The patient must give her/his consent before any of her/his data is made available to the epSOS network. The health professional’s permission to access the patient’s medical data is verified through the data-controlling country  (with respect to the consent given in that country), the national security policy of the specific country, and, if available,  through a patient privacy policy. It is assumed that this step is piggybacked with each data access operation and solely implemented behind the capsule of the national eHealth infrastructures.

The consent is realized through the IHE Basic Patient Privacy Consents (BPPC) profile.

The file is a Clinical Document Architecture (CDA) Level 1 or Level 3 document as specified in the IHE XDS-SD profile, based on the HL7 CDA Standard. 

The HL7 CDA Standard Version 2.0 is based on XML and describes the following three levels: 

• CDA Level 1: Uniform document title and header
• CDA Level 2: Standardized structure of the document (chapter titles) for e.g. anamneses, diagnoses, medications and so on. 
• CDA Level 3: Completely structured document in which individual data fields can be addressed directly (e.g. presentation of laboratory data, blood pressure, etc.)