1 Purpose
2 Specification
3 Authorize
4 Validation of related entities
- 4.1 Validate user
- 4.2 Validate person authentication_method
5 Validation of the request
- 5.1 Validate resources or block of resources
  - 5.1.1 Validate resources
  - 5.1.2 Validate service_request
  - 5.1.3 Validate forbidden_group
  - 5.1.4 Validate diagnoses_group
  - 5.1.5 Validate service_group
  - 5.1.6 Validate patient
- 5.2 Validate block child_resource
- 5.3 Validate access_level
- 5.4 Validate authorize_with
6 Service logic

Purpose

This WS is designed to create approval on entity, which aggregate other entities (episode_of_care, diagnostic_report, care_plan), OR forbidden group OR diagnoses group, OR on service_request including it’s permitted_resources OR on cancel for encounter, specimen and procedure.
Approvals are processed in the async way
Only authenticated and authorized employees with appropriate scope can create approval.

Specification

API Create Approval

Authorize

Verify the validity of access token
1. in case of error - return 401 (“Invalid access token”) in case of validation fails
Verify that token is not expired
1. in case of error - return 401 (“Invalid access token”)
Check user scopes in order to perform this action (scope = 'approval:create ')
1. return 403 (“Your scope does not allow to access this resource. Missing allowances: approval:create ”) in case of invalid scope(s)

Validation of related entities

Validate user

Granted_to.employee_id should be active
1. in case of error - return 422 “Should be active“
If resource from granted_to != 'legal_entity':
1. Check if employee from the same legal entity as user:
  1. client_id from token should be linked with employee_id from granted_to object.
    1. in case of error - return 422 “Employee <employee_id> doesn't belong to your legal entity“

Validate person authentication_method

If resource = care_plan & care_plans.terms_of_service = ‘INPATIENT'&granted_to.employees.legal_entity_id = care_plans.managing_organization:
1. skip validation of person authentication_method
2. set approvals.urgent = null
In other cases:
1. Check patient_id:
  1. if belongs to person, then GET auth_method from MPI using {patient_id}
    1. If it's OTP:
      1. send SMS to the auth_phone via otpч_verification service POST /verifications
      2. save authentication_method_current.type and number to DB
      3. return authentication_method_current.type = OTP
    2. If it is offline
      1. save authentication_method_current.type and number to DB
      2. return authentication_method_current.type = offline
    3. if it is null:
      1. return error 409 (Person does not have active authentication method)
  2. if belongs to preperson:
    1. set approval urgent = null

Validation of the request

Validate resources or block of resources

Approvals are processed in the async way

Validate resources

if episode_of_care is presented in request as the code of resource
1. Check episode_of_care in the request exists and is in active or closed status in DB
  1. in case of error return - 422 (Episode is canceled)
2. Check if resource from granted_to = 'employee':
  1. in case of error return - 422 ("$.resource. value is not allowed in enum")
if diagnostic_report is presented in request as the code of resource
1. Check diagnostic_report block in the request exists and is in final status in DB
  1. in case of error return - 422 (Diagnostic report in \"entered_in_error\" status can not be referenced or Diagnostic report with such id is not found)
2. Check if resource from granted_to = 'employee':
  1. in case of error return - 422 ("$.resource. value is not allowed in enum")
if care_plan is presented in request as the code of resource
1. Check care_plan in the request exists in DB
  1. in case of error return - 422 (Care plan with such id is not found)
2. Check there no other objects in request
  1. in case of error return - 422 (Approval for care plan can not contain other entities)
3. Check if resource from granted_to = 'employee':
  1. in case of error return - 422 ("$.resource. value is not allowed in enum")
4. If access_level = 'write':
  1. Check if care_plans.managing_organization = granted_to.employees.legal_entity_id:
    1. in case of error return - 422 ('User is not allowed to write care plan from another legal_entity')
if encounter is presented in request as the code of resource
1. Check encounter in the request exists in DB and is not in “entered_in_error” status in DB
  1. (Encounter in \"entered_in_error\" status can not be referenced or Encounter with such id is not found)
2. Check if resource from granted_to = 'employee':
  1. in case of error return - 422 ("$.resource. value is not allowed in enum")
if procedure is presented in request as the code of resource
1. Check procedure in the request exists in DB and is not in “entered_in_error” status in DB
  1. in case of error return - 422 (Procedure in \"entered_in_error\" status can not be referenced)
2. Check if resource from granted_to = 'employee':
  1. in case of error return - 422 ("$.resource. value is not allowed in enum")
if specimen is presented in request as the code of resource
1. Check specimen in the request exists in DB and is not in “entered_in_error” status in DB
  1. in case of error return - 422 (Invalid specimen status)
2. Check if resource from granted_to = 'employee':
  1. in case of error return - 422 ("$.resource. value is not allowed in enum")

Validate service_request

If service_request block is presented in request
1. Get Service_request details (only in active status)
2. use Response.permitted_resources as resources for approval(could be episode or diagnostic_report).
If resource from granted_to = 'legal_entity':
1. Check if status of legal_entity in (ACTIVE, SUSPENDED, REORGANIZED):
  1. in case of error return - 422 (Legal entity should be active)

Validate forbidden_group

if forbidden_group block is presented in request
1. Check forbidden group in the request exists and is_active in DB
  1. in case of error return - 404 (not found)
Check if resource from granted_to = 'employee':
1. in case of error return - 422 ("$.resource. value is not allowed in enum")

Validate diagnoses_group

if diagnoses_group block is presented in request
1. Check diagnoses_group in the request exists and is_active in DB
  1. in case of error return - 404 (not found)
Check if resource from granted_to = 'employee':
1. in case of error return - 422 ("$.resource. value is not allowed in enum")

Validate service_group

if service_group block is presented in request
1. Check services_group in the request exists and is_active in DB
  1. in case of error return - 404 (not found)
Check if resource from granted_to = 'employee':
1. in case of error return - 422 ("$.resource. value is not allowed in enum")

Validate patient

if patient block is presented in request
1. Get patient_id from URL:
  1. Check person_id from the request equal to the patient_id from URL
    1. in case of error return - 404 (“Approval for one patient can not be created in another patient’s context”)
  2. exists and is_active in DB
    1. in case of error return - 404 (Person is not found)
Check if resource from granted_to = 'employee':
1. in case of error return - 422 ("$.resource. value is not allowed in enum")

Validate block child_resource

if child_resource is not empty:
1. validate that access_level == read
  1. in case of error return - 422 ("$.access_level. value is not allowed in enum")
2. check that $.child_resource.identifier.value context is equal to $.resource.identifier.value
  1. in case of error return - 422 (Child resource context id is not equal to granted resource id)
3. validate that service_requests / forbidden_groups / diagnoses_group / patients are not filled
  1. in case of error return - 422 (schema does not allow additional properties)
4. validate that resources max items = 1
  1. in case of error return - 422 ($.resources.expected a maximum of 1 items but got 2)
Check if resource from granted_to = 'employee':
1. in case of error return - 422 ("$.resource. value is not allowed in enum")

Validate access_level

Validate that access_level correspond to granted_resources:
1. In case error return 422 ("Resource types [\"$.granted_resources[].code\"] not allowed to use write access_level")
If employee_type of granted_to.identifier.value employee == ASSISTANT:
1. Check that access_level == ‘read’:
  1. In case error return 422 ("Role ASSISTANT is not allowed to use write access_level for approval")

block	granted_resources	context	access_level	access to	reason

block	granted_resources	context	access_level	access to	reason
resources	episode_of_care		read	Reading all the data of specified in approval episode	null or child_resource
	diagnostic_report		read	Reading all the data of specified in approval diagnostic report
	diagnostic_report		write	Canceling diagnostic report package
	care_plan		read	Reading all the data of specified in approval care plan
	care_plan		write	Creating activities for care plan, cancelling medication requests or recalling/cancelling service requests based on care plan
	encounter		write	Canceling encounter data package
	procedure		write	Canceling procedure
	specimen		write	Canceling specimen
child_resources	diagnostic_report	episode_of_care	read	Reading all the data of specified in context for diagnostic_report	null
	encounter	episode_of_care		Reading all the data of specified in context for encounter	null
	condition	episode_of_care		Reading all the data of specified in context for condition	null
	observation	episode_of_care diagnostic_report		Reading all the data of specified in context for observation	null
	activity	care_plan		Reading all the data of specified in context for activity	null
	clinical_impression	episode_of_care		Reading all the data of specified in context for clinical_impression	null
	allergy_intolerance	episode_of_care		Reading all the data of specified in context for allergy_intolerance	null
	immunization	episode_of_care		Reading all the data of specified in context for immunization	null
	device	episode_of_care		Reading all the data of specified in context for device	null
	risk_assessment	episode_of_care		Reading all the data of specified in context for risk_assessment	null
	procedure	episode_of_care		Reading all the data of specified in context for procedure	null
service_request	episode_of_care		read	Reading data from granted_resources in approval service request	service_request
service_request	diagnostic_report		read		service_request
forbidden_group	forbidden_group		read	Reading all the medical events with items (codes/services/service_groups) of specified in approval forbidden groups	null
diagnoses_group	diagnoses_group		read	Reading short data of episodes with current_diagnoses.codes that specified in approval diagnoses group	null
services_group	diagnostic_reports and procedures array		read	Reading all data of diagnostic reports and procedures with code.identifier.value that specified in approval service group	null
patient_id	patient_id		read	Reading all the data of specified patient	null

Validate authorize_with

The patient can pass the id of his auth_method which he wants to confirm the approval. The necessary auth method can be found by making Get person's auth methods

validate auth_method.id is UUID
1. in case error return 422
search auth method in MPI.person_authentication_method
1. in case error return 422, "such authentication method doesn't exist"
search auth method of this patient where MPI.person_authentication_method.person_id = $.patient.id
1. in case error return 422, "such authentication method does not belong to this person"
validate if auth_method.type = NA
1. error return 422, "Сannot be confirmed by a method with type= NA. Use a different method."
validate that this method is active ( authentication_method.ended_at > now() and is_active = true)

This field is optional and set in new field authorize_with and save type and phone_number in approvals.urgent.authentication_method_current.

If approval doesn't have this field, then choose that method which is returned from mpi as person's default method.

Service logic

Set is_verified value to:
1. false if patient is person.
2. true if patient is preperson.
All the approvals where is_verified = false should be deleted 12 hours after creation - env. configuration parameter
All approvals depends on value of granted_resources has its own expires_at config parameter - env. configuration parameter
Approvals with child_resources will be created ON entity which is context of this child_resources
For approvals on child_resource with resource and on service_request:
1. set child resource to block reason
2. set service_request to block reason
Check type of authentication_method for patient:
1. If type = 'OTP' send SMS type of granted_to & type of entity in granted_resources:

granted_to	block	granted_resources	Sms
			items with FG	w\o items with FG
employee	resources	episode_of_care	Код <code> для доступу до даних про <forbidden_groups.short_name> <forbidden_groups.sms_url> If there are codes from more than 1 group: Код <code> для доступу до даних про ВІЛ,РПП https://bit.ly/nszu1677f	Код авторизації дій в системі eHealth: <code>
		diagnostic_report
		care_plan
		encounter
		procedure
		specimen
	child_resources	diagnostic_report
		encounter
		condition
		observation
		activity
		clinical_impression
		allergy_intolerance
		immunization
		device
		risk_assessment
		procedure
	service_request	episode_of_care
		diagnostic_report
	forbidden_group	forbidden_group		-(only with FG)
	diagnoses_group	diagnoses_group		ICD10: Код <code>: доступ на групу діагнозів {diagnoses_group_code} http://bit.ly/nszu1677b ICPC2: Код <code>: доступ на групу діагнозів {diagnoses_group_code} http://bit.ly/nszu1677e
	services_group	diagnostic_reports and procedures array		Код ****: доступ на групу сервісів {service_group_code} http://bit.ly/nszu1677e
	patient_id	patient_id		Код авторизації дій в системі eHealth: <code>
granted_to	block	granted_resources	Sms
			items with FG	w\o items with FG
legal_entity	service_request	episode_of_care	-(only w/o FG)	Код <code>: згода на обробку персональних даних https://bit.ly/nszu1677i)
		diagnostic_report

E-Health

RC._Create Approval_EN