
Is it possible to do authorization / access control in a FHIR store? Let me show one example:

The insurance company receives clinical information from 3 different partners, but the company needs to create a different role for each one.

  1. So, the first partner can GET any patient and POST only the Encounter resource.
  2. The second partner can GET several patients and POST Encounter and Condition resources.
  3. The third partner can GET some patients and PUT some elements in the Condition resource.

1 Answer

Each partner would be responsible for authenticating the insurance company. This might be through mutual TLS certificate verification, OAuth or some other means. Once the insurance company has authenticated, the clinical system would determine what 'authorization' the company had. Every data source has full control over determining what a given requester has authorization to receive. Ideally, the server will expose a distinct CapabilityStatement to the requester after they've authenticated that reflects what they are allowed to do. Any requests that are not permitted will result in an appropriate error or will result in the data returned being appropriately filtered. The determination of what sort of filtering happens is managed by internal business rules and is not defined by FHIR, though in some cases, FHIR resources such as Contract or Consent may include terms that will influence the filtering.

Lloyd McKenzie
  • Thanks @LloydMcKenzie for the answer! So, I understood your post, but it isn't clear to me how I can do it in my environment. Can you share any example with me? – Rodrigo Ruas Jun 10 '20 at 17:03
    You can take a look at some of the reference implementation FHIR servers, but in the end it's a question of writing code. Exactly what you do will depend on how you authenticate the client. At some layer between receiving a request and returning results you'll have to write custom code that evaluates what that client is allowed to do and filters your response accordingly. – Lloyd McKenzie Jun 10 '20 at 21:56
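The answer and its comment describe the pattern rather than code: authenticate the client, look up what that client is allowed to do, reject requests that are not permitted, filter the data that is returned, and advertise a per-client CapabilityStatement. The following is an added example of that custom layer, written for this page and not taken from the answer, the question, or any FHIR reference server. It assumes authentication has already happened upstream (mutual TLS, OAuth, or similar) and that the server passes in a `client_id`; the partner names, patient ids, the policy table and the field-level restriction on PUT are all constructed to mirror the three roles in the question.

```python
"""Per-client authorization in front of a FHIR server (added example).

Assumptions (not from the original post): the client is already
authenticated and identified by `client_id`; POLICY, the partner names,
patient ids and the "allowed_fields" restriction for PUT are constructed
for illustration only.
"""
from dataclasses import dataclass
from typing import Optional

# HTTP method -> FHIR interaction codes advertised in CapabilityStatement
INTERACTION = {"GET": ("read", "search-type"), "POST": ("create",), "PUT": ("update",)}


@dataclass(frozen=True)
class Rule:
    method: str                                  # HTTP method the partner may use
    resource_type: str                           # FHIR resource type the rule covers
    patient_ids: Optional[frozenset] = None      # None = any patient
    allowed_fields: Optional[frozenset] = None   # PUT only: elements the partner may change


# Constructed policy mirroring the three roles in the question.
SCOPE_TWO = frozenset({"p1", "p2", "p3"})
POLICY = {
    "partner-one": (Rule("GET", "Patient"),
                    Rule("POST", "Encounter")),
    "partner-two": (Rule("GET", "Patient", SCOPE_TWO),
                    Rule("POST", "Encounter", SCOPE_TWO),
                    Rule("POST", "Condition", SCOPE_TWO)),
    "partner-three": (Rule("GET", "Patient", frozenset({"p1"})),
                      Rule("PUT", "Condition", frozenset({"p1"}),
                           allowed_fields=frozenset({"clinicalStatus", "note"}))),
}


def patient_of(resource: dict) -> Optional[str]:
    """Patient id a resource belongs to: Patient.id, or subject.reference for others."""
    if resource.get("resourceType") == "Patient":
        return resource.get("id")
    ref = resource.get("subject", {}).get("reference", "")
    return ref.split("/", 1)[1] if ref.startswith("Patient/") else None


def authorize(client_id: str, method: str, resource_type: str,
              patient_id: Optional[str] = None, resource: Optional[dict] = None,
              existing: Optional[dict] = None) -> tuple:
    """Return (status, reason): 200 allowed, 403 denied, 401 unknown client.

    `patient_id` is the instance being read; `resource` is the body of a
    POST/PUT; `existing` is the stored version a PUT would overwrite.
    """
    rules = POLICY.get(client_id)
    if rules is None:
        return 401, "unknown client"
    pid = patient_id if patient_id is not None else (patient_of(resource) if resource else None)
    for rule in rules:
        if rule.method != method or rule.resource_type != resource_type:
            continue
        scoped = rule.patient_ids is not None
        if scoped and pid is None and method != "GET":
            return 403, "cannot determine patient for a scoped write"
        if scoped and pid is not None and pid not in rule.patient_ids:
            return 403, f"patient {pid!r} outside scope"
        if method == "PUT" and rule.allowed_fields is not None:
            base = existing or {}
            changed = {k for k in set(resource) | set(base) if resource.get(k) != base.get(k)}
            disallowed = changed - rule.allowed_fields
            if disallowed:
                return 403, f"may not change {sorted(disallowed)}"
        return 200, "allowed"   # GET with pid None is a search; filter_bundle trims it
    return 403, f"{method} {resource_type} not permitted"


def filter_bundle(client_id: str, bundle: dict) -> dict:
    """Drop searchset entries the client may not read instead of erroring."""
    kept = []
    for entry in bundle.get("entry", []):
        res = entry["resource"]
        pid = patient_of(res)
        if pid is None:
            continue   # cannot attribute the entry to a patient: do not disclose it
        if authorize(client_id, "GET", res["resourceType"], patient_id=pid)[0] == 200:
            kept.append(entry)
    return {**bundle, "entry": kept, "total": len(kept)}


def capability_statement(client_id: str) -> dict:
    """Minimal CapabilityStatement listing only the interactions this client may use."""
    by_type = {}
    for rule in POLICY.get(client_id, ()):
        by_type.setdefault(rule.resource_type, set()).update(INTERACTION[rule.method])
    return {
        "resourceType": "CapabilityStatement", "status": "active", "kind": "instance",
        "date": "2020-06-10", "fhirVersion": "4.0.1", "format": ["json"],
        "rest": [{"mode": "server",
                  "resource": [{"type": t, "interaction": [{"code": c} for c in sorted(codes)]}
                               for t, codes in sorted(by_type.items())]}],
    }


if __name__ == "__main__":
    enc = {"resourceType": "Encounter", "subject": {"reference": "Patient/p9"}}
    print(authorize("partner-one", "POST", "Encounter", resource=enc))   # (200, 'allowed')
    print(authorize("partner-two", "POST", "Encounter", resource=enc))   # 403: p9 out of scope
    print(capability_statement("partner-three")["rest"][0]["resource"])
```

The point of the split between `authorize` and `filter_bundle` is the one the answer makes: a request that is not permitted at all gets an error, while a search that is permitted in principle returns only the entries the client is allowed to see. Keeping the policy in one table also makes the per-client CapabilityStatement a derived artefact rather than a second copy of the rules.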