitive Health Data Laws," which underwent an extensive public feedback period, stresses the need to align health data laws with national technical standards. 

As interoperability expands across the U.S., there is an increased need to ensure that privacy protections can keep pace without hindering interoperability, the privacy and consent workgroup suggested.  

"Indeed, there is broad and growing agreement across the health IT ecosystem that meeting this challenge requires technical standardization," the publication stated.  

"States, health care providers, health plans, health information networks/exchanges, electronic health record and other technology vendors, privacy advocates, and patient representatives increasingly recognize that without a common, computable way to identify sensitive health data, privacy protections cannot be applied consistently or reliably in digital and networked environments." 

The workgroup suggested that inconsistent data-sharing practices, varying degrees of privacy protections across state lines and differing implementation approaches across jurisdictions only create confusion. 

"Over-protection through blanket restrictions on an entire patient record can create a lose-lose scenario by increasing the risk of a privacy breach, since blocking access to harmless data may signal the presence of sensitive conditions elsewhere in the record, and reducing data sharing below the level the patient would ultimately prefer," the document continued. 

As such, the workgroup championed the development of automated systems that could apply each state's privacy rules and each individual's consent preferences "at a granular level." 

The workgroup aimed for this guidance document to serve as a foundation for creating a common technical language for what constitutes sensitive health data. This language would assign a category to sensitive health data, like a security label, that stays with that data when it is shared, enabling anyone who has it to understand its confidentiality. 

The guidance provided model language for sensitive health data definitions and urged states and other governmental bodies to collaborate and seek funding for infrastructure and technology to support implementation and ensure patient privacy is protected. 

As the patchwork of state and federal health data privacy laws continues to expand, lawmakers and industry leaders must consider how patient consent mechanisms and interoperability efforts will be impacted. 

Operationalizing automated consent 

The second publication, entitled "Operationalizing Automated Consent: Actionable Guidance for Health Care Providers, Payors, and Other Health Care Organizations," is still in the draft stage. Public comments are due to The Sequoia Project by March 13, 2026. 

The document provides health systems and payers with tools for collecting, managing and honoring patient consent in a computable manner that enables automated processing. 

The privacy and consent workgroup began the publication by identifying several chokepoints that contribute to the "widening gap" between policy expectations for seamless data exchange and the realities of managing patient consent. 

Those chokepoints included a patchwork of federal and state consent rules, divergent consent forms that necessitate each organization to invent its own language for consent, literacy hurdles and tension between obtaining consent and avoiding information blocking. 

In response to these hurdles, the workgroup proposed a set of tools, frameworks and use cases that stakeholders can consult to improve consent mechanisms.  

The document contains sample operational resource documents, model policies and workflow templates that support an ideal future state in which computable consent is the norm. The draft publication defined computable consent as a "machine-readable, standards-based representation of an individual's privacy and data-sharing preferences that can be automatically adjudicated and enforced across electronic systems." 

"When implemented properly, these directives generally can be executed automatically, without human interpretation or manual intervention," the draft publication continued. "However, realizing this level of automation requires more than technical capability; it demands coordinated organizational readiness. Therefore, implementing automated consent requires alignment across legal, technical, and governance domains." 

The two new publications from The Sequoia Project demonstrate the organization's clear intentions to modernize consent mechanisms while preserving privacy and enabling interoperability. 

The Sequoia Project said it plans to launch a broader roundtable of stakeholders to advance these efforts in the spring. 

Jill Hughes has covered healthcare cybersecurity and privacy news since 2021.