Consent & sensitive data
Consent is a first-class part of Rail, not an afterthought. Every grant is explicit, scoped, revocable, and auditable — and especially sensitive data is protected by default.
Patient-directed access
Access in Rail is always directed by the patient. When a patient connects a source through Rail Connect, they see what your application is requesting and approve it. Rail records that approval as a consent: which scopes were granted, when it was granted, when it expires, and a receipt you and the patient can refer back to.
```bash
curl "https://rail.to/api/v1/consents?patient=pat_olivia_martin" \
  -H "Authorization: Bearer sk_sandbox_rail_democare"
```
Patients can revoke at any time. Revocation propagates: the connection stops returning data and an event is emitted so your application can react.
Sensitive categories are excluded by default
Some health information is specially protected — and that protection cuts across data types. A behavioral-health diagnosis is still a condition; an HIV result is still a lab. So Rail treats sensitivity as a separate dimension, applied on top of products and scopes.
Rail recognizes these categories:
| Category | Covers |
|---|---|
| behavioral_health | Mental-health conditions, notes, and medications |
| substance_use | Substance-use treatment records (subject to 42 CFR Part 2) |
| reproductive_sexual_health | Reproductive and sexual-health information |
| hiv | HIV/AIDS-related information |
| genetic | Genetic test results and hereditary risk |
| violence | Domestic and sexual-violence information |
By default, all of these are excluded — even when the broad product that would otherwise include them is granted. A patient who shares their labs does not, by that act, share their HIV result. Including a sensitive category requires the patient to explicitly opt in for that category during consent.
This means your reads are minimum-necessary out of the box. If your use case needs a sensitive category, request it explicitly and the patient decides.
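The following is an added illustration, not Rail's code or API: a minimal model of a consent that grants product scopes, expires, can be revoked, and carries explicit opt-ins for sensitive categories, with one filter applied on top of scopes so that sensitive records are excluded by default. The `Consent` and `Record` shapes, field names and sample records are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# The six sensitive categories the page lists: excluded unless opted in.
SENSITIVE_CATEGORIES = frozenset({
    "behavioral_health", "substance_use", "reproductive_sexual_health",
    "hiv", "genetic", "violence",
})

@dataclass(frozen=True)
class Consent:                                      # hypothetical shape, not Rail's
    scopes: frozenset[str]                          # products granted, e.g. {"labs"}
    expires_at: datetime
    sensitive_opt_in: frozenset[str] = frozenset()  # categories explicitly opted in
    revoked: bool = False
@dataclass(frozen=True)
class Record:                                       # hypothetical shape, not Rail's
    product: str                                    # e.g. "labs"
    label: str
    sensitivity: str | None = None                  # a SENSITIVE_CATEGORIES name, or None

def permits(consent: Consent, record: Record, now: datetime) -> bool:
    """Active (not revoked, not expired), scope granted, sensitive label opted in."""
    if consent.revoked or now >= consent.expires_at or record.product not in consent.scopes:
        return False
    if record.sensitivity is None:
        return True
    # Sensitivity is a second dimension on top of scopes; unknown labels fail closed.
    return (record.sensitivity in SENSITIVE_CATEGORIES
            and record.sensitivity in consent.sensitive_opt_in)

def filter_records(consent: Consent, records: list[Record], now: datetime) -> list[Record]:
    # One filter in front of every read path, so exclusions stay consistent.
    return [r for r in records if permits(consent, r, now)]

NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
# Constructed sample: labs and conditions granted, only "genetic" opted in.
SAMPLE_CONSENT = Consent(scopes=frozenset({"labs", "conditions"}),
                         expires_at=datetime(2025, 6, 1, tzinfo=timezone.utc),
                         sensitive_opt_in=frozenset({"genetic"}))
SAMPLE_RECORDS = [
    Record("labs", "CBC panel"),
    Record("labs", "HIV antibody test", "hiv"),                # no opt-in: excluded
    Record("labs", "BRCA1 panel", "genetic"),                  # opted in: included
    Record("conditions", "Major depressive disorder", "behavioral_health"),
    Record("medications", "Lisinopril"),                       # scope not granted
]

def demo() -> list[str]:
    return [r.label for r in filter_records(SAMPLE_CONSENT, SAMPLE_RECORDS, NOW)]
```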
What this gives your application
- Trust by construction. Patients share precisely what they intend.
- A cleaner compliance story. Purpose of use and consent are explicit and auditable, and the most sensitive data never flows unless deliberately shared.
- No surprises. Excluded data is excluded consistently across every way of reading the record — the simplified view, typed collections, and raw FHIR all honor the same consent.