Open joostholslag opened 4 months ago
SCP distinguishes between 2 roles: CarePlanService (CPS) and CarePlanContributor (CPC) (https://santeonnl.github.io/shared-care-planning/overview.html#actors). The CPC role differs between the 3 transactions:

1. Creating and responding to a Task: "This actor creates and updates the care plan and tasks/orders for other (future) Care Plan Contributors." We could say that only professionals with certain jobs/specialties/roles/professions are authorized to do this. This is not yet implemented.
2. Updating CarePlan and CareTeam: "This actor creates and updates the care plan and tasks/orders for other (future) Care Plan Contributors." We could say that only professionals with certain jobs/specialties/roles/professions are authorized to do this. This is not yet implemented. We do say that only the CarePlan.author can delete a CarePlan. See https://santeonnl.github.io/shared-care-planning/security-authorization.html#resource-access. N.B.: CareTeam can never be directly updated by a CPC; this is done by the CPS.
3. Getting data from CareTeam members: "The CP-Contributor may also retrieve data from the other Care Plan Contributor(s)". We could say that jobs/specialties/roles/professions are a parameter for authorization, commonly referred to in other contexts as the "role-zib-matrix", meaning that some roles should only be able to access zibs a, b, c, and other roles should access a, b, c, d and e. This is not implemented in SCP. Our primary focus in authorization is: step 1 active membership of CareTeam, step 2 use case specific access rules based on Condition- and Request-code, see https://santeonnl.github.io/shared-care-planning/security-authorization.html#an-example-of-use-case-specific-access-rules.

Do you agree, @bramwesselo?
Thanks for the elaborate answers @jorritspee. My answer would be: every participant in the CareTeam is a contributor. At this moment, we've left the 'job title/specialty' out-of-scope, because that would require additional registration/standardization at all involved care organizations (imagine a care organization having a team of nurses and doctors that are jointly responsible for a Task; then you must either add all these roles in the CareTeam or define this team with a 'job title/specialty'. Chances are that this will get messy/complicated).
I think this deserves an answer in the IG, to make the scope clear (task assignment and authorisations, right? So not necessarily an overview of involved parties) and to avoid confusion.
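
The two-step check described in the thread (step 1: active CareTeam membership, step 2: use case specific rules keyed on Condition and Request code), as an added example that is not part of the thread or of the SCP code base. The rule table, codes, organization references and the choice to deny a participant without a `period.start` are assumptions of this example; in line with the thread, job title/specialty is not an input.

```python
from datetime import datetime, timezone

# Constructed rule table (hypothetical codes): (Condition code, Request code)
# -> resource types a CareTeam member may read for that use case.
USE_CASE_RULES = {
    ("example-condition", "example-request"): {"Observation", "Condition"},
}

# Constructed CareTeam: one active participant, one whose period has ended.
SAMPLE_CARE_TEAM = {
    "resourceType": "CareTeam",
    "participant": [
        {"member": {"reference": "Organization/hospital-a"},
         "period": {"start": "2024-01-01T00:00:00Z"}},
        {"member": {"reference": "Organization/homecare-b"},
         "period": {"start": "2024-01-01T00:00:00Z", "end": "2024-03-01T00:00:00Z"}},
    ],
}

def _parse(ts):
    """Parse a FHIR dateTime; values without an offset are treated as UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def is_active_member(care_team, member_ref, now):
    """Step 1: requester is a participant whose period covers `now`."""
    for p in care_team.get("participant", []):
        if p.get("member", {}).get("reference") != member_ref:
            continue
        period = p.get("period", {})
        start, end = period.get("start"), period.get("end")
        if start is None or _parse(start) > now:
            continue  # assumption of this example: no start means not active
        if end is not None and _parse(end) <= now:
            continue  # membership has ended
        return True
    return False

def authorize_read(care_team, member_ref, condition_code, request_code,
                   resource_type, now=None):
    """Return (allowed, reason); any case without a matching rule is denied."""
    now = now or datetime.now(timezone.utc)
    if not is_active_member(care_team, member_ref, now):
        return False, "not an active CareTeam member"
    allowed = USE_CASE_RULES.get((condition_code, request_code))  # step 2
    if allowed is None:
        return False, "no access rule for this use case"
    if resource_type not in allowed:
        return False, "resource type outside use case"
    return True, "ok"
```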