How to implement Consent-based Access Control using FHIR Search and Aidbox Access Policy

Objectives

Allow the Practitioner to view the Encounters for the Patients who have given Consent.

Before you begin

Set up the local Aidbox instance using the getting-started

Set up the data

Navigate to the AIdbox REST Console.

Create two Practitioners by executing the following requests.

POST /fhir/Practitioner
content-type: application/json
accept: application/json

{
  "id": "pr-1",
  "name": [
    {
      "given": [
        "TestPractitioner"
      ]
    }
  ],
  "resourceType": "Practitioner"
}

POST /fhir/Practitioner
content-type: application/json
accept: application/json

{
  "id": "pr-2",
  "name": [
    {
      "given": [
        "TestPractitioner1"
      ]
    }
  ],
  "resourceType": "Practitioner"
}

Create the Patient resource.

POST /fhir/Patient
content-type: application/json
accept: application/json

{
  "id": "pt-1",
  "name": [
    {
      "given": [
        "John"
      ],
      "family": "Smith"
    }
  ],
  "resourceType": "Patient"
}

Create the Observation and Encounter for the Patient.

POST /fhir/Observation
content-type: application/json
accept: application/json

{
  "resourceType": "Observation",
  "status": "final",
  "subject": {
    "reference": "Patient/pt-1"
  },
  "code": {
    "coding": [
      {
        "code": "test-code"
      }
    ]
  }
}

POST /fhir/Encounter
content-type: application/json
accept: application/json

{
  "resourceType": "Encounter",
  "status": "finished",
  "subject": {
    "reference": "Patient/pt-1"
  },
  "class": {
    "code": "test-code"
  }
}

To model the grantee of the consent, we will use the provision.actor element:

{
        "role": {
          "coding": [
            {
              "code": "GRANTEE"
            }
          ]
        },
        "reference": {
          "reference": "Practitioner/pr-1"
        }
      }

To model the scope of the consent, we will use scope element.

For example, the consent for accessing the Observations is modeled as follows:

"scope": {
    "coding": [
      {
        "code": "Observation"
      }
    ]
  }

Create the Consent resource that models the permission for the Practitioner pr-1 to access Observations.

POST /fhir/Consent
content-type: application/json
accept: application/json

{
  "category": [
    {
      "coding": [
        {
          "code": "test category"
        }
      ]
    }
  ],
  "patient": {
    "reference": "Patient/pt-1"
  },
  "policyRule": {
    "coding": [
      {
        "code": "cric"
      }
    ]
  },
  "provision": {
    "actor": [
      {
        "role": {
          "coding": [
            {
              "code": "GRANTEE"
            }
          ]
        },
        "reference": {
          "reference": "Practitioner/pr-1"
        }
      }
    ]
  },
  "resourceType": "Consent",
  "scope": {
    "coding": [
      {
        "code": "Observation"
      }
    ]
  },
  "status": "active"
}

Create the Consent resource that models the permission for the Practitioner pr-2 to access Encounters.

POST /fhir/Consent
content-type: application/json
accept: application/json

{
  "category": [
    {
      "coding": [
        {
          "code": "test category"
        }
      ]
    }
  ],
  "patient": {
    "reference": "Patient/pt-1"
  },
  "policyRule": {
    "coding": [
      {
        "code": "cric"
      }
    ]
  },
  "provision": {
    "actor": [
      {
        "role": {
          "coding": [
            {
              "code": "GRANTEE"
            }
          ]
        },
        "reference": {
          "reference": "Practitioner/pr-2"
        }
      }
    ]
  },
  "resourceType": "Consent",
  "scope": {
    "coding": [
      {
        "code": "Encounter"
      }
    ]
  },
  "status": "active"
}

Construct the FHIR Search

The FHIR Search that, for the given practitioner, will get all the Observations that have consent from the patients is:

GET /fhir/Consent?actor=pr-1&scope=Observation&_include=Consent:patient&_revinclude:iterate=Observation:subject
content-type: application/json
accept: application/json

You can also try to search the Observations and Encounters for the practitioner pr-2

Create the AccessPolicy

Assuming that the authentication is configured to have a real end-user session, and we have linked the Aidbox User resource to the Practitioner resource with User.fhirUser element, the following will be the access policy that allows the FHIR Search above:

PUT /fhir/AccessPolicy/practitioner-consent-based-observation
content-type: application/json
accept: application/json

{
  "engine": "matcho",
  "id": "practitioner-consent-based-observation",
  "link": [
    {
      "reference": "Operation/FhirSearch"
    }
  ],
  "matcho": {
    "user": "present?",
    "params": {
      "actor": ".user.fhirUser.id",
      "scope": "Observation",
      "_include": "Consent:patient",
      "_revinclude:iterate": "Observation:subject"
    }
  },
  "resourceType": "AccessPolicy"
}

PreviousHow to configure Keycloak for access for AidboxUI NextDebug Access Control

Last updated 21 days ago

Was this helpful?