FHIR Chat · Accessing Patient related resources via Practitioner's Role · smart

Stream: smart

Topic: Accessing Patient related resources via Practitioner's Role


Volkan Kalın (Jan 19 2022 at 15:53):

Hello everyone,

I am currently implementing an app on top of ibm/fhir. In one of my scenarios there are Practitioner users. And a Practitioner:

  • Can create an Organization and connect its Practitioner resource to this Organization via PractitionerRole.
  • Can also add other Practitioners to the Organization via PractitionerRole.
  • Can create new Patients under the Organization by providing the managingOrganization element.
  • Has read/write access to the Observation records of a Patient who is under his/her Organization.

So an example scenario is:

There are the following resources:

{
  resourceType: 'Organization',
  id: 'Organization1',
  //...
}
{
  resourceType: 'Practitioner',
  id: 'Practitioner1',
  //...
}
{
  resourceType: 'PractitionerRole',
  active: true,
  practitioner: {
    reference: 'Practitioner/Practitioner1'
  },
  organization: {
    reference: 'Organization/Organization1'
  },
  code: [{
    coding: [{
      system: 'http://terminology.hl7.org/CodeSystem/practitioner-role',
      code: 'doctor'
    }]
  }]
  //...
}
{
  resourceType: 'Patient',
  id: 'Patient1',
  managingOrganization: {
    reference: 'Organization/Organization1'
  },
  //...
}
{
  resourceType: 'Observation',
  id: 'Observation1',
  subject: {
    reference: 'Patient/Patient1'
  },
  //...
}

Now let's say a Practitioner wants to get all Observations belonging to the Patients that are under the Organization of this Practitioner.
In other words, the Practitioner reads all Observations by using the chain: Practitioner -> PractitionerRole -> Organization -> Patient -> Observation

  1. To get Organization we use endpoint: /Organization?_has:PractitionerRole:organization:practitioner=Practitioner/{practitioner_id}
  2. So by taking the organization id from the Organization, I will get all the Patients' ids by using the endpoint Patient?organization=Organization/{organization.id}&_elements=id
  3. By using all the Patient ids, I will get all the Observations belonging to those Patients

So for this scenario I have encountered 2 limitations so far:

  • The fhir-smart implementation forces the use of a patient_id claim in the access_token, but instead, what I want is to provide a practitioner_id (related line of code)
  • I couldn't find any logic on fhir-smart module's interceptor which considers the relation between a Compartment and resource (additional example to the scenario above can be: Practitioner ↔ Encounter ↔ Patient).

My questions are:

  1. How much of the limitations I encountered results from the specification itself, and how much is due to a lack of implementation?
  2. Is it possible to configure policy enforcement via fhir resources (e.g. Encounter, Organization and PractitionerRole) while using SMART specifications?
  3. Does this scenario make sense at all under the SMART on FHIR specification?

Lee Surprenant (Jan 21 2022 at 16:38):

Hi Volkan. The spec stops well short of defining a permissions model (which practitioners should have access to which resources). As you pointed out, the IBM FHIR server fhir-smart module uses a patient_id claim on the access token to restrict access to resources related to the patient compartment for one or more patients. This is an internal detail of our implementation... the spec itself does not impose any restrictions on the access token... it is "opaque".


Last updated: Apr 12 2022 at 19:14 UTC