We urge HHS not to pursue a one-size-fits-all use case or technical approach to the issue of consent in advance of policy objectives and requirements. It would be neither practical nor privacy-protective to try to solve the problem of attaining consumer consent through technical specifications that may not take into account various contexts for information sharing, or various relationships that consumers have with different entities. Policies for consent, taken as an important element of a complementary framework for protecting privacy and security, should be articulated. Only with a framework of policies in place can the expectations for technical standards be defined and selected.
Markle Foundation recommends a full complement of privacy and information access policies in its response to the Federal health IT office’s draft on consumer consent requirements.