I have a requirement that the ‘physicians’ (actually speech-language pathologists) only see the patients that they are the provider for in the system. I know it is a big big project, but my wife needs it for her business. Each provider is a contractor, and really should only have read access to their patient demographics and see only their own patients on the calendar and flowboard. I started by looking at restricting the flowboard and calendar by customizing the code, but my research makes me think there should be a more universal solution.
Here are others asking about similar functionality:
https://sourceforge.net/p/openemr/discussion/202505/thread/bc25f527/
I think I can work the coding out, but I need some guidance and discussion on how to design the solution. I know this involves introducing new ACL categories and implementing checks where the data is accessed, but the design of those categories and underlying permissions is what I need help with, and need input from the development community.
There is an ACL category for Authorize My Encounters (auth) and Authorize Any Encounters (auth_a) that is indicated as unused on https://www.open-emr.org/wiki/index.php/Access_Controls_Listing#Encounter_Information_.28encounters.29
I think that following that convention would be good, but I don’t want to rewrite how the existing ACL categories are used across the entire system. Adding additional ones would seem to have a smaller chance of introducing errors.
I am thinking of something that is like this:
For listboxes and patient list:
Patients…View All
Patients…View Mine
Patients…Appointments
wsome_only_mine
write_only_mine
Patients…View Appointments (this would control in calendar and flowboard)
mine
all
Patients…Demographics
add_only_mine
write_only_mine
ANY_only_mine
as potiental return values
Does anyone have any ideas on how to structure this? What would some alternative ways to do this that would still maintain compatibility with the ACL and other features of the system?
Thanks,
Derek