Users can add other users to their careteam and assign a role to each member of their careteam. When accessing the profile of another user, the system should check if the user gave consent to do this.
Question 1: How to check if user X gave consent to view the profile of user Y?
Question 2: Can Google Healthcare Consent API handle this?
Question 3: Does it make sense to use Google Healthcare Consent API for this?
Current concept
Example use case: Grandma is the patient and Alice is taking care of her in a "doctor" context.
In the current setup, there is a dataMapping for each careteam member:
{
userId: 'id_of_alice',
dataId: 'users/id_of_grandma/profile',
resourceAttributes: [
{
attributeDefinitionId: 'careteam',
values: ['doctor']
}
]
}
I used two methods to check if Alice has access to Grandma's profile:
checkDataAccess
This method takes a dataId
as input and returns true if consent was given to ANY user.
That's not very useful... Should I lookup the userId on my side and pass the role in requestAttributes
? (What does the Consent API offer then?)
evaluateUserConsents
This method takes a userId
as input and returns all consented dataIds. This does not seem scalable. A doctor may have access to thousands of patients.
According to the current documentation [1] it is not possible to check access based on both UserId and DataId. It is documented that each has its own process [2][3].
For your question #1 You would need to implement some sort of filtering in your application to be able to have what you are looking for.
For question #2 it seems that the Consent management API currently does not offer that functionality.
For your question #3, the consent management API can help you to manage the access of the users by applying policies [4].
It is important to mention that the Consent Management API is still in beta [5] and new features could be included in the future.
[1]https://cloud.google.com/healthcare/docs/how-tos/consent-access-determination [2]https://cloud.google.com/healthcare/docs/how-tos/consent-access-determination#making_consent_access_determinations_for_specific_data_elements [3]https://cloud.google.com/healthcare/docs/how-tos/consent-access-determination#making_an_access_determination_for_all_consents_for_a_user [4]https://cloud.google.com/healthcare/docs/how-tos/consent-policies [5]https://cloud.google.com/healthcare/docs/release-notes#October_08_2020