When patients are asked to share their health data, they typically face a binary choice: share everything, or share nothing.

Sign this release form. Authorize this app. Grant access to your records.

All or nothing.

This model made sense when health information moved on paper. You couldn't easily redact sections of a physical medical record. The logistics of partial sharing were impractical.

But we don't live in that world anymore. And patients are increasingly unwilling to accept all-or-nothing as their only option.

Why Patients Hesitate

Studies consistently show that patients want to engage with digital health tools. They want to share data if it improves their care. But they have legitimate concerns about privacy.

Those concerns aren't abstract. They're specific:

Mental health history. A patient managing depression doesn't want that information shared with an app tracking their fitness goals.

Reproductive health. In a post-Dobbs world, patients are acutely aware that reproductive health information can be sensitive.

Substance use. Someone in recovery might share their cardiac history but not their treatment records from years ago.

Family history. Genetic predispositions and family medical history feel deeply personal. Patients want control over who learns about hereditary conditions.

STI testing. Past test results, even negative ones, feel private in ways that blood pressure readings don't.

When patients can't selectively share, many choose not to share at all. The all-or-nothing model doesn't protect privacy - it prevents participation.

What Granular Consent Looks Like

Granular consent means patients control not just whether to share, but what to share.

By data category: Share medications and lab results, but not behavioral health notes.

By time period: Share records from the last year, not your entire history.

By purpose: Authorize access for a specific research study, not ongoing commercial use.

By duration: Grant access for 30 days, not indefinitely.

This isn't hypothetical. The FHIR standard supports scope-based authorization. The technical capability exists. What's been missing is infrastructure that makes it practical.

The Trust Dividend

When patients have granular control, something shifts: they share more, not less.

This seems counterintuitive. Give people the ability to withhold data, and they'll withhold it, right?

The opposite happens. When patients trust that they control their information - that sharing their medication list doesn't mean exposing their entire history - they're more willing to participate.

We've seen this in our own data. Users who understand they can share selectively engage more deeply with applications. They authorize more data categories over time as trust builds.

The all-or-nothing model optimizes for the first interaction. Granular consent optimizes for the relationship.

Implications for Healthcare Builders

If you're building applications that request patient data, consent UX matters more than you think.

Be specific about what you need. Don't request access to everything if you only need medications. Users notice, and they lose trust.

Explain why you need it. "We need your lab results to track your kidney function" is more compelling than "authorize data access."

Offer choices where possible. Even if your application works best with full data access, consider graceful degradation for patients who want to share less.

Honor time limits. If users authorize 30-day access, respect it. Don't make them hunt for a way to revoke.

Make revocation easy. Users should be able to withdraw access as easily as they granted it.

These aren't just ethical principles, they're competitive advantages. Applications that respect patient autonomy build loyalty. Applications that feel invasive get deleted.

The Regulatory Direction

The 21st Century Cures Act established patient rights to access their data. The logical next step is patient rights to control how that data is shared.

We're seeing early signals. GDPR in Europe enshrined data portability and consent rights. State-level privacy laws in California and elsewhere are extending similar principles to health information.

The regulatory trajectory is clear: patients will have more control, not less. Building for that future now is both the right thing to do and smart positioning.

What We're Building

At Consolidate Health, granular consent is built into our infrastructure. When users authorize data sharing through our API, they can control:

• Which categories of clinical data to share

• How long access remains valid

• Which specific applications receive data

We believe this is how patient data access should work. Not because regulators require it (though they increasingly will), but because it's what your users deserve.

The technology for granular consent exists. The question is whether the industry will use it.