Products & scopes
Rail lets you request exactly the data your application needs — nothing more. You ask for products; the patient sees and approves scopes.
Products
A product is a coarse, easy-to-request bundle of data. You enable products when you create a connect session:
{ "products": ["clinical", "labs", "medications"] }
| Product | What you get |
|---|---|
| clinical | Conditions, allergies, immunizations, procedures, encounters, vital signs |
| labs | Lab results and diagnostic reports, with reference ranges |
| medications | Prescriptions, dispenses, and reported medications |
| claims | Insurance claims (explanation of benefits) and coverage |
| documents | Clinical notes and documents |
Everything is returned as profiled FHIR R4 (US Core for clinical data, CARIN Blue Button for claims), so the shapes and code systems are predictable.
Derived products
Beyond raw data, Rail can compute higher-level products on top of the record:
| Product | What it is |
|---|---|
| summary | A concise longitudinal overview of the patient |
| care_gaps | Detected gaps in recommended care |
Derived products are computed from the underlying data and always cite the resources they were drawn from, so you can trace every conclusion back to its evidence.
Scopes
Under the hood, each product expands into fine-grained scopes — the units the patient actually sees and approves in Rail Connect. Scopes use the standard SMART on FHIR v2 format:
patient/Condition.rs
patient/Observation.rs?category=laboratory
patient/MedicationRequest.rs
This is why a product like labs requests lab results specifically, and not, say,
vital signs — even though both are FHIR Observations. The patient's consent is
described precisely, and the token you receive enforces it on every read.
When you exchange a public token, the response tells you exactly what was granted:
{
  "granted_scopes": [
    "patient/Condition.rs",
    "patient/Observation.rs?category=laboratory",
    "patient/MedicationRequest.rs"
  ]
}
Access is enforced, never silent
A patient access token can only read what it was granted. If you request a resource type outside the grant, Rail returns an explicit error rather than an empty result, so a missing scope is never mistaken for missing data:
// GET .../resources/Condition with a labs-only token →
{ "error": { "type": "consent_error", "code": "scope_not_granted", "message": "…" } }
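An added example, not part of Rail's documentation or SDK: a local pre-check in Python that parses the `granted_scopes` array shown above and separates a missing scope from missing data. The function names, and the conservative rule that a filtered scope only covers a search carrying the same filter value, are assumptions of this sketch; Rail's server-side enforcement remains authoritative.

```python
from urllib.parse import parse_qsl

# Constructed sample: the "granted_scopes" array from the token-exchange response above.
GRANTED = [
    "patient/Condition.rs",
    "patient/Observation.rs?category=laboratory",
    "patient/MedicationRequest.rs",
]

def parse_scope(scope):
    """Split a SMART on FHIR v2 scope into (context, resource, permissions, filters)."""
    head, _, query = scope.partition("?")
    context, _, rest = head.partition("/")
    resource, _, perms = rest.rpartition(".")
    if not (context and resource and perms) or set(perms) - set("cruds"):
        raise ValueError(f"not a SMART v2 scope: {scope!r}")
    return context, resource, set(perms), dict(parse_qsl(query))

def is_covered(granted, resource, interaction, search=None):
    """True if a patient-context read ('r') or search ('s') on `resource` is within the grant.

    Assumption of this sketch: a scope with a ?filter only covers requests that carry
    the same filter values, so an unfiltered Observation search is treated as NOT
    covered by a laboratory-only scope.
    """
    search = search or {}
    for scope in granted:
        context, res, perms, filters = parse_scope(scope)
        if context != "patient" or res not in (resource, "*"):
            continue
        if interaction in perms and all(search.get(k) == v for k, v in filters.items()):
            return True
    return False

def classify_response(body):
    """Separate 'not consented' from 'no data' using the error shape shown on this page."""
    err = body.get("error")
    if err and err.get("type") == "consent_error" and err.get("code") == "scope_not_granted":
        return "scope_not_granted"
    return "error" if err else "ok"
```

Running `is_covered` before a request lets an application prompt for the missing product instead of issuing a call that will fail, while `classify_response` keeps a `scope_not_granted` reply from being rendered as "no records found".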
Next: Consent & sensitive data covers how patients control sharing and how specially protected data is handled.