With a Consent exception (Consent.except) it is possible that the exception is not chaning Permit vs Deny; but is specifying for this exception there is an additional Obligation.

I authorize Dr Bob access, but require that all accesses Dr Bob executes are as Read-Only (not allowing persisting of the data).

Obligations are not common, so an extenstion upon exceptions should be sufficient.

Obligations may or miight not be related to the except.type; so there should be no linkage. Although it is unclear to me how an Obligation would be applied to a Deny exception, so it is possible that Obligations are only allowed wth Permit type exceptions.

Obligations (handling caveots) are part of the HCS, they have a specific meaning different from the tags one uses to identify various sensitive objects. Obligations are access control enforcement actions. (distinct from ConsentActionCodes - actions controlled by the consent or exception). As such they should be separated from AllSecurityLabels for the purpose of the Consent element use.

Unfortunately PurposeOfUse is sometimes a tag on data, sometimes an indication of action being taken, and sometimes a constraint upon use of data (Obligation).

Action: Add an extension on Consent.except to include obligations, pulled from http://www.hl7.org/FHIR/2016Sep/v3/SecurityControlObservationValue/vs.html

Obligation codes - http://www.hl7.org/FHIR/2016Sep/v3/SecurityControlObservationValue/vs.html