Objectives
Allow the Practitioner to view the Encounters for the Patients who have given Consent.
Before you begin
Set up the local Aidbox instance using the getting-started guide.
Consent-based Access Control using FHIR Search and Aidbox Access Policy
Set up the data
Navigate to the Aidbox REST Console.
Create two Practitioners by executing the following requests.
POST /fhir/Practitioner
content-type: application/json
accept: application/json

{
  "id": "pr-1",
  "name": [
    {
      "given": [
        "TestPractitioner"
      ]
    }
  ],
  "resourceType": "Practitioner"
}
POST /fhir/Practitioner
content-type: application/json
accept: application/json

{
  "id": "pr-2",
  "name": [
    {
      "given": [
        "TestPractitioner1"
      ]
    }
  ],
  "resourceType": "Practitioner"
}
Create the Patient resource.
POST /fhir/Patient
content-type: application/json
accept: application/json

{
  "id": "pt-1",
  "name": [
    {
      "given": [
        "John"
      ],
      "family": "Smith"
    }
  ],
  "resourceType": "Patient"
}
Create the Observation and Encounter for the Patient.
POST /fhir/Observation
content-type: application/json
accept: application/json

{
  "resourceType": "Observation",
  "status": "final",
  "subject": {
    "reference": "Patient/pt-1"
  },
  "code": {
    "coding": [
      {
        "code": "test-code"
      }
    ]
  }
}
POST /fhir/Encounter
content-type: application/json
accept: application/json

{
  "resourceType": "Encounter",
  "status": "finished",
  "subject": {
    "reference": "Patient/pt-1"
  },
  "class": {
    "code": "test-code"
  }
}
To model the grantee of the consent, we will use the provision.actor element:
{
  "role": {
    "coding": [
      {
        "code": "GRANTEE"
      }
    ]
  },
  "reference": {
    "reference": "Practitioner/pr-1"
  }
}
To model the scope of the consent, we will use the scope element.
For example, the consent for accessing the Observations is modeled as follows:
"scope": {
  "coding": [
    {
      "code": "Observation"
    }
  ]
}
Create the Consent resource that models the permission for the Practitioner pr-1 to access Observations.
POST /fhir/Consent
content-type: application/json
accept: application/json

{
  "category": [
    {
      "coding": [
        {
          "code": "test category"
        }
      ]
    }
  ],
  "patient": {
    "reference": "Patient/pt-1"
  },
  "policyRule": {
    "coding": [
      {
        "code": "cric"
      }
    ]
  },
  "provision": {
    "actor": [
      {
        "role": {
          "coding": [
            {
              "code": "GRANTEE"
            }
          ]
        },
        "reference": {
          "reference": "Practitioner/pr-1"
        }
      }
    ]
  },
  "resourceType": "Consent",
  "scope": {
    "coding": [
      {
        "code": "Observation"
      }
    ]
  },
  "status": "active"
}
Create the Consent resource that models the permission for the Practitioner pr-2 to access Encounters.
POST /fhir/Consent
content-type: application/json
accept: application/json

{
  "category": [
    {
      "coding": [
        {
          "code": "test category"
        }
      ]
    }
  ],
  "patient": {
    "reference": "Patient/pt-1"
  },
  "policyRule": {
    "coding": [
      {
        "code": "cric"
      }
    ]
  },
  "provision": {
    "actor": [
      {
        "role": {
          "coding": [
            {
              "code": "GRANTEE"
            }
          ]
        },
        "reference": {
          "reference": "Practitioner/pr-2"
        }
      }
    ]
  },
  "resourceType": "Consent",
  "scope": {
    "coding": [
      {
        "code": "Encounter"
      }
    ]
  },
  "status": "active"
}
Construct the FHIR Search
The following FHIR Search returns, for the given practitioner, all the Observations of the patients who have given consent:
GET /fhir/Consent?actor=pr-1&scope=Observation&_include=Consent:patient&_revinclude:iterate=Observation:subject
content-type: application/json
accept: application/json
You can also try searching the Observations and Encounters for the practitioner pr-2.
Create the AccessPolicy
Assuming that authentication is configured to produce a real end-user session, and that the Aidbox User resource is linked to the Practitioner resource through the User.fhirUser element, the following access policy allows the FHIR Search above:
PUT /fhir/AccessPolicy/practitioner-consent-based-observation
content-type: application/json
accept: application/json

{
  "engine": "matcho",
  "id": "practitioner-consent-based-observation",
  "link": [
    {
      "reference": "Operation/FhirSearch"
    }
  ],
  "matcho": {
    "user": "present?",
    "params": {
      "actor": ".user.fhirUser.id",
      "scope": "Observation",
      "_include": "Consent:patient",
      "_revinclude:iterate": "Observation:subject"
    }
  },
  "resourceType": "AccessPolicy"
}
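An added example, not taken from the Aidbox documentation: a small in-memory model of the search and of the access policy above, run over the tutorial's sample data, showing why the policy pins actor to the caller's own Practitioner id. The function names, the obs-1 and enc-1 ids, and the exact-match reading of the matcho params are assumptions made for the illustration.

```python
# Constructed in-memory copies of the tutorial's resources. The Observation
# and Encounter ids are made up; on the page the server assigns them.
CLINICAL = [
    {"resourceType": "Observation", "id": "obs-1", "subject": "Patient/pt-1"},
    {"resourceType": "Encounter", "id": "enc-1", "subject": "Patient/pt-1"},
]
CONSENTS = [
    {"patient": "Patient/pt-1", "actor": "Practitioner/pr-1", "scope": "Observation"},
    {"patient": "Patient/pt-1", "actor": "Practitioner/pr-2", "scope": "Encounter"},
]


def policy_allows(fhir_user_id, params):
    """Simplified stand-in for the matcho block: each pinned param must match."""
    pinned = {
        "actor": fhir_user_id,  # stands in for .user.fhirUser.id
        "scope": "Observation",
        "_include": "Consent:patient",
        "_revinclude:iterate": "Observation:subject",
    }
    return all(params.get(k) == v for k, v in pinned.items())


def consent_search(params):
    """Model of the Consent search; returns only the reverse-included resources."""
    rev_type = params["_revinclude:iterate"].split(":")[0]
    hits = [c for c in CONSENTS
            if c["actor"] == "Practitioner/" + params["actor"]
            and c["scope"] == params["scope"]]
    patients = {c["patient"] for c in hits}  # _include=Consent:patient
    return sorted(r["resourceType"] + "/" + r["id"] for r in CLINICAL
                  if r["resourceType"] == rev_type and r["subject"] in patients)


def request(fhir_user_id, params):
    """Return the search result, or None when the policy rejects the request."""
    return consent_search(params) if policy_allows(fhir_user_id, params) else None


QUERY = {"actor": "pr-1", "scope": "Observation",
         "_include": "Consent:patient",
         "_revinclude:iterate": "Observation:subject"}

if __name__ == "__main__":
    print(request("pr-1", QUERY))                       # pr-1 sends its own id
    print(request("pr-2", QUERY))                       # pr-2 sends pr-1's id
    print(request("pr-2", {**QUERY, "actor": "pr-2"}))  # pr-2 sends its own id
```

Like the query on this page, the model does not filter on Consent.status. An Encounter search for pr-2 would need its own policy with scope and _revinclude:iterate pinned to Encounter.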