FHIR Chat · Service Request for authorization · implementers

Stream: implementers

Topic: Service Request for authorization

Michael Lippens (Feb 18 2022 at 08:54):

I'm just wondering if my implementation makes any sense:

We would use a ServiceRequest to represent an order in a hospital. The created ServiceRequest will then provide access to that patient in our service for the given practitioner if the occurrence field is filled in. It's my first actual implementation of a FHIR service and I was wondering if that makes sense.

Secondly, we would like to also provide authorization in cases where there is not an explicit order in the hospital. In the case where a physician would like to access a file within our system, we would also use a ServiceRequest to express that. Using the identifiers, the integrator could distinguish between actual appointments and just requests to view the file.

Let me know if anything is weird / doesn't make sense. All feedback is appreciated.

René Spronk (Feb 18 2022 at 09:26):

? occurrence is related to the request, so why would that be relevant in deciding to allow the sender of a request 'access to a patient'?

René Spronk (Feb 18 2022 at 09:27):

As for the second aspect: if a request is missing, one could simply create [reverse engineer] it (a kind of filler order), allowing one to use the same mechanism as scenario 1 for authorization

Michael Lippens (Feb 18 2022 at 10:01):

@René Spronk, it is because our integrator wants to control authorization. And the existence of a ServiceRequest that is valid, and given that we are currently within the occurrence's range, could be a way for us to decide whether or not access is allowed within our own system.

Michael Lippens (Feb 18 2022 at 10:05):

The idea to use ServiceRequest is to provide a worklist feature, so that we know what patient is relevant to a physician at what time. That it also manages access is actually a side-effect more or less.

René Spronk (Feb 18 2022 at 10:15):

I'd say that only (a ServiceRequest is accepted by a receiving/executing party) could act as the basis for authorization. Have you looked at Task? That's the direct equivalent of a worklist item.
If you only look at ServiceRequest, I could send a bogus request to you, allowing me to view the patient data. That's a potential security issue (depending on the amount of data I'd be allowed to see - presumably this is limited to the results of whatever it is the request asks for).

Last updated: Apr 12 2022 at 19:14 UTC