ADR-0045: Cross-tenant medication routing (EHR tenant → pharmacy tenant)
Status: Proposed
Date: 2026-04-04
Deciders: Platform / Ghasi e-prescribing gateway module owners, security, product
Related: ADR-0044 (decision point 4), ADR-0043, specs/modules/ghasi-e-prescribing-gateway/SPEC.md
Context
ADR-0044 states that multi-tenant routing (EHR tenant A → pharmacy tenant B) is a later iteration. MVP contract tests and runtime behaviour target same-tenant prescriber and pharmacy clients. Before pilots that cross tenant boundaries, product and security need explicit rules so routing, audit, and visibility remain defensible.
Decision
- MVP default: Same-tenant only for MedicationRequest / MedicationDispense interop through e-prescribing-gateway. Cross-tenant behaviour is off unless a feature flag (e.g. GHASI_EPGW_CROSS_TENANT_ROUTING) and this ADR’s follow-on rules are enforced in code and configuration.
- When cross-tenant is enabled (pilots only):
  - Routing: Target pharmacy (or chain) MUST be resolved from authoritative directory data (Organization/Endpoint or equivalent) with explicit linkage to the prescription; no “guess from extension only” for cross-tenant targets.
  - Audit: Every cross-tenant read or write at the gateway MUST emit audit events with both tenant IDs (source EHR tenant, destination pharmacy tenant), actor, correlation ID, and resource identifiers.
  - Visibility: Pharmacy-side read/search MUST be scoped so a tenant sees only rows their policy allows; break-glass access (if any) is a separate product decision, logged and time-bound.
- SPEC / ADR alignment: Amend SPEC.md FR-RX-008 and routing sections when the first pilot is scheduled; do not rely on this ADR alone for operational runbooks.
- Same-tenant regression: Until cross-tenant is generally available, production configurations SHOULD keep the feature flag disabled and tests SHOULD assert tenant isolation on URL/body parameters (see implementation checklist).
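One way the flag, routing and audit rules above could be enforced in a single gateway guard, added here as an example and not taken from the Ghasi code base. Only the flag name comes from this ADR; the Request shape, authorize_route, the config mapping, the "true" flag value, the directory_links set and the choice to audit denied attempts are assumptions.

```python
from dataclasses import dataclass

FLAG = "GHASI_EPGW_CROSS_TENANT_ROUTING"  # flag name given as an example in the ADR


class RoutingDenied(Exception):
    """Raised when a cross-tenant route fails the ADR's rules."""


@dataclass(frozen=True)
class Request:  # hypothetical shape of a gateway call
    source_tenant: str     # EHR tenant of the caller
    target_tenant: str     # pharmacy tenant being addressed
    prescription_id: str   # MedicationRequest identifier
    actor: str
    correlation_id: str


def authorize_route(req, config, directory_links, audit_log):
    """Return 'same-tenant' or 'cross-tenant', or raise RoutingDenied.

    directory_links: set of (prescription_id, pharmacy_tenant) pairs taken from
    authoritative directory data (assumed to be loaded by the caller).
    """
    if req.source_tenant == req.target_tenant:
        return "same-tenant"  # MVP default path; cross-tenant rules do not apply

    def audit(outcome, reason):
        # Both tenant IDs, actor, correlation ID and resource identifier (Audit rule).
        audit_log.append({
            "source_tenant": req.source_tenant,
            "destination_tenant": req.target_tenant,
            "actor": req.actor,
            "correlation_id": req.correlation_id,
            "resource": f"MedicationRequest/{req.prescription_id}",
            "outcome": outcome,
            "reason": reason,
        })

    # Fail closed: anything other than an explicit "true" keeps routing off.
    if str(config.get(FLAG, "")).strip().lower() != "true":
        audit("denied", "flag-disabled")
        raise RoutingDenied("cross-tenant routing is disabled")
    # Routing rule: the target must be explicitly linked to this prescription.
    if (req.prescription_id, req.target_tenant) not in directory_links:
        audit("denied", "no-directory-link")
        raise RoutingDenied("target pharmacy not linked in directory data")
    audit("allowed", "directory-link")
    return "cross-tenant"
```
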
Consequences
- Positive: Clear bar for pilots; avoids silent cross-tenant leakage; aligns with ADR-0044 “extended routing later.”
- Negative: Product must fund directory depth and policy work before cross-tenant UX is real; not a small flag flip alone.
Compliance
This ADR satisfies the plan item “ADR or SPEC amendment for cross-tenant pilots” and should be Accepted before enabling cross-tenant routing in any shared environment.