Restricting Access to Patient Data
Create a CompartmentDefinition instance from a standard patient CompartmentDefinition:
PUT /fhir/CompartmentDefinition/Patient
Content-Type: application/json
"resourceType": "CompartmentDefinition",
"id": "Patient",
"url": "",
"name": "Base FHIR compartment definition for Patient",
"status": "draft",
"experimental": true,
"date": "2018-12-27T22:37:54+11:00",
"publisher": "FHIR Project Team",
"contact": [
"telecom": [
"system": "url",
"value": ""
"description": "There is an instance of the patient compartment for each patient resource, and the identity of the compartment is the same as the patient. When a patient is linked to another patient, all the records associated with the linked patient are in the compartment associated with the target of the link.. The set of resources associated with a particular patient",
"code": "Patient",
"search": true,
"resource": [
"code": "Account",
"param": [
"code": "ActivityDefinition"
"code": "AdverseEvent",
"param": [
"code": "AllergyIntolerance",
"param": [
"code": "Appointment",
"param": [
"code": "AppointmentResponse",
"param": [
"code": "AuditEvent",
"param": [
"code": "Basic",
"param": [
"code": "Binary"
"code": "BiologicallyDerivedProduct"
"code": "BodyStructure",
"param": [
"code": "Bundle"
"code": "CapabilityStatement"
"code": "CarePlan",
"param": [
"code": "CareTeam",
"param": [
"code": "CatalogEntry"
"code": "ChargeItem",
"param": [
"code": "ChargeItemDefinition"
"code": "Claim",
"param": [
"code": "ClaimResponse",
"param": [
"code": "ClinicalImpression",
"param": [
"code": "CodeSystem"
"code": "Communication",
"param": [
"code": "CommunicationRequest",
"param": [
"code": "CompartmentDefinition"
"code": "Composition",
"param": [
"code": "ConceptMap"
"code": "Condition",
"param": [
"code": "Consent",
"param": [
"code": "Contract"
"code": "Coverage",
"param": [
"code": "CoverageEligibilityRequest",
"param": [
"code": "CoverageEligibilityResponse",
"param": [
"code": "DetectedIssue",
"param": [
"code": "Device"
"code": "DeviceDefinition"
"code": "DeviceMetric"
"code": "DeviceRequest",
"param": [
"code": "DeviceUseStatement",
"param": [
"code": "DiagnosticReport",
"param": [
"code": "DocumentManifest",
"param": [
"code": "DocumentReference",
"param": [
"code": "EffectEvidenceSynthesis"
"code": "Encounter",
"param": [
"code": "Endpoint"
"code": "EnrollmentRequest",
"param": [
"code": "EnrollmentResponse"
"code": "EpisodeOfCare",
"param": [
"code": "EventDefinition"
"code": "Evidence"
"code": "EvidenceVariable"
"code": "ExampleScenario"
"code": "ExplanationOfBenefit",
"param": [
"code": "FamilyMemberHistory",
"param": [
"code": "Flag",
"param": [
"code": "Goal",
"param": [
"code": "GraphDefinition"
"code": "Group",
"param": [
"code": "GuidanceResponse"
"code": "HealthcareService"
"code": "ImagingStudy",
"param": [
"code": "Immunization",
"param": [
"code": "ImmunizationEvaluation",
"param": [
"code": "ImmunizationRecommendation",
"param": [
"code": "ImplementationGuide"
"code": "InsurancePlan"
"code": "Invoice",
"param": [
"code": "Library"
"code": "Linkage"
"code": "List",
"param": [
"code": "Location"
"code": "Measure"
"code": "MeasureReport",
"param": [
"code": "Media",
"param": [
"code": "Medication"
"code": "MedicationAdministration",
"param": [
"code": "MedicationDispense",
"param": [
"code": "MedicationKnowledge"
"code": "MedicationRequest",
"param": [
"code": "MedicationStatement",
"param": [
"code": "MedicinalProduct"
"code": "MedicinalProductAuthorization"
"code": "MedicinalProductContraindication"
"code": "MedicinalProductIndication"
"code": "MedicinalProductIngredient"
"code": "MedicinalProductInteraction"
"code": "MedicinalProductManufactured"
"code": "MedicinalProductPackaged"
"code": "MedicinalProductPharmaceutical"
"code": "MedicinalProductUndesirableEffect"
"code": "MessageDefinition"
"code": "MessageHeader"
"code": "MolecularSequence",
"param": [
"code": "NamingSystem"
"code": "NutritionOrder",
"param": [
"code": "Observation",
"param": [
"code": "ObservationDefinition"
"code": "OperationDefinition"
"code": "OperationOutcome"
"code": "Organization"
"code": "OrganizationAffiliation"
"code": "Patient",
"param": [
"code": "PaymentNotice"
"code": "PaymentReconciliation"
"code": "Person",
"param": [
"code": "PlanDefinition"
"code": "Practitioner"
"code": "PractitionerRole"
"code": "Procedure",
"param": [
"code": "Provenance",
"param": [
"code": "Questionnaire"
"code": "QuestionnaireResponse",
"param": [
"code": "RelatedPerson",
"param": [
"code": "RequestGroup",
"param": [
"code": "ResearchDefinition"
"code": "ResearchElementDefinition"
"code": "ResearchStudy"
"code": "ResearchSubject",
"param": [
"code": "RiskAssessment",
"param": [
"code": "RiskEvidenceSynthesis"
"code": "Schedule",
"param": [
"code": "SearchParameter"
"code": "ServiceRequest",
"param": [
"code": "Slot"
"code": "Specimen",
"param": [
"code": "SpecimenDefinition"
"code": "StructureDefinition"
"code": "StructureMap"
"code": "Subscription"
"code": "Substance"
"code": "SubstanceNucleicAcid"
"code": "SubstancePolymer"
"code": "SubstanceProtein"
"code": "SubstanceReferenceInformation"
"code": "SubstanceSourceMaterial"
"code": "SubstanceSpecification"
"code": "SupplyDelivery",
"param": [
"code": "SupplyRequest",
"param": [
"code": "Task"
"code": "TerminologyCapabilities"
"code": "TestReport"
"code": "TestScript"
"code": "ValueSet"
"code": "VerificationResult"
"code": "VisionPrescription",
"param": [
Create an AccessPolicy resource that allows all GET requests for /fhir/Patient/*:
PUT /AccessPolicy/allow-to-get-patient-compartment
Content-Type: application/json

{
  "resourceType": "AccessPolicy",
  "id": "allow-to-get-patient-compartment",
  "engine": "json-schema",
  "schema": {
    "type": "object",
    "properties": {
      "uri": {
        "type": "string",
        "pattern": "^/fhir/Patient/"
      },
      "params": {
        "type": "object",
        "required": ["resource/id"],
        "properties": {
          "resource/id": {"constant": {"$data": "#/jwt/pid"}}
        }
      }
    }
  }
}
Put your patient ID value into the pid claim of your JWT. Congratulations, that's all.
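To check what this policy admits before relying on it, the following added example (not part of the original page and not the server's actual policy engine) evaluates the schema above against request contexts. It is a simplified model covering only the keywords the policy uses; the request shape (`uri`, `params`, `jwt`), the sample IDs, and the choice to deny when the `pid` claim is absent are assumptions.

```python
import re

# Policy schema copied from the AccessPolicy above.
POLICY_SCHEMA = {"type": "object", "properties": {
    "uri": {"type": "string", "pattern": "^/fhir/Patient/"},
    "params": {"type": "object", "required": ["resource/id"], "properties": {
        "resource/id": {"constant": {"$data": "#/jwt/pid"}}}},
}}
_MISSING = object()

def resolve_pointer(root, pointer):
    """Follow a '#/a/b' reference through the request context."""
    node = root
    for key in pointer.lstrip("#/").split("/"):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def matches(schema, value, root):
    """Evaluate only the keywords this policy uses (simplified model)."""
    expected_type = {"object": dict, "string": str}.get(schema.get("type"))
    if expected_type and not isinstance(value, expected_type):
        return False
    if "pattern" in schema and not (isinstance(value, str) and re.search(schema["pattern"], value)):
        return False
    if "constant" in schema:
        expected = schema["constant"]
        if isinstance(expected, dict) and "$data" in expected:
            expected = resolve_pointer(root, expected["$data"])
        # Assumption: an unresolved claim denies instead of matching anything.
        if expected is _MISSING or value != expected:
            return False
    if isinstance(value, dict):
        if any(key not in value for key in schema.get("required", [])):
            return False
        for key, sub in schema.get("properties", {}).items():
            if key in value and not matches(sub, value[key], root):
                return False
    return True

def is_allowed(request):
    return matches(POLICY_SCHEMA, request, request)

# Constructed request contexts (sample values, not from the page).
OWN = {"uri": "/fhir/Patient/pt-1", "params": {"resource/id": "pt-1"}, "jwt": {"pid": "pt-1"}}
OTHER = {"uri": "/fhir/Patient/pt-2", "params": {"resource/id": "pt-2"}, "jwt": {"pid": "pt-1"}}
NO_CLAIM = {"uri": "/fhir/Patient/pt-1", "params": {"resource/id": "pt-1"}, "jwt": {}}
```

Running the same three cases (own record, another patient's record, token without a `pid` claim) against the real server confirms the deployed policy behaves the same way.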
