Stream: smart
Topic: Switching patient context for provider launch
Sagar Shah (Mar 12 2021 at 14:35):
Hello everyone,
During post login with launch/patient, when a patient has been chosen from patient picker and tokens have been issued, if user wants to switch the patient, what are the recommended options?
Can we display patient picker somehow on client app without performing oauth login again? How and when app can request that?
Is it something that app would generally use to trigger that oauth login flow to display patient picker?
Any suggestions?
Michele Mottini (Mar 12 2021 at 14:54):
App has to initiate a new authorization sequence. The token it has allow access only to the selected patient, so all the other patients are not accessible that prevent any patient-picker to be in the app itself
Sagar Shah (Mar 12 2021 at 15:04):
Thanks @Michele Mottini . That was my thought too. Now, if the app also has user/Patient.read access and has a capability select patient from FHIR search API, can it have access to FHIR record of that patient without requesting for oauth login and access token (with patient field into it) flow?
Michele Mottini (Mar 12 2021 at 15:11):
Yes, app could use user scopes, and then typically not use launch/patient and do everything app-side: get all the accessible patient with a GET [base]/Patient query and do patient selection or get data for all of them
The server must support user scopes and patient searches without any parameters
It is a workflow that is not widely supported nor used (eg CARIN mandates only the patient one for example)
Sagar Shah (Mar 12 2021 at 15:28):
Thank you @Michele Mottini for clarifying! I think from Cures 21 Century Act, we may need to support both patient and user scopes on FHIR servers
Gary Sole (Apr 16 2021 at 16:45):
So, if I am an authorized representative, and I go through the launch scope, authenticate myself and select a patient. I can now see the content for that patient. Now, I want to select another patient - I need to go through the launch scope again, authenticate myself, provide consent again and select a different patient. Then if I want to go back to the previous patient, or go to a third patient, do I have to launch again, authenticate again, consent again and select different patient. Just trying to understand how SMART supports the authorized representative scenario. Thanks
Gary Sole (Apr 16 2021 at 16:47):
Would a GET [base]/Patient not just get the resource for the requested or token based patient. To get multiple patients, you need multiple tokens since each token only has reference to one patient.
Josh Mandel (Apr 16 2021 at 16:55):
An app can opt into either behavior:
- Request
patient/scopes and re-launch for each patient - Request
user/scopes and launch just once
Gary Sole (Apr 16 2021 at 20:55):
If the app user is an authorized rep user/ scopes - launched once - how is the patient selected. Does the RelatedPerson resource need to contain a list of all available patients for the user?
Gary Sole (Apr 16 2021 at 20:59):
Suggestion for SMART v2 - allow launch context for authorized rep with response that includes multiple patient identifiers - app make API calls for all supplied patients with the same scope granted by the patients during the authorized representative process created by the EHR
Michele Mottini (Apr 16 2021 at 21:01):
In the user scope, launch just once case the app does a 'give me all patients' search (GET [base]/Patient) that returns all patient that the user can access
Gary Sole (Apr 19 2021 at 14:07):
Thanks - does the app need to know the user is an authorized rep rather than a patient?
Josh Mandel (Apr 19 2021 at 14:20):
In the general case, the app might not even need to know who the user is. But if the app does need to know who the user is, the openid fhirUser Scopes can request this information. It should be clear whether the user is the patient or not by comparing the patient ID received versus the fhir user received.
Last updated: Apr 12 2022 at 19:14 UTC
