For payer-to-payer interoperability, there's a perceived need to have a patient's consent in order for some payers to allow data to flow from one payer to another, whether that's in a "transition of coverage" scenario, a "parallel coverage" scenario or even theoretically an "eligibility determination" scenario.  This desire for patient consent could occur at the time a linkage between member records is established through $member-match, but it could also occur later, as in some cases a member linkage might exist long before the a particular exchange request and there would be a need for 'current' consent, rather than relying on the consent that established the original linkage (and could since have expired).

Proposal:

Define a standard HTTP header extension that can contain a light-weight Consent resource that conveys the attestation of consent as well as a reference that can be followed up for audit purposes and formal proof if needed.  The consent would convey the following:

• Patient (identified using the clients member id)
• Payer they consented to receive data (identified using ???)
• Payer they consented to release data from (optional - if not specified, then the consent is open-ended and authorizes all prior or concurrent payers)
• A reference to one of two URLs that describe a Da Vinci-wide 'policy for exchange' that consents to either 'all data' or 'non-sensitive data'
• The period of time over which the consent is valid
• A reference that can be used during an audit process that points to the formal consent record (either a URL or identifier).  E.g. to a PDF of a scanned document with wet-ink signature, a pointer to the audit log entry of an electronic consent etc.