Overview

This web service (set of services) is designed to provide access to specific episode of care and all its child entities for those users who has appropriate privileges

User who has active declaration with patient is "authorized" to manage all patient's data (view history, add new medical events)
User with active approval to this episode can view episode details and its child entities

Specification

Service logic

Validate token

Verify the validity of access token
- Return 401 in case of validation fails
Verify that token is not expired
- in case of error - return 401

Validate scopes

Check user scopes in order to perform this action (scope = 'episode_of_care:read')
1. Return 403 in case of invalid scope(s)

Validate data consistency

Ensure that requested episode of care relates to requested patient
1. Return (404, 'not found') in case of error

Check user privileges

If ANY of this rules is met - user has privileges to access this data

Otherwise - access to this data is denied. Return (403, 'forbidden')

Rule 1: User who has active declaration with patient is "authorized" to manage all patient's data

If ANY employee related to this user in this legal entity has active declaration with this patient - it has the privileges to access this data

1. Get token metadata

Extract user_id, client_id, client_type

2. Determine the party_id associated with this user_id

SELECT pu.party_id
FROM party_users pu
WHERE pu.user_id = :user_id;

3. Determine employees related to this party_id in current MSP

SELECT e.id
FROM employees e
WHERE e.party_id = :party_id
AND e.legal_entity_id = :client_id;

4. Find patient declarations in this MSP

SELECT d.id
FROM declarations d
WHERE d.legal_entity_id = :client_id
AND d.employee_id IN (:employees)
AND d.status IN ('active', 'pending_verification')
AND d.person_id = :patient_id;

Rule 2: User with active approval to this episode can view episode details and its child entities

TBD

Get child entities through episode context