Restricting Access to Patient Data

First create a CompartmentDefinition for Patient, copied from the standard FHIR patient compartment (canonical URL http://hl7.org/fhir/CompartmentDefinition/patient). For each resource type it lists the search parameters that link a record to a patient; that is what lets a compartment request such as GET /fhir/Patient/<id>/Observation return only that patient's records, and it is the boundary the access policy below keeps each caller inside:

PUT /fhir/CompartmentDefinition/Patient
Content-Type: application/json

    "resourceType": "CompartmentDefinition",
    "id": "Patient",
    "url": "",
    "name": "Base FHIR compartment definition for Patient",
    "status": "draft",
    "experimental": true,
    "date": "2018-12-27T22:37:54+11:00",
    "publisher": "FHIR Project Team",
    "contact": [
            "telecom": [
                    "system": "url",
                    "value": ""
    "description": "There is an instance of the patient compartment for each patient resource, and the identity of the compartment is the same as the patient. When a patient is linked to another patient, all the records associated with the linked patient are in the compartment associated with the target of the link.. The set of resources associated with a particular patient",
    "code": "Patient",
    "search": true,
    "resource": [
            "code": "Account",
            "param": [
            "code": "ActivityDefinition"
            "code": "AdverseEvent",
            "param": [
            "code": "AllergyIntolerance",
            "param": [
            "code": "Appointment",
            "param": [
            "code": "AppointmentResponse",
            "param": [
            "code": "AuditEvent",
            "param": [
            "code": "Basic",
            "param": [
            "code": "Binary"
            "code": "BiologicallyDerivedProduct"
            "code": "BodyStructure",
            "param": [
            "code": "Bundle"
            "code": "CapabilityStatement"
            "code": "CarePlan",
            "param": [
            "code": "CareTeam",
            "param": [
            "code": "CatalogEntry"
            "code": "ChargeItem",
            "param": [
            "code": "ChargeItemDefinition"
            "code": "Claim",
            "param": [
            "code": "ClaimResponse",
            "param": [
            "code": "ClinicalImpression",
            "param": [
            "code": "CodeSystem"
            "code": "Communication",
            "param": [
            "code": "CommunicationRequest",
            "param": [
            "code": "CompartmentDefinition"
            "code": "Composition",
            "param": [
            "code": "ConceptMap"
            "code": "Condition",
            "param": [
            "code": "Consent",
            "param": [
            "code": "Contract"
            "code": "Coverage",
            "param": [
            "code": "CoverageEligibilityRequest",
            "param": [
            "code": "CoverageEligibilityResponse",
            "param": [
            "code": "DetectedIssue",
            "param": [
            "code": "Device"
            "code": "DeviceDefinition"
            "code": "DeviceMetric"
            "code": "DeviceRequest",
            "param": [
            "code": "DeviceUseStatement",
            "param": [
            "code": "DiagnosticReport",
            "param": [
            "code": "DocumentManifest",
            "param": [
            "code": "DocumentReference",
            "param": [
            "code": "EffectEvidenceSynthesis"
            "code": "Encounter",
            "param": [
            "code": "Endpoint"
            "code": "EnrollmentRequest",
            "param": [
            "code": "EnrollmentResponse"
            "code": "EpisodeOfCare",
            "param": [
            "code": "EventDefinition"
            "code": "Evidence"
            "code": "EvidenceVariable"
            "code": "ExampleScenario"
            "code": "ExplanationOfBenefit",
            "param": [
            "code": "FamilyMemberHistory",
            "param": [
            "code": "Flag",
            "param": [
            "code": "Goal",
            "param": [
            "code": "GraphDefinition"
            "code": "Group",
            "param": [
            "code": "GuidanceResponse"
            "code": "HealthcareService"
            "code": "ImagingStudy",
            "param": [
            "code": "Immunization",
            "param": [
            "code": "ImmunizationEvaluation",
            "param": [
            "code": "ImmunizationRecommendation",
            "param": [
            "code": "ImplementationGuide"
            "code": "InsurancePlan"
            "code": "Invoice",
            "param": [
            "code": "Library"
            "code": "Linkage"
            "code": "List",
            "param": [
            "code": "Location"
            "code": "Measure"
            "code": "MeasureReport",
            "param": [
            "code": "Media",
            "param": [
            "code": "Medication"
            "code": "MedicationAdministration",
            "param": [
            "code": "MedicationDispense",
            "param": [
            "code": "MedicationKnowledge"
            "code": "MedicationRequest",
            "param": [
            "code": "MedicationStatement",
            "param": [
            "code": "MedicinalProduct"
            "code": "MedicinalProductAuthorization"
            "code": "MedicinalProductContraindication"
            "code": "MedicinalProductIndication"
            "code": "MedicinalProductIngredient"
            "code": "MedicinalProductInteraction"
            "code": "MedicinalProductManufactured"
            "code": "MedicinalProductPackaged"
            "code": "MedicinalProductPharmaceutical"
            "code": "MedicinalProductUndesirableEffect"
            "code": "MessageDefinition"
            "code": "MessageHeader"
            "code": "MolecularSequence",
            "param": [
            "code": "NamingSystem"
            "code": "NutritionOrder",
            "param": [
            "code": "Observation",
            "param": [
            "code": "ObservationDefinition"
            "code": "OperationDefinition"
            "code": "OperationOutcome"
            "code": "Organization"
            "code": "OrganizationAffiliation"
            "code": "Patient",
            "param": [
            "code": "PaymentNotice"
            "code": "PaymentReconciliation"
            "code": "Person",
            "param": [
            "code": "PlanDefinition"
            "code": "Practitioner"
            "code": "PractitionerRole"
            "code": "Procedure",
            "param": [
            "code": "Provenance",
            "param": [
            "code": "Questionnaire"
            "code": "QuestionnaireResponse",
            "param": [
            "code": "RelatedPerson",
            "param": [
            "code": "RequestGroup",
            "param": [
            "code": "ResearchDefinition"
            "code": "ResearchElementDefinition"
            "code": "ResearchStudy"
            "code": "ResearchSubject",
            "param": [
            "code": "RiskAssessment",
            "param": [
            "code": "RiskEvidenceSynthesis"
            "code": "Schedule",
            "param": [
            "code": "SearchParameter"
            "code": "ServiceRequest",
            "param": [
            "code": "Slot"
            "code": "Specimen",
            "param": [
            "code": "SpecimenDefinition"
            "code": "StructureDefinition"
            "code": "StructureMap"
            "code": "Subscription"
            "code": "Substance"
            "code": "SubstanceNucleicAcid"
            "code": "SubstancePolymer"
            "code": "SubstanceProtein"
            "code": "SubstanceReferenceInformation"
            "code": "SubstanceSourceMaterial"
            "code": "SubstanceSpecification"
            "code": "SupplyDelivery",
            "param": [
            "code": "SupplyRequest",
            "param": [
            "code": "Task"
            "code": "TerminologyCapabilities"
            "code": "TestReport"
            "code": "TestScript"
            "code": "ValueSet"
            "code": "VerificationResult"
            "code": "VisionPrescription",
            "param": [

Then create an AccessPolicy that allows GET requests under /fhir/Patient/<id> (the patient's own record and its compartment, for example /fhir/Patient/<id>/Observation) only when the id in the route equals the pid claim of the caller's JWT:

PUT /AccessPolicy/allow-to-get-patient-compartment
Content-Type: application/json

    "resourceType": "AccessPolicy",
    "id": "allow-to-get-patient-compartment",
    "engine": "json-schema",
    "schema": {
        "type": "object",
        "properties": {
            "uri": {
              "type": "string",
              "pattern": "^/fhir/Patient/"
            "params": {
                "type": "object",
                "required": ["resource/id"],
                "properties": {
                    "resource/id": {"constant": {"$data": "#/jwt/pid"}}

Finally, have your token issuer put the patient's resource id in the pid claim of the JWT it signs for that patient. The policy trusts the claim because the server verifies the token's signature before evaluating it, so only the issuer may set pid; a client that could choose its own pid would simply choose another patient's. That's all.
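To see what the policy actually decides, here is an added example (written for this page, not Aidbox's own code) that mints an HS256 JWT carrying a pid claim, builds the kind of context the schema is evaluated against, and runs constructed requests through the page's schema and a hardened variant that also pins `request-method` and requires `jwt.pid` and `params` to exist. It assumes the context carries the keys the schema references (`uri`, `params` with `resource/id`, `jwt`, plus `request-method`), that the route id is extracted as shown, and it treats a `$data` reference to an absent claim as a denial; the shared secret, patient ids and claims are all constructed. It shows the patient's own paths passing, another patient's id, an id-less search, a token without pid and a token whose pid was rewritten without re-signing all being refused, and the one gap in the uri-plus-id schema: a DELETE on the patient's own record goes through.

```python
import base64, hashlib, hmac, json, re
SECRET = b"example-shared-secret"  # constructed; the issuer and the server share it

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT; stands in for your token issuer."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes):
    """Return the claims of a validly signed HS256 token, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # accept only the algorithm we issue
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, AttributeError):  # wrong segment count, bad base64 or bad JSON
        return None

def _resolve(root, pointer: str):  # '#/jwt/pid' -> (found, value)
    node = root
    for part in pointer.lstrip("#/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node

def validate(schema: dict, data, root) -> bool:
    """The JSON Schema subset these policies use; an absent $data target denies."""
    kind = schema.get("type")
    if (kind == "object" and not isinstance(data, dict)) or (kind == "string" and not isinstance(data, str)):
        return False
    if "pattern" in schema and (not isinstance(data, str) or not re.search(schema["pattern"], data)):
        return False
    if "required" in schema and (not isinstance(data, dict) or any(k not in data for k in schema["required"])):
        return False
    if "constant" in schema:
        want = schema["constant"]
        if isinstance(want, dict) and "$data" in want:
            found, want = _resolve(root, want["$data"])
            if not found:
                return False
        if data != want:
            return False
    return all(validate(sub, data[k], root)
               for k, sub in schema.get("properties", {}).items() if isinstance(data, dict) and k in data)

URI = {"type": "string", "pattern": "^/fhir/Patient/"}
PARAMS = {"type": "object", "required": ["resource/id"],
          "properties": {"resource/id": {"constant": {"$data": "#/jwt/pid"}}}}
# Uri prefix and resource/id == jwt.pid only: no method check, nothing required at top level.
PAGE_POLICY = {"type": "object", "properties": {"uri": URI, "params": PARAMS}}
# Hardened: GET only, and jwt.pid and params must exist instead of leaving an absent claim to the engine.
HARDENED_POLICY = {"type": "object", "required": ["jwt", "params"],
                   "properties": {"request-method": {"constant": "get"}, "uri": URI,
                                  "jwt": {"type": "object", "required": ["pid"]}, "params": PARAMS}}
_ROUTE = re.compile(r"^/fhir/Patient/([^/?]+)")

def build_request(method: str, uri: str, token: str) -> dict:
    """Assumed policy context: method, uri, route params and the verified claims."""
    req = {"request-method": method.lower(), "uri": uri, "params": {}}
    m = _ROUTE.match(uri)
    if m:
        req["params"]["resource/id"] = m.group(1)
    claims = verify_jwt(token, SECRET)
    if claims is not None:  # an unverifiable token yields no jwt key at all
        req["jwt"] = claims
    return req

def decide(method: str, uri: str, token: str) -> tuple:
    """(allowed by the page's schema, allowed by the hardened schema)."""
    req = build_request(method, uri, token)
    return validate(PAGE_POLICY, req, req), validate(HARDENED_POLICY, req, req)

def demo() -> dict:
    own = make_jwt({"sub": "alice", "pid": "pt-123"}, SECRET)
    no_pid = make_jwt({"sub": "alice"}, SECRET)
    head, _, sig = own.split(".")  # attacker rewrites pid but cannot re-sign
    forged_claims = _b64url(json.dumps({"sub": "alice", "pid": "pt-999"}).encode())
    forged = f"{head}.{forged_claims}.{sig}"
    return {
        "get_own_record": decide("GET", "/fhir/Patient/pt-123", own),
        "get_own_observations": decide("GET", "/fhir/Patient/pt-123/Observation", own),
        "get_other_patient": decide("GET", "/fhir/Patient/pt-999", own),
        "search_all_patients": decide("GET", "/fhir/Patient?name=smith", own),
        "delete_own_record": decide("DELETE", "/fhir/Patient/pt-123", own),
        "token_without_pid": decide("GET", "/fhir/Patient/pt-123", no_pid),
        "forged_pid_claim": decide("GET", "/fhir/Patient/pt-999", forged),
    }
```

Call `demo()` to get each case as a pair (page schema, hardened schema). The evaluator here fails closed when `#/jwt/pid` does not exist; do not assume the server's engine does the same, which is the reason the hardened schema lists `jwt` and `params` under `required` instead of relying on that behaviour.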
