Table of Contents | ||||
---|---|---|---|---|
minLevel | 1 | |||
Table of Contents | ||||
|
Purpose
This WS is designed to create approval on entity, which aggregate other entities (episode_of_care, diagnostic_report, care_plan), OR forbidden group OR diagnoses group, OR on service_request including it’s permitted_resources OR on cancel for encounter and procedure OR patient.
Approvals are processed in the async way
Only authenticated and authorized employees with appropriate scope can create approval.
Approvals with “write” access give “read” access by default. Employee with verified not expired approval with “write” access will be able to read data of specified in approval medical_event (if is possible according to ABAC-rules)
Specification
Page Properties | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Input parameters
Input parameter | Values | Type | Description | Example |
---|---|---|---|---|
patient_id | String | mpi_id. Required | aff00bf6-68bf-4b49-b66d-f031d48922b3 |
Request structure
See on Apiary
Example:
Expand | ||
---|---|---|
| ||
|
Authorize
Verify the validity of access token
in case of error - return 401 (“Invalid access token”) in case of validation fails
Verify that token is not expired
in case of error - return 401 (“Invalid access token”)
Check user scopes in order to perform this action (scope = 'approval:create ')
return 403 (“Your scope does not allow to access this resource. Missing allowances: approval:create ”) in case of invalid scope(s)
Headers
Наприклад:
Content-Type:application/json
Authorization:Bearer d368a4b0-4a0e-457a-b267-32359fa6288f
Request data validation
Validate user
Granted_to.employee_id should be active
in case of error - return 422 “Should be active“
Check if employee from the same legal entity as user:
client_id from token should be linked with employee_id from granted_to object.
in case of error - return 422 “Employee <employee_id> doesn't belong to your legal entity“
Check employee_type is from list of employee types configuration CREATE_APPROVAL_ALLOWED_EMPLOYEE_TYPES
in case of error - return 422 “Invalid employee type“
Validate resources or block of resources
Approvals are processed in the async way
Validate resources
...
|
Authorize
Verify the validity of access token
in case of error - return 401 (“Invalid access token”) in case of validation fails
Verify that token is not expired
in case of error - return 401 (“Invalid access token”)
Check user scopes in order to perform this action (scope = 'approval:create ')
return 403 (“Your scope does not allow to access this resource. Missing allowances: approval:create ”) in case of invalid scope(s)
Headers
Наприклад:
Content-Type:application/json
Authorization:Bearer d368a4b0-4a0e-457a-b267-32359fa6288f
Request data validation
Validate user
Granted_to.employee_id should be active
in case of error - return 422 “Should be active“
Check if employee from the same legal entity as user:
client_id from token should be linked with employee_id from granted_to object.
in case of error - return 422 “Employee <employee_id> doesn't belong to your legal entity“
Check employee_type is from list of employee types configuration CREATE_APPROVAL_ALLOWED_EMPLOYEE_TYPES
in case of error - return 422 “Invalid employee type“
Validate resources or block of resources
Approvals are processed in the async way
Validate resources
if episode_of_care is presented in request as the code of resource
Check episode_of_care in the request exists and is in active or closed status in DB
in case of error return - 422 (Episode is canceled)
Check if resource from granted_to = 'employee':
in case of error return - 422 ("$.resource. value is not allowed in enum")
if diagnostic_report is presented in request as the code of resource
Check diagnostic_report block in the request exists and is in final status in DB
in case of error return - 422 (Diagnostic report in \"entered_in_error\" status can not be referenced or Diagnostic report with such id is not found)
Check if resource from granted_to = 'employee':
in case of error return - 422 ("$.resource. value is not allowed in enum")
if care_plan is presented in request as the code of resource
Check episode_of_care in the request exists and is in active or closed status in DBCheck care_plan in the request exists in DB
in case of error return - 422 (Care plan with such id is not found)
Check there no other objects in request
in case of error return - 422 (Episode is canceledApproval for care plan can not contain other entities)
Check if resource from granted_to = 'employee':
in case of error return - 422 ("$.resource. value is not allowed in enum")
if
access_level = 'write':
Check if care_plans.managing_organization = granted_to.employees.legal_entity_id:
in case of error return - 422 ('User is not allowed to write care plan from another legal_entity')
if encounter is presented in request as the code of resource
Check diagnostic_report blockCheck encounter in the request exists and is in final status in exists in DB
in case of error return - 422 (Diagnostic report in \"entered_in_error\" status can not be referenced or Diagnostic report with such id is not found)
Check if resource from granted_to = 'employee':
in case of error return - 422 ("$.resource. value is not allowed in enum")
if care_plan is presented in request as the code of resource
Check care_plan in the request exists in DBCheck is status of episode from encounter = 'active'
in case of error return - 422 (Care plan with such id is not found)
"Encounter refers to episode that is not active")
Validate episode related to the encounter:
exists
in case of error - return
422 (
'Encounter refers to episode that does not exist')
is “active” or “closed”
in case of error - return
422 (
if access_level = 'write':
- Check if care_plans.managing_organization = granted_to.employees.legal_entity_id:
'Encounter refers to episode that is not active or closed')
it’s managing organization matches with author’s legal entity (client_id)
in case of error - return - 422 ('User is not allowed to write care plan Encounter is from another legal _ entity')
Add label
if encounter is procedure is presented in request as the code of resource
Check encounter in Check procedure in the request exists in DB
in case of error return - 422 (not found)
Check if resource from granted_to = 'employee':
in case of error return - 422 ("$.resource. value is not allowed in enum")
Check is status of episode from encounter = 'active'
in case of error return - 422 ("Encounter refers to episode that is not active")
if procedure is if specimen is presented in request as the code of resource
Check procedure in the request exists in Check specimen in the request exists in DB and is notin “entered_in_error” status in DB
in case of error return - 422 (not foundInvalid specimen status)
Check if resource from granted_to = 'employee':
in case of error return - 422 ("$.resource. value is not allowed in enum")
Validate service_request
If service_request block is presented in request
Get Service_request details (only in active status)
use Response.permitted_resources as resources for approval(could be episode or diagnostic_report).
If resource from granted_to = 'legal_entity':
Check if status of legal_entity in (ACTIVE, SUSPENDED):
in case of error return - 422 (Legal entity should be active)
Validate forbidden_group
if forbidden_group block is presented in request
Check forbidden group in the request exists and is_active in DB
in case of error return - 404 (not found)
Check if resource from granted_to = 'employee':
in case of error return - 422 ("$.resource. value is not allowed in enum")
Validate diagnoses_group
if diagnoses_group block is presented in request
Check diagnoses_group in the request exists and is_active in DB
in case of error return - 404 (not found)
Check if resource from granted_to = 'employee':
in case of error return - 422 ("$.resource. value is not allowed in enum")
Validate service_group
if service_group block is presented in request
Check services_group in the request exists and is_active in DB
in case of error return - 404 (not found)
Check if resource from granted_to = 'employee':
in case of error return - 422 ("$.resource. value is not allowed in enum")
Validate patient
if patient block is presented in request
Get patient_id from URL:
Check person_id from the request equal to the patient_id from URL
in case of error return - 404 (“Approval for one patient can not be created in another patient’s context”)
exists and is_active in DB
in case of error return - 404 (Person is not found)
Check if resource from granted_to = 'employee':
in case of error return - 422 ("$.resource. value is not allowed in enum")
Validate block child_resource
if child_resource is not empty:
validate that access_level == read
in case of error return - 422 ("$.access_level. value is not allowed in enum")
check that $.child_resource.identifier.value context is equal to $.resource.identifier.value
in case of error return - 422 (Child resource context id is not equal to granted resource id)
validate that service_requests / forbidden_groups / diagnoses_group / patients are not filled
in case of error return - 422 (schema does not allow additional properties)
validate that resources max items = 1
in case of error return - 422 ($.resources.expected a maximum of 1 items but got 2)
Check if resource from granted_to = 'employee':
in case of error return - 422 ("$.resource. value is not allowed in enum")
Validate person authentication_method
if resource = care_plan & care_plans.terms_of_service = 'INPATIENT'&granted_to.employees.legal_entity_id = care_plans.managing_organization:
skip validation of person authentication_method
set approvals.urgent = null
In other cases: Check patient_id:
if belongs to person, then GET auth_method from MPI using {patient_id}
If it's OTP:
send SMS to the auth_phone via otp_verification service POST /verifications
save approval to DB
save authentication_method_current.type and number to DB
return authentication_method_current.type = OTP
If it is offline
save approval to DB
save authentication_method_current.type and number to DB
return authentication_method_current.type = offline
if it is null:
return error 409 (Person does not have active authentication method)
if belongs to preperson:
save approval to DB
set approval status = active
set approval urgent = null
Validate access_level
Validate that access_level correspond to granted_resources:
In case error return 422 ("Resource types [\"$.granted_resources[].code\"] not allowed to use write access_level")
If employee_type of granted_to.identifier.value employee == ASSISTANT:
Check that access_level == ‘read’:
In case error return 422 ("Role ASSISTANT is not allowed to use write access_level for approval")
block | granted_resources | context | access_level | access to | reason |
---|---|---|---|---|---|
resources | episode_of_care | read | Reading all the data of specified in approval episode | null or child_resource | |
diagnostic_report | read | Reading all the data of specified in approval diagnostic report | null | ||
diagnostic_report | write | Canceling diagnostic report package | |||
care_plan | read | Reading all the data of specified in approval care plan | null | ||
care_plan | write | Creating activities for care plan, cancelling medication requests or recalling/cancelling service requests based on care plan | |||
encounter | write | Canceling encounter data package | null | ||
procedure | write | Canceling procedure | |||
nullspecimen | write | Canceling specimen | |||
child_resources | diagnostic_report | episode_of_care | read | Reading all the data of specified in context for diagnostic_report | null |
encounter | episode_of_care | Reading all the data of specified in context for encounter | null | ||
condition | episode_of_care | Reading all the data of specified in context for condition | null | ||
observation | episode_of_care diagnostic_report | Reading all the data of specified in context for observation | null | ||
activity | care_plan | Reading all the data of specified in context for activity | null | ||
clinical_impression | episode_of_care | Reading all the data of specified in context for clinical_impression | null | ||
allergy_intolerance | episode_of_care | Reading all the data of specified in context for allergy_intolerance | null | ||
immunization | episode_of_care | Reading all the data of specified in context for immunization | null | ||
device | episode_of_care | Reading all the data of specified in context for device | null | ||
risk_assessment | episode_of_care | Reading all the data of specified in context for risk_assessment | null | ||
procedure | episode_of_care | Reading all the data of specified in context for procedure | null | ||
service_request | episode_of_care | read | Reading data from granted_resources in approval service request | service_request | |
diagnostic_report | read | ||||
forbidden_group | forbidden_group | read | Reading all the medical events with items (codes/services/service_groups) of specified in approval forbidden groups | null | |
diagnoses_group | episode_of_care array | read | Reading all data of episodes with current_diagnoses.codes that specified in approval diagnoses group | null | |
services_group | diagnostic_reports and procedures array | read | Reading all data of diagnostic reports and procedures with code.identifier.value that specified in approval service group | null | |
patient_id | patient_id | read | Reading all the data of specified patient | null |
Validate authorize_with
The patient can pass the id of his auth_method which he wants to confirm the approval. The necessary auth method can be found by making Get person's auth methods
...
If approval doesn't have this field, then choose that method which is returned from mpi as person's default method.
Processing
Service logic
Set is_verified = false
All the approvals where is_verified = false should be deleted 12 hours after creation - env. configuration parameter
All approvals depends on value of granted_resources has its own expires_at config parameter - env. configuration parameter
Approvals with child_resources will be created ON entity which is context of this child_resources
For approvals on child_resource with resource and on service_request:
set child resource to block reason
set service_request to block reason
Check type of authentication_method for patient:
If type = 'OTP' send SMS type of granted_to & type of entity in granted_resources:
granted_to | block | granted_resources | Sms | |
items with FG | w\o items with FG | |||
employee | resources | episode_of_care | Код <code> для доступу до даних про <forbidden_groups.short_name> <forbidden_groups.sms_url>
If there are codes from more than 1 group:
Код <code> для доступу до даних про ВІЛ, | Код авторизації дій в системі eHealth: <code> |
diagnostic_report | ||||
care_plan | ||||
encounter | ||||
procedure | ||||
specimen | ||||
child_resources | diagnostic_report | |||
encounter | ||||
condition | ||||
observation | ||||
activity | ||||
clinical_impression | ||||
allergy_intolerance | ||||
immunization | ||||
device | ||||
risk_assessment | ||||
procedure | ||||
service_request | episode_of_care | |||
diagnostic_report | ||||
forbidden_group | forbidden_group | -(only with FG) | ||
diagnoses_group | diagnoses_group | ICD10: Код <code>: доступ на групу діагнозів {diagnoses_group_code} http://bit.ly/nszu1677b ICPC2: Код <code>: доступ на групу діагнозів {diagnoses_group_code} http://bit.ly/nszu1677e | ||
services_group |
| Код ****: доступ на групу сервісів {service_group_code} http://bit.ly/nszu1677e | ||
patient_id | patient_id | Код авторизації дій в системі eHealth: <code> | ||
granted_to | block | granted_resources | Sms | |
items with FG | w\o items with FG | |||
legal_entity | service_request | episode_of_care | -(only w/o FG) | Код <code>: згода на обробку персональних даних https://bit.ly/nszu1677i) |
diagnostic_report |
Response structure
See on Apiary
Example:
Expand | ||
---|---|---|
| ||
|
Expand | ||
---|---|---|
| ||
|
HTTP status codes
Page Properties | ||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...