App accesses clinical data via FHIR API

With a valid access token, the app can access protected EHR data by issuing a FHIR API call to the FHIR endpoint on the EHR's resource server. The request includes an Authorization header that presents the access_token as a "Bearer" token:

Authorization: Bearer {{access_token}}

(In a real request, {{access_token}} is replaced with the actual token value.)

For example:

With the token response shown above, the app knows which patient is in context and holds an OAuth 2.0 bearer-type access token that it can use to fetch clinical data:

GET https://ehr/fhir/Patient/123
Authorization: Bearer i8hweunweunweofiwweoijewiwe

{
  "resourceType": "Patient",
  "id": "123",
  "birthDate": ...
}

The EHR's FHIR resource server validates the access token: it ensures that the token has not expired and that its scope covers the requested FHIR resource and interaction. The resource server also validates that the aud parameter the app supplied with its authorization request (see above) matches the resource server's own FHIR endpoint, so that a token issued for one EHR cannot be replayed against another. The method used by the EHR to validate the access token is beyond the scope of this specification but generally involves an interaction or coordination between the EHR's resource server and the authorization server.

On occasion, an app may receive a FHIR resource that contains a "reference" to a resource hosted on a different resource server. The app SHOULD NOT blindly follow such references and send along its access_token, since doing so discloses the token to a server it was not issued for and exposes it to theft. The app SHOULD either ignore the reference or initiate a new request for access to that resource.
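The two checks described above, as an added example (not code from the SMART App Launch specification or any EHR implementation): the resource-server side decides whether a validated token may be used for a given FHIR interaction (expiry, aud, scope), and the app side refuses to attach its bearer token to any URL that is not under the FHIR endpoint the token was issued for. The token-info dictionary, its field names, and the sample values are constructed assumptions; the spec leaves the token validation mechanism open, and a real server would obtain these fields from introspection or from a JWT it issued. The scope grammar handled is the SMART v1 (`patient/Patient.read`) and v2 (`patient/Observation.rs`) resource-scope forms; v2 scopes with query parameters are not handled.

```python
"""Bearer-token checks for a FHIR resource server and a FHIR client.
Added example; not part of the SMART App Launch spec."""
import re
import time
from urllib.parse import urlsplit

# SMART resource scopes: <context>/<ResourceType or *>.<perms>
# perms is v1 "read"/"write"/"*" or a v2 subset of the letters c,r,u,d,s.
SCOPE_RE = re.compile(r"^(patient|user|system)/(\*|[A-Z][A-Za-z]+)\.(read|write|\*|[cruds]+)$")

# FHIR interaction -> single-letter permission (v2 letters; v1 words are expanded below).
INTERACTION_PERMS = {"read": "r", "search": "s", "create": "c", "update": "u", "delete": "d"}


def parse_scope(scope):
    """Return (context, resource_type, permission letters) or None for non-resource scopes."""
    m = SCOPE_RE.match(scope)
    if not m:
        return None
    context, rtype, perms = m.groups()
    letters = {"read": set("rs"), "write": set("cud"), "*": set("cruds")}.get(perms, set(perms))
    return context, rtype, letters


def scope_permits(scope_string, resource_type, interaction):
    """True if any granted scope covers this interaction on this resource type."""
    need = INTERACTION_PERMS[interaction]
    for scope in scope_string.split():
        parsed = parse_scope(scope)
        if parsed is None:          # e.g. openid, launch/patient, offline_access
            continue
        _, rtype, letters = parsed
        if rtype in ("*", resource_type) and need in letters:
            return True
    return False


def authorize_request(token_info, fhir_base, resource_type, interaction, now=None):
    """Resource-server side. token_info is what the server learned about the
    token (constructed field names: active, exp, aud, scope). Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if not token_info.get("active", False):
        return False, "token inactive"
    if token_info.get("exp", 0) <= now:
        return False, "token expired"
    aud = token_info.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if fhir_base.rstrip("/") not in [a.rstrip("/") for a in auds if a]:
        return False, "aud does not match this FHIR endpoint"
    if not scope_permits(token_info.get("scope", ""), resource_type, interaction):
        return False, f"scope does not cover {interaction} on {resource_type}"
    return True, "ok"


def token_belongs_to(url, fhir_base):
    """App side: True only if url shares scheme/host/port with fhir_base and
    lies under its path, i.e. it is the server the token was issued for."""
    u, b = urlsplit(url), urlsplit(fhir_base)
    if (u.scheme, u.netloc) != (b.scheme, b.netloc):
        return False
    return (u.path.rstrip("/") + "/").startswith(b.path.rstrip("/") + "/")


def build_request_headers(url, fhir_base, access_token):
    """Headers for a FHIR request; refuses to send the bearer token to a foreign
    server (a reference into another resource server) so the app must ignore the
    reference or obtain separate access instead."""
    if not token_belongs_to(url, fhir_base):
        raise ValueError(f"refusing to send access token to {url}; request separate access")
    return {"Accept": "application/fhir+json", "Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    # Constructed sample token info, as the resource server might see it.
    info = {"active": True, "exp": time.time() + 3600, "aud": "https://ehr/fhir",
            "scope": "launch/patient patient/Patient.read patient/Observation.rs offline_access"}
    print(authorize_request(info, "https://ehr/fhir", "Patient", "read"))        # (True, 'ok')
    print(authorize_request(info, "https://ehr/fhir", "Observation", "update"))  # scope denied
    print(authorize_request(info, "https://other-ehr/fhir", "Patient", "read"))  # aud denied
    print(build_request_headers("https://ehr/fhir/Patient/123", "https://ehr/fhir", "i8hweunweunweofiwweoijewiwe"))
    try:
        build_request_headers("https://other-ehr/fhir/Practitioner/9", "https://ehr/fhir", "i8hweunweunweofiwweoijewiwe")
    except ValueError as e:
        print(e)
```

The path check in token_belongs_to matters as much as the host check: two FHIR endpoints can share a host (for example separate tenants under different base paths), and the aud the app requested names the base path, so only URLs under that base get the token.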