We’re running a test-case for multiple matches against the INT environment using parameters:
The response has status 200 with an OperationOutcome resource containing an issue with code
FHIR R4 search provides 2 alternative responses.
“If the search succeeds, the server SHALL return a 200 OK HTTP status code and the return content SHALL be a Bundle with type =
searchset containing the results of the search as a collection of zero or more resources in a defined order.”
“If the search fails (cannot be executed, not that there are no matches), the return value return value SHALL be a status code 4xx or 5xx with an OperationOutcome.”
We expected the OperationOutcome to be included as an entry of type
outcome in the Bundle.
Can I ask what level of access you’re using for these searches?
To potentially pre-empt the answer, if using Application-restricted access:
In this access mode, you only get a single matching patient record, and only if it’s a unique match.
This is documented on Personal Demographics Service - FHIR API - NHS Digital
We are indeed using Application-restricted access and are testing the case where there are multiple matches.
As this is a FHIR search, the API should respond with one of the combinations of HTTP status and FHIR resourcetype as outlined above (i.e. 200 Bundle | 4xx/5xx OperationOutcome). The PDS API documentation says the response will be “HTTP status: 200. A completed search. This might contain zero, one or many matching patients, or it might contain a ‘TOO_MANY_MATCHES’ error.” We therefore expected HTTP status 200 and a FHIR Bundle containing an OperationOutcome as an entry.
PDS API is responding with HTTP status 200 and a FHIR OperationOutcome. This is consistent with the PDS API documentation but isn’t consistent with FHIR (requiring workarounds to be applied in the client).
Is this as intended?
I get what you mean.
Wouldn’t it be better with a 422 and OperationOutcome?
The search has not been performed and 200 at a basic level indicates all is ok (but it isn’t)
I think a case can be made for both 200 and 4xx responses (e.g. 422) - either could be made to work.
As the search is a valid one that the server has processed (in order to determine that there are multiple matches) it seems a little harsh to class this as a Client Error. The only way a client application could avoid this error would be if it already had a priori information allowing it to uniquely identify a single individual within the UK!
From memory (when we designed this bit) we went back and forth on what response code to return. I was the product owner at the time and was a but uneasy about returning a 200 with an OperationOutcome but as you say it seemed the most appropriate response since the search had indeed been processed - 4xx typically implies some sort of mistake on the caller’s part, whereas in this scenario there’s nothing wrong with the request.
NHS API Management team let me know that there is currently no intention to change the API behaviour to conform to the FHIR standard.