terovesalainen - stock.adobe.com

Sequoia Project encourages automated patient consent to boost health data sharing

Through detailed use cases and guidance, The Sequoia Project is laying the groundwork for automated consent rather than the fragmented, manual consent mechanisms that the industry relies on today.

The Sequoia Project's privacy and consent workgroup has published guidance that aims to help healthcare organizations transition from manual patient consent processes to automated, computable consent systems. The guidance addresses the fragmented ways in which patient consent is currently managed and includes a suite of sample operational resource documents, model policies and workflow templates that stakeholders can use based on their organization's specific needs.

The Sequoia Project, which oversees TEFCA implementation, identified several chokepoints that have contributed to what it sees as a "widening gap between policy expectations for seamless data exchange and the operational realities of collecting, managing, and honoring patient consent."

The chokepoints include a "tangled web of federal and state consent rules that even seasoned compliance teams interpret differently," inconsistent consent forms across organizations and the tension between obtaining consent and avoiding information blocking.

The case for computable consent mechanisms

To alleviate these challenges, The Sequoia Project created this new guidance to help stakeholders transition from paper and other manual consent mechanisms to more automated processes.

The Sequoia Project defined "computable consent" as a machine-readable, standards-based representation of a person's privacy and data-sharing preferences that can be automatically enforced across all electronic systems.

The process of computable consent involves encoding a person's consent preferences in an interoperable format, such as the HL7 FHIR Consent Resource.

"When implemented properly, these directives generally can be executed automatically, without human interpretation or manual intervention," the guidance document stated. "However, realizing this level of automation requires more than technical capability; it demands coordinated organizational readiness. Therefore, implementing automated consent requires alignment across legal, technical, and governance domains."

Use case: Consent mechanisms under 42 CFR Part 2

The guidance noted that the volume of possible consent transactions is simply too high to address all in one guidance document. As such, the workgroup chose to focus on one high-impact use case: sharing substance use disorder information for treatment under the newly updated 42 CFR Part 2 final rule, which became enforceable in February 2026.

The final rule further aligned Part 2 rules with HIPAA. Provisions included permitting the use and disclosure of Part 2 records based on patient consent given once for all future uses and disclosures for treatment, payment and operations purposes and permitting the redisclosure of Part 2 records by HIPAA-covered entities and business associates as defined by the HIPAA Privacy Rule.

The Sequoia Project's guidance focused specifically on entities that are subject to Part 2 and are disclosing Part 2 records through a health information network to a HIPAA-covered entity that is not itself a Part 2 program.

"This scenario was selected because it represents a legally significant exchange pattern under the new rules to better align HIPAA and Part 2 requirements," the document stated. "It allows modeling of the end-to-end operational, legal, technical, and governance steps that must be in place before broader adoption across other consent contexts (e.g., payment, public health, or research) can occur."

Throughout the 52-page document, The Sequoia Project outlined how entities in this scenario could use automated consent to manage consent workflows, detailing the governance and oversight activities in the process.

Although much of the document focused on entities subject to Part 2, The Sequoia Project said it saw the document as "laying the foundation for operationalizing automated consent."

"Additional guidance and resources, including technical, will be needed to address other high-impact areas where legal standards and workflows differ," the organization acknowledged.

Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.

Dig Deeper on Health IT optimization