---
{
  "title": "Patient Data Access API: FHIR Implementer's Guide",
  "description": "What the Patient Data Access API is, how it relates to CMS rules, and how to implement it on a FHIR server like Aidbox — with code samples.",
  "date": "2025-04-11",
  "author": "Rostislav Antonov",
  "reading-time": "4 min",
  "tags": [
    "Integrations",
    "Compliance"
  ]
}
---
## What is a Patient Data Access API?

We often need to access data for a specific patient while ensuring that access is limited to them. This can be done by adding a patient reference search parameter to each request, but Aidbox [FHIR server takes](https://www.health-samurai.io/aidbox) another approach: it uses [SMART on FHIR](/blog/a-practical-guide-for-extending-emr-capabilities-with-smart-on-fhir-applications) scopes and patient context in the authorization token to restrict access to resources associated with the patient.

### Patient Access API: Implementation

To restrict access to a specific patient's data in Aidbox, the request must meet the following conditions:
- Authorization token must be valid JWT;
- This token must contain only patient-level scopes in “scope” claim;
- JWT token must contain patient ID in “context.patient” claim.

With this approach, you can be confident that you will not be able to retrieve data using the FHIR API for patients other than those specified in the context. An example of JWT token claims:


```javascript
{
...
  "atv": 2,
  "scope": "launch/patient openid fhirUser offline_access patient/*.cruds",
  "context": {
    "patient": "patient-id"
  }
...
}
```

See also: [Standardized API for EHRs Cheat Sheet](/blog/standardized-api-for-ehrs-cheat-sheet).
