Table of Contents |
---|
Rule base type | Description |
---|---|
Based on declaration | Employee with an active declaration can access all the patient's medical data (including person's/preperson's medical data which were merged with person with active declaration). |
Based on managing organization | Employee can read entities, created in his legal entity |
Based on context episode | Employee can read medical data, that was collected during an episode of care, that employee has access to. |
Based on diagnostic report | Employee can read medical data, that was collected as a part of a diagnostic report, managed by the employee's legal entity. |
Based on origin episode | Employee can read medical data, that was collected as a part of a diagnostic report or episode of care, that employee has access to. |
Based on care plan | Employee with active approval on the care plan can read or write the data based on this care plan |
Based on patient | Employee with active approval on the patient can read the data related to this patient (including person's/preperson's medical data which were merged with person ) |
...
Rule: @rule_-2 | Action: @read | (GraphQL only) | ||||||
Scenario: | Base | Resource | Routes | Context | Source of context | Logic |
NHS employee can read patient’s data if he has Justification for monitoring
Given Justification Given Justification on monitoring patient's data given by the user (works only from Admin panel, graphql api) | Based on user token | episode | JustificationFilter schema | patient_id | person_id from JustificationFilter schema | There is an active token & an active justification |
encounter | ||||||
observation | ||||||
condition | ||||||
allergy_intolerance | ||||||
immunization | ||||||
risk_assessment | ||||||
device | ||||||
medication_statement | ||||||
medication_request | ||||||
medication_dispense | ||||||
service_request | ||||||
diagnostic_report | ||||||
procedure | ||||||
medication_administration | ||||||
care_plan | ||||||
activity |
...
Rule: @rule_-1 | Action: @read | ||||||||||
Scenario: | Base | Resource | Routes | Context | Source of context | Logic | ||||
Employee can read insensitive patient’s data | Given User Given User access token with client_type not equal to cabinet | When I When I require read access | Then I Then I can read | Based on user token | allergy_intolerance | by id |
| There is an active token for client_type.name != CABINET | ||
immunization | ||||||||||
risk_assessment | ||||||||||
device | ||||||||||
medication_statement | ||||||||||
specimen |
Rule: @rule_0 | Action: @read | |||||||||
Scenario: | Base | Resource | Routes | Context | Source of context | Logic | |||
Patient can read it's own data | Given Patient Given Patient has access_token given by Cabinet | When I When I require read access | Then I Then I can read | Based on patient token | episode | by id | patient_id | patient_id from URL | There is an active token given by Cabinet to a patient |
encounter | |||||||||
observation | |||||||||
condition | |||||||||
allergy_intolerance | |||||||||
immunization | |||||||||
risk_assessment | |||||||||
device | |||||||||
medication_statement | |||||||||
service_request | |||||||||
diagnostic_report | |||||||||
procedure | |||||||||
medication_administration | |||||||||
care_plan | |||||||||
activity | |||||||||
clinical_impression | |||||||||
specimen |
Rule: @rule_1 | Action: @read | |||||||||
Scenario: | Base | Resource | Routes | Context | Source of context | Logic | |||
Employee with active declaration can read all patient data (including merged persons/prepersons data) | Given Active Given Active declaration with patientin the MSP from token And declaration from the same legal entity | When I When I require read access | Then I Then I can read | Based on declaration and user token | episode | by id | person_id | person_id from URL | There is an active declaration between the patient and the employee in OPS from the same legal entity from token |
by search params | |||||||||
encounter | by id | ||||||||
by search params | |||||||||
by id in episode context | |||||||||
by search params in episode context | |||||||||
observation | by id | ||||||||
by search params | |||||||||
by id in episode context | |||||||||
by search params in episode context | |||||||||
condition | by id | ||||||||
by search params | |||||||||
by id in episode context | |||||||||
by search params in episode context | |||||||||
service_request | by id | ||||||||
by search params | |||||||||
diagnostic_report | by id | ||||||||
by search params | |||||||||
procedure | by id | ||||||||
by search params | |||||||||
medication_administration | by id | ||||||||
by search params | |||||||||
care_plan | by id | ||||||||
by search params | |||||||||
activity | by id | ||||||||
by search params | |||||||||
approval | by id | ||||||||
by search params | |||||||||
clinical_impression | by id | ||||||||
by search params | |||||||||
medication_request_request & medication_request & | by id | ||||||||
by search paramsby search params | |||||||||
device_request | |||||||||
device_dispense | |||||||||
Rule: @rule_2 | Action: @read | |||||||||
Scenario: | Base | Resource | Routes | Context | Source of context | Logic | |||
Employee can read entity created in the employee's legal entity | Given Entity
| When I When I require read access | Then I Then I can read | Based on managing organization | service_request | by id | requester_legal_entity | DB.service_request.managing_organization | managing_organization==id |
by search param | search param {managing_organization} from URL | managing_organization (requester_legal_entity, )==token.client_id | |||||||
episode | by id | managing_organisation + patient_id | DB.episode.managing_organization OR DB.servicediagnostic_requestreport.managing_organization | managing_organization==id | |||||
by search param | search param {managingrequester_legal_organizationentity} from URL | managing_organization (requester_legal_entity, )==token.client_id | episode | by id | managing_organisation + patient_id | DB.episode.managing_organization OR DB.diagnostic_report.managing_organization | managing_organization | ||
care_plan | managing_organisation | DB.care_plan.managing_organization | managing_organization ==token.client_id | ||||||
activity | managing_organisation | DB.care_plan.managing_organization | managing_organization ==token.client_id | ||||||
search param {managing_organization_id} from URL | |||||||||
medication_request_request & medication_request & | by id | legal_entity + patient_id | search param {legal_entity_id} from URL | legal_entity_id==id | |||||
by search paramsearch param {requester_ | legal_entity} from URLmanaging_organization (requester_legal_entity, )_id==token.client_idcare | ||||||||
device_ | planrequest | by id | managing_organisation | DB.care_plan.managing_organization | managing_organization search params | requester_legal_entity | search param {requester_legal_entity} from URL | requester_legal_entity==token.client_id | activity|
by activity id | managing_organisationDB.caredevice_planrequests.managingrequester_legal_organizationentity | managingrequester_legal_ | organization entity==token.client_id | ||||||
device_dispenses | performer_legal_entity | search param {managingperformer_organizationlegal_identity} from URL | medicationperformer_ | request_request& medication_request &legal_entity==token.client_id | |||||
legal_entity + patient_id | search param {legal_entity_id} from URL | legal_entity_id==id | by search param | legal_entity_id(details in person context) | DB.device_requests.performer_legal_entity | performer_legal_entity==token.client_id |
Rule: @rule_3 | Action: @read | |||||||||
Scenario: | Base | Resource | Routes | Context* | Source of context | Logic | |||
Employee can read all the data of episodes created in the employee's legal entity | Given Episode Given Episode context has been created on my legal entity | When I When I require read access | Then I Then I can read | Based on context episode | encounter | by id | episode | DB.encounter.episode | episode.managing_organization==token.client_id |
by search params | search param {episode_id} from URL | ||||||||
by id in episode context | episode_id from URL (path) | ||||||||
by search params in episode context | |||||||||
observation | by id | episode | DB.observation.episode | ||||||
by search params | search param {episode_id} from URL | ||||||||
by id in episode context | episode_id from URL (path) | ||||||||
by search params in episode context | |||||||||
condition | by id | episode | DB.condition.episode | ||||||
by search params | search param {episode_id} from URL | ||||||||
by id in episode context | episode_id from URL (path) | ||||||||
by search params in episode context | |||||||||
service_request | by id | episode | DB.service_request.encounter.episode | ||||||
by search params | search param {episode_id} from URL | ||||||||
by id in episode context | episode_id from URL (path) | ||||||||
by search params in episode context | |||||||||
diagnostic_report | by id | episode | DB.diagnostic_report.encounter.episode | ||||||
by search params | context_episode_id from URL (path) | ||||||||
procedure | by id | episode | DB.procedures.encounter.episode | ||||||
by search params | search param {episode_id} from URL | ||||||||
medication_administration | by id | episode | IF context is encounter THEN: | ||||||
by search params | search param {episode_id} from URL | ||||||||
device | by id | episode | IF context is encounter THEN: | ||||||
by search params | search param {episode_id} from URL | ||||||||
risk_assessment | by id | episode | IF context is encounter THEN: | ||||||
by search params | search param {episode_id} from URL | ||||||||
medication_statement | by id | episode | IF context is encounter THEN: | ||||||
by search params | search param {episode_id} from URL | ||||||||
immunization | by id | episode | IF context is encounter THEN: | ||||||
by search params | search param {episode_id} from URL | ||||||||
allergy_intolerance | by id | episode | IF context is encounter THEN: | ||||||
by search params | search param {episode_id} from URL | ||||||||
allergy_intolerancemedication_request | by id | episode | DB.medication_request.context_episode_id | ||||||
by search params | search param {episode_id} from URL | ||||||||
medication_dispense | by id | episode | IF context is encounter THEN: | ||||||
by search params | search param {episode_id} from URL | ||||||||
medication_request_request | by id | episode | DB.medication_request_request.context_episode_id | ||||||
by search params | search param {episode_id} from URL | ||||||||
medicationclinical_dispenseimpression | by id | episode | DB.medicationclinical_requestimpression.context_episode_id | ||||||
by search params | search param {episode_id} from URL | ||||||||
medication_requestdevice_request | episode | search param {context_episode_id} from URL | episode.managing_organization==token.client_id | ||||||
DB.medication_request_request.device_requests.context_episode_id | device_requests.context_episode_id_id.managing_organization==token.client_id | ||||||||
device_dispense | episode | search param {context_episode_id} from URL | clinical_impressionepisode.managing_organization==token.client_id | ||||||
episode | DB.clinicaldevice_impressiondispenses.context_episode_id | by search params | search param {episode_id} from URLdevice_dispenses.context_episode_id.managing_organization==token.client_id |
Rule: @rule_4 | Action: @read | |||||||||
Scenario: | Base | Resource | Routes | Context | Source of context | Logic | |||
Employee with active approval can read all the data (including merged persons/prepersons data) of specified in approval patient | Given Active Given Active approval on patient | When I When I require read access | Then I Then I can read | Based on patient_id
| episode | patient_id
| patient_id from URL
| There is an active approval on patient’s data granted to the to the employee (one of user's employee) in MongoDB
| |
encounter | |||||||||
observation | |||||||||
condition | |||||||||
service_request | |||||||||
procedure | |||||||||
diagnostic_report | |||||||||
care_plan | |||||||||
activity | |||||||||
clinical_impression | by id | ||||||||
by search params | |||||||||
medication_request_request | by id | ||||||||
by search params | |||||||||
medication_request | by id | ||||||||
by search params | |||||||||
medication_dispensedispense | by id (details in person context) | ||||||||
by search params (by medication request id) | |||||||||
device_request | |||||||||
device_dispense | by search params (by medication request idin patient context | ||||||||
Rule: @rule_5 | Action: @read | |||||||||
Scenario: | Base | Resource | Routes | Context* | Source of context | Logic | |||
Employee with active approval or employees from legal_entity with active approval can read all the data of specified in approval episodes | Given Active Given Active approval on episode | When I When I require read access | Then I Then I can read | Based on context episode | episode | by id |
| There is an active approval on the episode granted to the employee (one of user's employee) OR to the legal_entity (one of legal_entity's employee) in MongoDB | |
encounter | by id | episode | DB.encounter.episode | ||||||
by search params | search param {episode_id} from URL | ||||||||
by id in episode context | episode_id from URL (path) | ||||||||
by search params in episode context | |||||||||
observation | by id | episode | DB.observation.episode | ||||||
by search params | search param {episode_id} from URL | ||||||||
by id in episode context | episode_id from URL (path) | ||||||||
by search params in episode context | |||||||||
condition | by id | episode | DB.condition.episode | ||||||
by search params | search param {episode_id} from URL | ||||||||
by id in episode context | episode_id from URL (path) | ||||||||
by search params in episode context | |||||||||
service request | by id | episode | DB.service_requset.encounter.episode | ||||||
by search params | search param {episode_id} from URL | ||||||||
by id in episode context | episode_id from URL (path) | ||||||||
by search params in episode context | |||||||||
diagnostic_report | by id | episode | DB.diagnostic_report.encounter.episode | ||||||
by search params | search param {episode_id} from URL | ||||||||
medication_administration | by id | episode | IF context is encounter THEN: | ||||||
by search params | search param {episode_id} from URL | ||||||||
procedure | by id | episode | DB.procedures.encounter.episode | ||||||
by search params | search param {episode_id} from URL | ||||||||
medication_request & medication_dispense | by id | episode | DB.medication_request.context_episode_id | ||||||
by search params | search param {episode_id} from URL (can be used with {encounter_id} search param for sort by encounter) | ||||||||
medication_request_request | by id | episode | DB.medication_request_request.context_episode_id | ||||||
by search params | search param {episode_id} from URL (can be used with {encounter_id} search param for sort by encounter) | ||||||||
clinical_impression | by id | episode | DB.clinical_impression.context_episode_id | ||||||
by search params | search param {episode_id} from URL (can be used with {encounter_id} search param for sort by encounter)with {encounter_id} search param for sort by encounter) | ||||||||
device_request | episode | search param {context_episode_id} from URL | |||||||
DB.device_requests.context_episode_id | |||||||||
device_dispense | episode | search param {context_episode_id} from URL | |||||||
DB.device_dispenses.context_episode_id |
Rule: @rule_6 | Action: @read | |||||||||
Scenario: | Base | Resource | Routes | Context* | Source of context | Logic | |||
Employee can read entity originated by episode created in the employee's legal entity | Given Entity Given Entity has been originated by mine legal entity episode | When I When I require read access | Then I Then I can read | Based on origin episode | encounter | by id | origin_episode | DB.encounter.origin_episode | origin_episode.managing_organization==token.client_id |
by search params | Search param {origin_episode_id} from URL | ||||||||
diagnostic repost | by id | origin_episode | DB.diagnostic_report.origin_episode | ||||||
by search params | Search param {origin_episode_id} from URL | ||||||||
procedures | by id | origin_episode | DB.procedures.encounter.episode | ||||||
by search params | search param {episode_id} from URL | ||||||||
device_dispense | origin_episode | Search param {origin | _episode_episode_id} from URL | ||||||
DB.procedures.encounter.episode | by search params | search param {episode_id} from URLdevice_dispense.origin_episode_id |
Rule: @rule_7 | Action: @read | ||||||
Scenario: | Base | Resource | Routes | Context* | Source of context | Logic |
Employee can read all the data of diagnostic report originated by episode created in the employee's legal entity Given Diagnostic Given Diagnostic report context has been originated by mine legal entity episode When I When I require read access Then I Then I can read | Based on origin episode | observation | by id | diagnostic_report | DB.observation.diagnostic_report.origin_episode | origin_episode.managing_organization==token.client_id |
by search params | Search param {diagnostic_report_id} from URL |
Rule: @rule_8 | Action: @read | |||||||||
Scenario: | Base | Resource | Routes | Context* | Source of context | Logic | |||
Employee can read all the data of encounter originated by episode created in the employee's legal entity | Given Encounter Given Encounter context has been originated by mine legal entity episode | When I When I require read access | Then I Then I can read | Based on origin episode | observation | by id | encounter | DB.observation.context.origin_episode | origin_episode.managing_organization==token.client_id |
by search params | Search param {encounter_id} from URL | ||||||||
condition | by id | encounter | DB.condition.context.origin_episode | ||||||
by search params | Search param {encounter_id} from URL | ||||||||
diagnostic_report | by id | encounter | DB.diagnostic_report.encounter.origin_episode | ||||||
by search params | Search param {encounter_id} from URL | ||||||||
medication_administration | by id | encounter | IF context is encounter THEN: | ||||||
by search params | search param {encounter_id} from URL | ||||||||
procedure | by id | encounter | DB.procedures.encounter.episode | ||||||
by search params | search param {encounter_id} from URL | ||||||||
|
|
|
| ||||||
|
| ||||||||
|
|
|
| ||||||
|
| ||||||||
device_dispense | search param by search params in patient context | encounter | Search param {encounter_id} from URL | ||||||
| DB.medicationdevice_request_request.context |
|
|
Rule: @rule_9 | Action: @read | NOT IMPLEMENTED YET | ||||||
Scenario: | Base | Resource | Routes | Context | Source of context | Logic |
Employee with active approval can read data, originated by the episode Given Active Given Active approval on patient When I When I require read access Then I Then I can read |
| encounter |
|
|
|
|
| observation |
|
|
|
| |
| condition |
|
|
|
| |
| service_request |
|
|
|
| |
| diagnostic_report |
|
|
|
|
Rule: @rule_10 | Action: @read | ||||||
Scenario: | Base | Resource | Routes | Context* | Source of context | Logic |
Employee can read all the data of diagnostic report created in the employee's legal entity Given Diagnostic Given Diagnostic report context has been originated by mine legal entity When I When I require read access Then I Then I can read | Based on diagnostic report | observation | by id | diagnostic_report | DB.observation.diagnostic_report.managing_organization | diagnostic_report.managing_organization==token.client_id |
by search params | Search param {diagnostic_report_id} from URL |
Rule: @rule_11 | Action: @read | ||||||||||
Scenario: | Base | Resource | Routes | Context* | Source of context | Logic | ||||
Employee with active approval or employees from legal_entity with active approval can read all the data of specified in approval diagnostic report | Given Active Given Active approval on diagnostic report | When I When I require read access | Then I Then I can read | Based on diagnostic report | observationdiagnostic_report | by id | diagnostic_report | DB.observation.diagnostic_report.managing_organization | There is an active approval on the diagnostic report granted to the employee (one of user's employee) OR to the legal_entity (one of legal_entity's employee | ) in MongoDB) in MongoDB |
observation | by id | diagnostic_report | DB.observation.diagnostic_report.managing_organization | |||||||
by search params | Search param {diagnostic_report_id} from URL |
Rule: @rule_12 | Action: @read | |||||||||
Scenario: | Base | Resource | Routes | Context | Source of context | Logic | |||
Employee with active approval can read the data associated with the care plan | Given Active Given Active approval on care_plan | When I When I require read access | Then I Then I can read | Based on care plan | care_plan | by id | care_plan + patient_id | DB.care_plan.id=approvals.granted_resources[].value | There is an active approval (access_level=read) on the care_plan granted to the employee by the patient (one of user's employee) in MongoDB |
activity | by id | care_plan + patient_id | care_plan_id & patient_id from URL (path) | ||||||
by search params | |||||||||
medication_request_request | by id | care_plan + patient_id | care_plan_id & patient_id from URL (path) | ||||||
by search params | |||||||||
medication_request | by id | care_plan + patient_id | care_plan_id & patient_id from URL (path) | ||||||
by search params | |||||||||
medication_dispense | by id | care_plan + patient_id | care_plan_id & patient_id from URL (path) | ||||||
by search params | |||||||||
device_request | by id | care_plan | DB.device_request.based_on.care_plan[].id=approvals.granted_resources[].value | ||||||
by search params | care_plan & patient_id from URL (path)=approvals.granted_resources[].value.care_plan |
Rule: @rule_13 | Action: @write | ||||||||||
Scenario: | Base | Resource | Routes | Context | Source of context | Logic | ||||
Employee with active write approval can write the data associated with the care plan | Given Active Given Active write approval on care_plan | When I When I require write access | Then I Then I can write | Based on care plan | care_plan |
Cancel | care_plan | DB.care_plan.id=approvals.granted_resources[].value | There is an active approval (access_level=write) on the care_plan granted to the employee by the patient (one of user's employee) in MongoDB | |
Complete | ||||||||||
activity |
Prequalify |
care_plan_id from URL (path) =approvals.granted_resources[].value | ||||||||
Create | ||||||||||
Cancel | ||||||||||
Complete | ||||||||||
|
|
|
| |||||||
| ||||||||||
|
|
|
| |||||||
| ||||||||||
|
|
|
| |||||||
| ||||||||||
medicationdevice_dispenserequest | by id | care_plan + patient_id | DB.device_request.based_on.care_plan[].id=approvals.granted_resources[].value | |||||||
by search params | care_plan | _id & patient_id from URL (path) | ||||||||
| ||||||||||
=approvals.granted_resources[].value.care_plan |
Rule: @rule_14 | Action: @read | ||||||
Scenario: | Base | Resource | Routes | Context | Source of context | Logic |
Employee with active approval on the care plan can read the data based on this care plan |
Given Entity based on care_plan |
When I require read access |
Then I can read | Based on care plan | service_request | by id | care_plan (based_on) + patient_id | DB.service_request.based_on.care_plan[].id=approvals.granted_resources[].value | There is an active approval (access_level=read/ |
by search params | care_plan + patient_id | care_plan_id from URL (search param) & patient_id from path | ||||
encounter | by id | patient_id ->. care_plan (based_on service_request) | DB.encounter.based_on.service_request.based_on.care_plan[].id=approvals.granted_resources[].value OR DB.diagnostic_report.based_on.service_request.based_on.care_plan[].id=approvals.granted_resources[].value OR DB.procedure.based_on.service_request.based_on.care_plan[].id=approvals.granted_resources[].value | |||
diagnostic_report | by id | |||||
procedure | by id | |||||
device_dispense | care_plan (based_on device_request) | DB.device_dispense.based_on.device_request.based_on.care_plan[].id=approvals.granted_resources[].value |
Rule: @rule_15 | Action: @read | ||||||
Scenario: | Base | Resource | Routes | Context* | Source of context | Logic |
Employee with verified unexpired approval on procedure can read all the data of this procedure Given Active approval on procedure When I require read access Then I can read | Based on procedure | procedure | by id | procedure | DB.procedures._id | There is a verified unexpired approval on procedure granted to the employee (one of user's employee) in MongoDB |
Rule: @rule_16 | Action: @read | ||||||
Scenario: | Base | Resource | Routes | Context* | Source of context | Logic |
Rule: @rule_17 | Action: @read | ||||||
Scenario: | Base | Resource | Routes | Context* | Source of context | Logic |
Employee can read all the data associated with the care plan created in the employee's legal entity Given Care plan has been created on my legal entity When I require read access Then I can read
| Based on care plan | activity | care_plan+ patient_id | DB.activities.care_plan[].id | care_plan.managing_organization.id==token.client_id | |
care_plan_id from URL (search param) & patient_id from path | ||||||
medication_request_request |
| DB.medication_request_request.based_on.care_plan[].id | ||||
care_plan_id from URL (search param) & patient_id from path | ||||||
care_plan_id & person_id from URL (search param) | ||||||
medication_request | DB.medication_request.based_on.care_plan[].id | |||||
care_plan_id from URL (search param) & patient_id from path | ||||||
care_plan_id & person_id from URL (search param) | ||||||
service_request | DB.service_request.based_on.care_plan[].id | |||||
care_plan_id from URL (search param) & patient_id from path | ||||||
device_request | DB.device_request.based_on.care_plan[].id | |||||
care_plan_id from URL ('based_on' search param) & patient_id from path | ||||||
encounter | care_plan (based_on service_request)+ patient_id | DB.encounter.based_on.service_request.based_on.care_plan[].id | ||||
diagnostic_report | DB.diagnostic_report.based_on.service_request.based_on.care_plan[].id | |||||
procedure | DB.procedure.based_on.service_request.based_on.care_plan[].id | |||||
medication_dispense | care_plan (based_on medication_request)+ patient_id | DB.medication_dispense.based_on.medication_request.based_on_care_plan_id | ||||
device_dispense | care_plan (based_on device_request)+ patient_id | DB.device_dispense.based_on.device_request.based_on.care_plan[].id |
- all routes need to have patient_id in context as an additional parameter