Storing Consent Artefacts

Health Information Users (HIUs) need to be notified about changes to a user's consent: when the user grants or revokes consent, and when a consent expires.

A consent can have different forms:

  1. Grant Consent
  • This is when the user grants consent to the HIU to access the health records or health information.
  2. Revoke Consent
  • This is when the user revokes an earlier granted consent because they want to discontinue sharing their health records or health information.
  • To stay ABDM compliant, HIUs must get rid of the health records and information of users whose consents have been revoked.
  3. Expired Consent
  • This is when a granted consent expires.
  • To stay ABDM compliant, HIUs must get rid of the health records and information of users whose consents have expired.

The following diagram explains the patient consent notification flow from CM to HIU:

%%{init:{"fontSize": "1.0rem", "sequence":{"showSequenceNumbers":true}}}%%
sequenceDiagram
title Consent Notification from CM to HIU
Gateway->>Repository:POST /consents/hiu/notify
activate Repository
Repository-->>HIU System:Notification
note left of Repository: Optional Step: When notifying about <br/> consent being revoked, paused or expired
Repository->>Gateway:POST /consents/hiu/on-notify
deactivate Repository

  • Once the patient grants consent to the HIU, the HIE-CM notifies the HIU system of the consent grant via the gateway.
  • If the patient grants consent for multiple HIPs, multiple consent artefacts are generated, one for each HIP.
  • The HIU then first fetches all the consent artefacts that were generated for its request.

Sample User Experience

The following diagram shows how an HIU requests to fetch the consent artefacts:

%%{init:{"fontSize": "1.0rem", "sequence":{"showSequenceNumbers":true}}}%%
sequenceDiagram
title Fetch Consent Artefact
HIU System-->>Repository:Consent-fetch Request
activate Repository
Repository->>Gateway:POST /consents/fetch
Gateway->>Repository:POST /consents/on-fetch
deactivate Repository
Repository-->>HIU System:Response

Test Cases

| S.No | Function | Functionality | Test Case | Steps To Be Executed |
|---|---|---|---|---|
| 1 | Revoke Consent Request | Mandatory Revoke Consent HIU_FLOW_202 | HIUs should not be able to view health records if the consent is revoked. | 1. Check list of consent requests to view revoked consents. 2. Check if health record is visible in case the consent is revoked. |
| 2 | Expiry of Consent Request | Mandatory Consent Expiry HIU_FLOW_301 | The HIU should not be able to view the health data of an expired consent request | 1. Provide consent with a short expiry period. 2. Check status of consent after expiry. 3. Check if health record is visible to HIU after consent expiry |
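
The two test cases above can be exercised against HIU-side logic like the following. This is an added example, not code from the ABDM documentation: the `ConsentStore` class, the `GRANTED` status name and the payload field names (`notification`, `status`, `consentArtefacts`, `id`) are assumptions made for illustration. It goes one step beyond the notification flow by also enforcing expiry at read time, so a late or lost expiry notification does not leave records viewable.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample notification; field names are assumed, not from the page.
SAMPLE_REVOKE = {"notification": {"status": "REVOKED",
                                  "consentArtefacts": [{"id": "artefact-A"}]}}

class ConsentStore:
    """Hypothetical in-memory stand-in for an HIU's consent and record storage."""

    def __init__(self):
        self.consents = {}  # artefact id -> {"status", "expiry"}
        self.records = {}   # artefact id -> health records fetched under it

    def grant(self, artefact_id, expiry, records):
        self.consents[artefact_id] = {"status": "GRANTED", "expiry": expiry}
        self.records[artefact_id] = list(records)

    def handle_notification(self, payload):
        """Purge data for revoked/expired artefacts; return ids to acknowledge."""
        note = payload["notification"]
        acked = []
        if note["status"] not in ("REVOKED", "EXPIRED"):
            return acked
        for artefact in note["consentArtefacts"]:
            art_id = artefact["id"]
            self.records.pop(art_id, None)  # delete the data before anything else
            if art_id in self.consents:
                self.consents[art_id]["status"] = note["status"]
            acked.append(art_id)
        return acked

    def view_records(self, artefact_id, now=None):
        """Return records only while the consent is granted and unexpired."""
        now = now or datetime.now(timezone.utc)
        consent = self.consents.get(artefact_id)
        if consent is None or consent["status"] != "GRANTED":
            return None
        if now >= consent["expiry"]:
            # The expiry notification may arrive late: enforce it locally too.
            self.records.pop(artefact_id, None)
            consent["status"] = "EXPIRED"
            return None
        return self.records.get(artefact_id)

if __name__ == "__main__":
    store = ConsentStore()
    store.grant("artefact-A", datetime.now(timezone.utc) + timedelta(days=1), ["report-1"])
    print(store.handle_notification(SAMPLE_REVOKE), store.view_records("artefact-A"))
```

The list returned by `handle_notification` is the set of artefact ids the HIU would then acknowledge through the on-notify call shown in the diagram.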

API Information Request Response

1. Patient Consent notification

BASE URLs: https://your-hrp-server.com

2. Consent Notifications For Revoked/Expired

BASE URLs: https://dev.abdm.gov.in/gateway

This API is called by the HIU to acknowledge consent notifications, specifically when consent is REVOKED or EXPIRED.

3. Fetching the consent artefact

BASE URLs: https://dev.abdm.gov.in/gateway

Note: The “consentId” in the request body is the consent artefact id.

4. Acknowledgement For Fetching the consent artefact

BASE URLs: https://your-hrp-server.com

Result of fetch request for a consent artefact