Documentation Critical Health Information API

Here you can find documentation on how to get started using the critical-information-API.

Intro to the API

The API is a FHIR facade that supports CRUD operations on the FHIR profiles defined for Norwegian critical health information types. It is a national solution for healthcare professionals to get and update summary card information for a patient. The Kjernejournal healthcare portal also uses this API. Inhabitants have read access to the information from Helsenorge.no.

Getting started

Authentication and authorization with HelseID - see Authorization.

For test-environments see environments.

API methods

See supported methods here.

FHIR-profiles

Documentation about FHIR-profiles.

Status endpoint

The status endpoint returns whether or not the patient has registered critical health information, and a timestamp of when the information was last changed. See status-endpoint.

Note:
We expect clients to always request the status-endpoint first to see whether the patient has set a restriction or is blocked.

Security

We do our best to keep the data we receive clean from malicious content, to avoid potentially sending malicious content back to the clients that read the data. However, this is not a failsafe approach, so we expect clients to always validate and clean data for any malicious content before sending it to the API. If we detect malicious content, the request will be rejected. A good starting point is to follow the OWASP guidelines and the HelseID checklist for securing APIs.

Also note that we expect the main defense against security breaches caused by malicious content to be implemented by every client in the application layer, using good practices such as proper HTML escaping or prepared statements in the database.
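
The two client-side practices named above, shown as an added example that is not part of the API or its official client code: free text read from a resource is stored with a prepared statement and HTML-escaped only when rendered. The resource layout, table name and function names are assumptions made for illustration, and the sample resource is constructed.

```python
import html
import sqlite3

# Constructed sample: a FHIR-style resource as a client might receive it.
# The field layout is an assumption, not the API's actual profile.
SAMPLE_RESOURCE = {
    "resourceType": "AllergyIntolerance",
    "id": "example-1",
    "note": [{"text": "Penicillin <script>alert(1)</script>'); DROP TABLE notes;--"}],
}

def extract_notes(resource):
    """Return free-text note strings; reject anything that is not a string."""
    notes = []
    for entry in resource.get("note", []):
        text = entry.get("text")
        if not isinstance(text, str):
            raise ValueError("note.text must be a string")
        notes.append(text)
    return notes

def store_notes(conn, resource_id, notes):
    """Store the raw text with bound parameters so it is never parsed as SQL."""
    conn.executemany(
        "INSERT INTO notes (resource_id, body) VALUES (?, ?)",
        [(resource_id, n) for n in notes],
    )
    conn.commit()

def render_notes(conn, resource_id):
    """Escape at output time so stored text is displayed, not interpreted."""
    rows = conn.execute(
        "SELECT body FROM notes WHERE resource_id = ?", (resource_id,)
    ).fetchall()
    items = "".join(f"<li>{html.escape(body, quote=True)}</li>" for (body,) in rows)
    return f"<ul>{items}</ul>"

def demo():
    """Run the store-then-render path on the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (resource_id TEXT, body TEXT)")
    store_notes(conn, SAMPLE_RESOURCE["id"], extract_notes(SAMPLE_RESOURCE))
    count = conn.execute("SELECT COUNT(*) FROM notes").fetchone()[0]
    return count, render_notes(conn, SAMPLE_RESOURCE["id"])

if __name__ == "__main__":
    print(demo())
```

The stored value stays byte-for-byte what was received; escaping is applied per output context, so the same row can later be rendered safely in a different context.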