How to check access based on both userId and dataId using the Google Healthcare Consent API?

Users can add other users to their careteam and assign a role to each member of their careteam. When accessing the profile of another user, the system should check if the user gave consent to do this.

Question 1: How to check if user X gave consent to view the profile of user Y?

Question 2: Can Google Healthcare Consent API handle this?

Question 3: Does it make sense to use Google Healthcare Consent API for this?

Current concept

Example use case: Grandma is the patient and Alice is taking care of her in a "doctor" context.

In the current setup, there is a dataMapping for each careteam member:

{
  userId: 'id_of_alice',
  dataId: 'users/id_of_grandma/profile',
  resourceAttributes: [
    {
      attributeDefinitionId: 'careteam',
      values: ['doctor']
    }
  ]
}

I used two methods to check if Alice has access to Grandma's profile:

checkDataAccess

This method takes a dataId as input and returns true if consent was given to ANY user. That's not very useful... Should I lookup the userId on my side and pass the role in requestAttributes? (What does the Consent API offer then?)

evaluateUserConsents

This method takes a userId as input and returns all consented dataIds. This does not seem scalable. A doctor may have access to thousands of patients.

How many English words
do you know?
Test your English vocabulary size, and measure
how many words do you know
Online Test
Powered by Examplum