Skip to content

open-consent-web/openconsent

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
.github/workflows
.github/workflows
 
 
sdk
sdk
 
 
server
server
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
package.json
package.json
 
 

Repository files navigation

OpenConsent Protocol

A cryptographic trust layer for FHIR-based health data consent.

CI License: MIT FHIR R4 W3C DID

The problem

When a patient revokes consent in a current EHR system, a database flag changes. Whether that change propagates depends entirely on the implementing vendor. The patient has no cryptographic proof of what was shared, when, or with whom.

IHE's Privacy Consent on FHIR (PCF) defines a consent authorization architecture. It deliberately leaves the trust model to implementers. In practice, that means the EHR vendor is the root of trust — enforced by policy, not by math.

This protocol closes that gap.

What it does

Patient-controlled DID identity. Each patient holds a W3C Decentralized Identifier derived from an Ed25519 keypair. The private key stays on the patient's device.

Signed FHIR R4 Consent resources. Every consent grant is a valid FHIR R4 Consent resource carrying the patient's Ed25519 signature. Any post-hoc modification invalidates the signature. Revocation is itself a signed artifact.

Hash-chained audit log. All consent lifecycle events write to an append-only SHA-256 hash-chained log. Any modification to any entry — including deletion or reordering — breaks the chain. Maps to IHE BALP-compatible FHIR AuditEvent resources, satisfying 45 CFR §164.312(b).

Consent API server. A FastAPI middleware layer that sits between any EHR and any downstream application. Developers call this API to issue, verify, and revoke consent — the cryptographic enforcement happens server-side.

Repository structure

openconsent/
├── sdk/          TypeScript SDK — DID identity, signed FHIR Consent, audit log
└── server/       Python consent API server — FastAPI middleware

Quick start

SDK (TypeScript)

cd sdk && npm install
import { generatePatientIdentity, issueConsent, verifyConsent, AuditLogger } from "@openconsent/sdk";

const patient = await generatePatientIdentity();
// patient.did → "did:health:86tgCygCYCJn2chupLs..."

const grant = await issueConsent(patient, {
  providerDID: "did:health:HolyNameMedicalCenter",
  providerName: "Holy Name Medical Center",
  scopes: ["lab_results", "imaging_reports"],
  durationDays: 90,
});
// grant.fhirConsent → valid FHIR R4 Consent resource

const check = await verifyConsent(grant, patient.publicKey);
// → { valid: true }

API Server (Python)

cd server
pip install -r requirements.txt
uvicorn main:app --reload

API docs available at http://localhost:8000/docs

Register a patient identity:

POST /identity/register
{ "consent_id": "...", "did": "did:health:...", "public_key_hex": "...", "did_document": {...} }

Issue a signed consent grant:

POST /consent/issue
{ "consent_id": "...", "patient_did": "...", "provider_did": "...", "scopes": ["lab_results"], ... }

Verify consent before accessing data:

POST /consent/verify
{ "consent_id": "...", "provider_did": "...", "requested_scope": "lab_results" }
→ { "valid": true, "access_token": "...", "token_expires_at": "..." }

Revoke consent:

POST /consent/revoke
{ "consent_id": "...", "patient_did": "...", "revocation_signature": "..." }

Retrieve and verify audit log:

GET  /audit/{patient_did}
POST /audit/verify/{patient_did}
→ { "valid": true, "entry_count": 7, "head_hash": "..." }

Test results

SDK stress test:         21/21 passed
API integration test:    13/13 passed

Security properties verified:
  ✓ Tampered consent payload rejected
  ✓ Invalid signature rejected (422)
  ✓ Wrong provider DID rejected
  ✓ Out-of-scope access denied
  ✓ Post-revocation access denied
  ✓ Audit chain tamper detection
  ✓ Concurrent independent grants

Cryptographic primitives: Ed25519 · SHA-256 · W3C DID

Relationship to existing standards

This protocol does not replace FHIR, SMART on FHIR, or IHE PCF. It supplies the cryptographic trust layer they leave unspecified.

Standard Provides Leaves open
FHIR R4 Consent Resource structure and semantics Trust model
IHE PCF Consent authorization architecture Cryptographic enforcement
SMART on FHIR OAuth-based access delegation Patient-key-anchored signing
OpenConsent Cryptographic trust model Compatible with all above

Roadmap

v0.1.0 (current) — SDK + API server, DID identity, signed FHIR R4 Consent, cryptographic revocation, hash-chained audit log

v0.2.0 — ZK-SNARK selective disclosure, break-glass emergency access, multi-sig key recovery

v0.3.0 — HL7 Implementation Guide draft, ONC certification pathway documentation

Academic context

This repository is the reference implementation for a protocol specification paper in preparation. Target venues: JAMIA, npj Digital Medicine, NEJM Catalyst.

Working title: OpenConsent: A Patient-Anchored Cryptographic Trust Protocol for FHIR Consent Enforcement

If you work in FHIR security, SSI/DID health identity, or patient-controlled health records and want to collaborate on the specification or manuscript, open an issue.

Contributing

MIT licensed and intentionally open. The goal is HL7 Implementation Guide adoption, not a proprietary standard.

License

MIT — see LICENSE

OpenConsent Protocol v0.1.0 · W3C DID Core · FHIR R4 · Ed25519 · SHA-256 · IHE BALP

About

No description or website provided.

Topics

cryptography healthcare fhir ed25519 hl7 hipaa consent health-data did patient-privacy

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages