FHIR Chat · How to solve Family member use case · implementers

Stream: implementers

Topic: How to solve Family member use case


Prashanth Ambalavanan (Mar 07 2021 at 23:58):

Hello All - I am working to solve the consent model for the dependents use case. We have a primary insurance holder and also many family members/dependents under the primary holder. The primary member wants to see all of their family members' data in the SMART app. We are planning to build a consent management app which lists the primary holder and also all of the dependents' information. The primary holder can provide different consent for himself and can choose a different set of consents for the dependents. I am having challenges in solving the OAuth authorization in this case.
Since there can be only one patient ID sent alongside the access_token, how do we address this use case?

1) Does the SMART app need to initialize the authentication process every time it switches the patient and obtain tokens specific to the patient of interest (i.e. at a given point in time the consent can be provided for only one person and not multiple users)?
OR
2) Do we design the FHIR API to allow dependent information to be accessed by using the access_token of the primary holder? (In this case the association and validation of primary-to-dependent is managed by the resource server/API itself.)

Appreciate your support. Thanks.

Regards,
Prashanth.

Lloyd McKenzie (Mar 08 2021 at 00:14):

You might want to raise this on the #smart stream

Josh Mandel (Mar 08 2021 at 00:52):

You can get this behavior with user/ scopes. When an app asks for something like user/Patient.read, the authorization server can prompt the user to approve specific records (or all people in the family).

Prashanth Ambalavanan (Mar 08 2021 at 03:23):

Thanks @Josh Mandel. If I want to provide different consent for each family member, will the SMART app have multiple access_tokens, one for each member in the family, with the corresponding scopes approved? I am unsure if the SMART app can support storing multiple access_tokens if we use OAuth SDKs.

Also, how does the SMART client app know which family member the access_token with user/ scope is tied to? I would assume it would use the patientId claim?

Michele Mottini (Mar 08 2021 at 14:00):

When using user/ scopes the app will query 'all patients' (i.e. GET [base]/Patient) to get the list of all patients that are accessible. It is up to the server to respond correctly and implement any restrictions selected by the user during authorization (such information can be stored or associated with the issued access token).

Michele Mottini (Mar 08 2021 at 14:01):

CAVEAT: most applications do not support that behavior; they use launch/patient and patient/ access scopes and handle one patient at a time.

Michele Mottini (Mar 08 2021 at 14:02):

(To be clear: in both cases there will be only a single access token.)

Prashanth Ambalavanan (Mar 08 2021 at 21:39):

Thanks @Michele Mottini


Last updated: Apr 12 2022 at 19:14 UTC