Creating a FHIR Subscription with AWS HealthLake - AWS HealthLake

The following guide shows you how to create a FHIR Subscription using AWS HealthLake.

To create a FHIR Subscription

  1. Create a SubscriptionTopic.

    Example Subscription Topic resource:

    {
      "resourceType": "SubscriptionTopic",
      "url": "http://example.org/FHIR/SubscriptionTopic/encounter-create",
      "version": "1.0.0-fhir.r4b",
      "title": "encounter-create",
      "status": "unknown",
      "description": "Example topic for new encounters",
      "resourceTrigger": [
        {
          "description": "Encounter Create",
          "resource": "Encounter",
          "supportedInteraction": ["create", "update"]
        }
      ]
    }

  2. Prepare your notification endpoint (custom channel). The following steps are required to ensure the endpoint receives notifications.

    When using REST Hook

    • Trust events.amazonaws.com in your KMS key policy if using a CM_CMK datastore.

    • If using a CM_CMK datastore, you must add the EventBridgeApiDestinations tag to your KMS key with the value of true.

    • HealthLake uses OAuth to authenticate your REST Hook endpoint. Therefore, when creating a REST hook subscription, you must pass in a client-id, client-secret, and oAuth-endpoint-url in the channel._type.extension[*].

    Example KMS key policy statement if using a CM_CMK datastore:

    {
      "Sid": "AllowEventBridgeToUseKMSKey",
      "Effect": "Allow",
      "Principal": {
        "Service": ["events.amazonaws.com", "healthlake.amazonaws.com"]
      },
      "Action": ["kms:GenerateDataKey*", "kms:Decrypt", "kms:DescribeKey"],
      "Resource": "*"
    }

    When using EventBridge

    • Trust events.amazonaws.com in your KMS key policy if using a CM_CMK datastore.

    • Verify your EventBridge resource policy trusts healthlake.amazonaws.com as a service principal.

    • When using CM_CMK and EventBridge is the endpoint, verify that you are encrypting your EventBridge bus with the same KMS key as the datastore KMS key.

    • Verify that your EventBridge bus has at least 1 rule that matches events generated by HealthLake.

    Example resource policy for EventBridge channel bus:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "allowHealthlakeToPutEvents",
          "Effect": "Allow",
          "Principal": { "Service": "healthlake.amazonaws.com" },
          "Action": "events:PutEvents",
          "Resource": "arn:aws:events:us-east-1:111122223333:event-bus/FhirSubscriptions-bus"
        }
      ]
    }

    Example EventBridge rule event-pattern to receive events from HealthLake:

    {
      "detail-type": ["FHIR Subscription Notification"],
      "source": ["healthlake"]
    }

    Note

    HealthLake supports 2 sources:

    • “healthlake”: Only for Subscriptions.

    • “aws.healthlake”: To receive HealthLake service events.

    Use “healthlake” as the source when creating a rule for FHIR Subscriptions event buses.

  3. Create your Subscription.

    Submit a Subscription resource with:

    • Status: "requested"

    • Reference to your chosen SubscriptionTopic id

    • Filter criteria. For more information, see Filtering Notifications for supported filters.

    • Channel configuration
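
The endpoint checks from step 2 can be run offline before submitting the Subscription. The following is an added example, not code from the AWS documentation: it takes the KMS key policy, key tags, event bus policy and rule event patterns as already-exported JSON and reports which of the requirements above are unmet. The function names, finding strings and sample documents are assumptions constructed for illustration; Condition blocks and the bus encryption key are not checked.

```python
# Added example: offline preflight for a CM_CMK datastore, using the principals,
# tag and event source named in step 2. All sample documents are constructed.
KMS_ACTIONS = ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"]

def _listify(v):
    return v if isinstance(v, list) else [v]

def allows(policy, service, action):
    """True if an Allow statement names `service` as principal and covers `action`.
    Accepts a full policy or a single statement; Condition blocks are not evaluated."""
    for st in _listify(policy.get("Statement", policy)):
        principal = st.get("Principal")
        services = _listify(principal.get("Service", [])) if isinstance(principal, dict) else []
        # Exact match or trailing wildcard (e.g. kms:GenerateDataKey*).
        covered = any(a == action or (a.endswith("*") and action.startswith(a[:-1]))
                      for a in _listify(st.get("Action", [])))
        if st.get("Effect") == "Allow" and service in services and covered:
            return True
    return False

def preflight(channel, key_policy, key_tags=None, bus_policy=None, rule_patterns=()):
    """Return findings for channel 'rest-hook' or 'eventbridge'; empty list means ready."""
    findings = []
    if not all(allows(key_policy, "events.amazonaws.com", a) for a in KMS_ACTIONS):
        findings.append("KMS key policy does not trust events.amazonaws.com")
    if channel == "rest-hook" and (key_tags or {}).get("EventBridgeApiDestinations") != "true":
        findings.append("KMS key lacks tag EventBridgeApiDestinations=true")
    if channel == "eventbridge":
        if not allows(bus_policy or {}, "healthlake.amazonaws.com", "events:PutEvents"):
            findings.append("event bus policy does not trust healthlake.amazonaws.com")
        # A pattern without "source" matches every source; only exact-match values are handled.
        if not any("source" not in p or "healthlake" in p["source"] for p in rule_patterns):
            findings.append('no rule matches source "healthlake"')
    return findings

# Constructed sample inputs.
KEY_STMT = {"Sid": "AllowEventBridgeToUseKMSKey", "Effect": "Allow",
            "Principal": {"Service": ["events.amazonaws.com", "healthlake.amazonaws.com"]},
            "Action": ["kms:GenerateDataKey*", "kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}
BUS_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
              "Principal": {"Service": "healthlake.amazonaws.com"},
              "Action": "events:PutEvents", "Resource": "*"}]}
WRONG_RULE = {"detail-type": ["FHIR Subscription Notification"], "source": ["aws.healthlake"]}
GOOD_RULE = {"detail-type": ["FHIR Subscription Notification"], "source": ["healthlake"]}

if __name__ == "__main__":
    print(preflight("eventbridge", KEY_STMT, bus_policy=BUS_POLICY, rule_patterns=[WRONG_RULE]))
    print(preflight("rest-hook", KEY_STMT, key_tags={}))
```

A rule that uses only the "aws.healthlake" source is reported, since that source carries HealthLake service events rather than Subscription notifications.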