patient-compartment

patient_compartment Validator Documentation
FHIR Compartment-Based Access Control for Patient Resources

Intent

The patient_compartment validator restricts access to resources explicitly linked to the authenticated patient’s FHIR compartment. This ensures patients can only interact with their own medical data through client applications (e.g., mobile apps, patient portals).

Key Use Cases:

Patients viewing his observations (Observations).
Patients updating their allergy list (AllergyIntolerance).
Patients creating self-reported observations (Observation).

Key Features

Role Enforcement:
- Validates that the client has the Patient role. Requests from non-patient roles (e.g., Practitioner) are denied.
Compartment Membership Check:
- Confirms the requested resource type belongs to the FHIR Patient compartment (e.g., Observation, Condition, MedicationRequest).
Reference Validation:
- For create/update operations, ensures the resource references the patient’s ID (e.g., Observation.subject = Patient/<id>).

Validation Logic

Step	Action	Error If Failed
1	Check `client_role` is `Patient`.	`403 Forbidden` (Invalid role)
2	Verify resource type is in the Patient compartment.	`403 Forbidden` (Invalid compartment)
3	For write operations, validate patient ID in relevant fields (e.g., `subject`, `patient`).	`403 Forbidden` (Reference mismatch)

Example Configurations

1. Read Access to Lab Reports

{
  "client_role": "Patient",
  "entity_name": "DiagnosticReport",
  "operation": "read",
  "validator": "PatientCompartment"
}

Explanation: A patient can read Observations resources only if Observations.subject.reference matches Patient/<their_id>.

2. Create a Blood Pressure Observation

{
  "client_role": "Patient",
  "entity_name": "Observation",
  "operation": "create",
  "validator": "PatientCompartment"
}

Requirements: The Observation body must include:

"subject": {
  "reference": "Patient/<patient_id>"
}

Otherwise, the request is denied.

FHIR References

Patient Compartment Definition:
FHIR R4 Patient Compartment (Official HL7 documentation).
Resource Examples:
- Observation.subject

Use Case: Patient Portal Integration

A diabetes management app uses this validator to let patients:

View glucose readings: Reads Observation resources with code.text = "Glucose" in their compartment.
Log exercise data: Creates Observation resources with subject set to their Patient ID.

Error Handling:

A patient trying to access another patient’s Procedure resource receives a 403 Forbidden response.

Intent​

Key Features​

Validation Logic​

Example Configurations​

1. Read Access to Lab Reports​

2. Create a Blood Pressure Observation​

FHIR References​

Use Case: Patient Portal Integration​