# Access control in FHIR
FHIR access control is a comprehensive solution for managing access to
healthcare data in FHIR stores. It provides a granular level of control over
which users can access which resources, and what actions they can take on those
resources. FHIR access control helps to ensure that healthcare data is only
accessed by authorized users, and that it is used in a way that is consistent
with the intent of the data owner.
FHIR access control is built on the following principles:

- **Granularity**: provides a fine-grained level of control over access to data. This allows organizations to define access policies that are tailored to their specific needs.
- **Flexibility**: adapts to meet the changing needs of organizations. This allows organizations to keep their access control policies up-to-date as their data governance requirements evolve.
- **Scalability**: provides an integrated and streamlined approach to managing end-user consents. This provides built-in access enforcement for each EHR operation with minimal overhead.
- **Compliance**: conforms to the FHIR specification. This ensures that organizations can use FHIR access control with any FHIR-compliant system.
FHIR access control addresses a wide range of data governance challenges, such as the following:

- **Patient consent**: enforces patient consent to use their healthcare data. This ensures that patients are in control of how their data is used.
- **Data sharing**: facilitates healthcare data sharing between organizations. This improves the coordination of care and supports research.
- **Regulatory compliance**: helps organizations comply with regulatory requirements for the protection of healthcare data.
FHIR access control offers a number of benefits, including the following:

- **Improved data security**: improves the security of healthcare data by ensuring that only authorized users can access data.
- **Reduced risk of data breaches**: reduces the risk of data breaches by providing a centralized mechanism for data access management.
- **Improved compliance**: helps organizations to comply with regulatory requirements for the protection of healthcare data.
- **Increased patient trust**: ensures patient trust by giving patients control over how their data is used.
Authorities of consent
----------------------

The following four main authorities are involved in consent:

- **Administrator authority**: establishes the framework for consent authority. They determine who can grant consent, what information must be included in a consent agreement, and how consent agreements will be enforced.
- **Grantor authority**: an individual or organization that grants consent to access data, such as a patient or an administrator. They can provide consent agreements to grantees or delegate consent authority to others.
- **System authority**: the ability to make authoritative assertions about the identity, application use case, and environment of a grantee. This can be used in a [zero-trust architecture](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf) to verify that a grantee has the right to access data.
- **Grantee authority**: an individual or organization that is granted consent to access data, such as the EHR's accessor. They can provide information about their role, purpose, and environment to help the system verify their identity and authority.
The distribution of authority, the rules that govern them, and the evaluation of
data elements as part of matching policies with accessors are unique to consent
when compared to other forms of access control.
Comparison with other access control systems
--------------------------------------------

FHIR access control allows fine-grained, resource-level access control, whereas Identity and Access Management (IAM) focuses on project-, dataset- and FHIR store-level permissions. [SMART-on-FHIR](https://hl7.org/fhir/smart-app-launch/2021May/) focuses on the use case of a single authority with basic policies and request attributes. While SMART-on-FHIR provides some level of granularity, it is limited to single request attributes and cannot provide the same level of fine-grained control as FHIR access control. Full comparisons are listed in the following table.
| Capability | Column 1 | Column 2 | Column 3 | Column 4 |
|---|---|---|---|---|
| Comprehensive overlapping policies | Up to 200 administrator policies + 200 consents per patient | Up to 100 | O(10) | Bounded by serving performance |
| Performance & Scalability | Supported | Not Supported | Supported | Not Supported |
| In-built EHR security | Supported | Not Supported | Supported | Not Supported |
| Concurrent permission change | Possible | Possible | Not Supported | Possible |
| Policy administration and audit | Supported | Not Supported | Not Supported | Supported |
The table rows are defined as follows:

- **Multi-authority enablement**: enables both administrators and patients, within their boundary, to grant consents and enforce policies.
- **Multi-request attributes**: represents the grantee as a set of abstract actor, purpose, and environment attributes for evaluation against consent policies.
- **Dynamic fine-grained resource attributes**: allows policy enforcement and consent granting on various data elements (e.g. resource type, data source, data tag). Access can change in real time with data mutation.
- **Comprehensive overlapping policies**: multiple consents can be enforced on a single resource with comprehensive access determination rules.
- **Performance & Scalability**: all EHR operations (e.g. patient-$everything, search) are performant with minimal overhead.
- **In-built EHR security**: all EHR operations are supported without the need for additional configuration or customization.
- **Concurrent permission change**: when a permission changes, previously issued credentials (e.g. access tokens) are subject to the new permission.
- **Policy administration and audit**: allows administrators to draft and update policies with an audit trail, and to audit data accesses (e.g. who attempted to access what data, for which purpose, in which environment).
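To make the model concrete, the following is an added example written for this page, not Cloud Healthcare API code and not its actual data model or determination rules. It shows, in one small in-memory evaluator, the ideas from the "Authorities of consent" section and from the comparison list above: administrator policies and patient consents as two authorities, a grantee represented by actor, purpose and environment attributes, resources carrying type, source and tag attributes, several overlapping policies applying to one resource, evaluation on every request so that a revoked consent applies to an already-issued credential, and an audit record of each attempt. The `Policy`, `Accessor` and `Resource` shapes, the attribute values, and the "at least one matching permit and no matching deny" rule are all assumptions made for the illustration.

```python
"""Illustrative consent evaluator for the concepts on this page.
Added example: NOT the Cloud Healthcare API's data model or its real access
determination rules. The policy shape, attribute names and the
"deny overrides permit" rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = frozenset()  # an empty attribute set in a policy matches any value


@dataclass(frozen=True)
class Accessor:
    """Multi-request attributes a grantee presents (asserted by the system authority)."""
    actor: str        # e.g. "practitioner"
    purpose: str      # e.g. "treatment"
    environment: str  # e.g. "hospital-network"


@dataclass(frozen=True)
class Resource:
    """Dynamic resource attributes that policies are matched against."""
    id: str
    resource_type: str
    patient: str
    source: str
    tags: frozenset = ANY


@dataclass
class Policy:
    """One administrator policy or one patient consent (hypothetical shape)."""
    authority: str  # "administrator" or the id of the granting patient
    effect: str     # "permit" or "deny"
    actors: frozenset = ANY
    purposes: frozenset = ANY
    environments: frozenset = ANY
    resource_types: frozenset = ANY
    sources: frozenset = ANY
    tags: frozenset = ANY

    def matches(self, who: Accessor, res: Resource) -> bool:
        def ok(allowed: frozenset, value: str) -> bool:
            return not allowed or value in allowed
        return (ok(self.actors, who.actor) and ok(self.purposes, who.purpose)
                and ok(self.environments, who.environment)
                and ok(self.resource_types, res.resource_type)
                and ok(self.sources, res.source)
                and (not self.tags or bool(self.tags & res.tags)))


def decide(policies: List[Policy], who: Accessor, res: Resource) -> bool:
    """Assumed overlapping-policy rule: at least one matching permit and no matching deny."""
    matching = [p for p in policies if p.matches(who, res)]
    if any(p.effect == "deny" for p in matching):
        return False
    return any(p.effect == "permit" for p in matching)


class ConsentStore:
    """Administrator policies plus per-patient consents, evaluated live on every request."""

    def __init__(self) -> None:
        self.admin_policies: List[Policy] = []
        self.consents: Dict[str, List[Policy]] = {}
        self.audit: List[Tuple[Accessor, str, str, bool]] = []

    def grant(self, policy: Policy) -> None:
        if policy.authority == "administrator":
            self.admin_policies.append(policy)
        else:
            self.consents.setdefault(policy.authority, []).append(policy)

    def revoke(self, patient: str) -> None:
        """Takes effect on the next request, whatever credential the caller already holds."""
        self.consents.pop(patient, None)

    def is_allowed(self, who: Accessor, res: Resource) -> bool:
        """Administrator policies bound the accessor; the patient's consents decide inside that boundary."""
        allowed = (decide(self.admin_policies, who, res)
                   and decide(self.consents.get(res.patient, []), who, res))
        # Audit: who attempted to access what, for which purpose, in which environment.
        self.audit.append((who, res.resource_type, res.id, allowed))
        return allowed

    def search(self, who: Accessor, resources: List[Resource]) -> List[Resource]:
        """Search enforcement: filter per resource, not per request."""
        return [r for r in resources if self.is_allowed(who, r)]


def build_demo() -> Tuple[ConsentStore, List[Resource]]:
    """Constructed sample policies and resources (not real data)."""
    store = ConsentStore()
    store.grant(Policy("administrator", "permit", actors=frozenset({"practitioner", "researcher"})))
    store.grant(Policy("administrator", "deny", environments=frozenset({"unmanaged-device"})))
    store.grant(Policy("patient-1", "permit", actors=frozenset({"practitioner"}), purposes=frozenset({"treatment"})))
    store.grant(Policy("patient-1", "deny", tags=frozenset({"psychotherapy-note"})))
    store.grant(Policy("patient-2", "permit", actors=frozenset({"researcher"}),
                       purposes=frozenset({"research"}), resource_types=frozenset({"Observation"})))
    resources = [
        Resource("obs-1", "Observation", "patient-1", "ehr"),
        Resource("note-1", "Observation", "patient-1", "ehr", frozenset({"psychotherapy-note"})),
        Resource("obs-2", "Observation", "patient-2", "ehr"),
        Resource("obs-3", "Observation", "patient-3", "ehr"),  # no consent on file
    ]
    return store, resources


def visible_ids(store: ConsentStore, who: Accessor, resources: List[Resource]) -> List[str]:
    return [r.id for r in store.search(who, resources)]


if __name__ == "__main__":
    store, resources = build_demo()
    clinician = Accessor("practitioner", "treatment", "hospital-network")
    researcher = Accessor("researcher", "research", "hospital-network")
    print("clinician sees", visible_ids(store, clinician, resources))    # ['obs-1']
    print("researcher sees", visible_ids(store, researcher, resources))  # ['obs-2']
    store.revoke("patient-2")  # concurrent permission change: same accessor, new answer
    print("researcher after revoke", visible_ids(store, researcher, resources))  # []
```

Two behaviours are worth noticing when running it: the clinician never sees `note-1` because the patient's deny on the tag overlaps the patient's permit on the same resource, and re-tagging `obs-1` with that tag flips the answer without any policy change, which is the "access can change in real time with data mutation" point. Because `is_allowed` consults the store on each call rather than at credential issuance, revoking patient-2's consent changes the researcher's search results immediately.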
What's next
-----------

- [Learn about access data models and determination rules](/healthcare-api/docs/fhir-access-control-technical).
- [Get started with using FHIR access control](/healthcare-api/docs/fhir-consent).

Last updated 2025-08-25 UTC.