How to implement Consent-based Access Control using FHIR Search and Aidbox Access Policy
Objectives
Allow the Practitioner to view the Encounters for the Patients who have given Consent.
Before you begin
Set up the local Aidbox instance using the getting-started guide
Consent-based Access Control using FHIR Search and Aidbox Access Policy
Set up the data
Navigate to the AIdbox REST Console.

Create two Practitioners by executing the following requests.
POST /fhir/Practitioner
content-type: application/json
accept: application/json
{
"id": "pr-1",
"name": [
{
"given": [
"TestPractitioner"
]
}
],
"resourceType": "Practitioner"
}
POST /fhir/Practitioner
content-type: application/json
accept: application/json
{
"id": "pr-2",
"name": [
{
"given": [
"TestPractitioner1"
]
}
],
"resourceType": "Practitioner"
}
Create the Patient resource.
POST /fhir/Patient
content-type: application/json
accept: application/json
{
"id": "pt-1",
"name": [
{
"given": [
"John"
],
"family": "Smith"
}
],
"resourceType": "Patient"
}
Create the Observation and Encounter for the Patient.
POST /fhir/Observation
content-type: application/json
accept: application/json
{
"resourceType": "Observation",
"status": "final",
"subject": {
"reference": "Patient/pt-1"
},
"code": {
"coding": [
{
"code": "test-code"
}
]
}
}
POST /fhir/Encounter
content-type: application/json
accept: application/json
{
"resourceType": "Encounter",
"status": "finished",
"subject": {
"reference": "Patient/pt-1"
},
"class": {
"code": "test-code"
}
}
To model the Patient's consent, we will use the FHIR Consent resource.
To model the grantee of the consent, we will use the provision.actor
element:
{
"role": {
"coding": [
{
"code": "GRANTEE"
}
]
},
"reference": {
"reference": "Practitioner/pr-1"
}
}
To model the scope of the consent, we will use scope
element.
For example, the consent for accessing the Observations is modeled as follows:
"scope": {
"coding": [
{
"code": "Observation"
}
]
}
Create the Consent resource that models the permission for the Practitioner pr-1
to access Observations.
POST /fhir/Consent
content-type: application/json
accept: application/json
{
"category": [
{
"coding": [
{
"code": "test category"
}
]
}
],
"patient": {
"reference": "Patient/pt-1"
},
"policyRule": {
"coding": [
{
"code": "cric"
}
]
},
"provision": {
"actor": [
{
"role": {
"coding": [
{
"code": "GRANTEE"
}
]
},
"reference": {
"reference": "Practitioner/pr-1"
}
}
]
},
"resourceType": "Consent",
"scope": {
"coding": [
{
"code": "Observation"
}
]
},
"status": "active"
}
Create the Consent resource that models the permission for the Practitioner pr-2
to access Encounters.
POST /fhir/Consent
content-type: application/json
accept: application/json
{
"category": [
{
"coding": [
{
"code": "test category"
}
]
}
],
"patient": {
"reference": "Patient/pt-1"
},
"policyRule": {
"coding": [
{
"code": "cric"
}
]
},
"provision": {
"actor": [
{
"role": {
"coding": [
{
"code": "GRANTEE"
}
]
},
"reference": {
"reference": "Practitioner/pr-2"
}
}
]
},
"resourceType": "Consent",
"scope": {
"coding": [
{
"code": "Encounter"
}
]
},
"status": "active"
}
Construct the FHIR Search
The FHIR Search that, for the given practitioner, will get all the Observations that have consent from the patients is:
GET /fhir/Consent?actor=pr-1&scope=Observation&_include=Consent:patient&_revinclude:iterate=Observation:subject
content-type: application/json
accept: application/json
You can also try to search the Observations and Encounters for the practitioner pr-2
You can learn more about FHIR Search here: FHIR Search.
Create the AccessPolicy
Assuming that the authentication is configured to have a real end-user session, and we have linked the Aidbox User resource to the Practitioner resource with User.fhirUser
element, the following will be the access policy that allows the FHIR Search above:
PUT /fhir/AccessPolicy/practitioner-consent-based-observation
content-type: application/json
accept: application/json
{
"engine": "matcho",
"id": "practitioner-consent-based-observation",
"link": [
{
"reference": "Operation/FhirSearch"
}
],
"matcho": {
"user": "present?",
"params": {
"actor": ".user.fhirUser.id",
"scope": "Observation",
"_include": "Consent:patient",
"_revinclude:iterate": "Observation:subject"
}
},
"resourceType": "AccessPolicy"
}
You can learn more about different authentication methods here: Authentication.
Last updated
Was this helpful?