Hello everyone!
I am new to this group. I am writing a patient-facing app that will pull data from Epic, using the SMART on FHIR R4 version. I am currently doing sandbox testing. The sandbox patients can authenticate through my app via OAuth, and the app subsequently receives a token from Epic, which is used for subsequent requests.
However, only two types of lab bundles come across:
(a) top-level Observations with codes like 4548-4/1558024 (hematocrit-style entries) that don't match my filters, and
(b) references to other Observation IDs. When I try to follow those references, Epic returns HTTP 403 with error code 59203 (“The authenticated user is blocked from performing the requested operation”).
In other words, the sandbox token doesn’t have permission to dereference the child Observation resources that actually carry the component results, so I never receive the hemoglobin/glucose/B12, platelets, etc. payloads.
At this point, I am fairly certain it's a data permission issue instead of a client bug. I have enabled Patient.Read (Demographics) (R4), Patient.Search (Demographics) (R4), Observation.Read (Core Characteristics) (R4), Observation.Read (Labs) (R4), and pretty much anything having to do with Observation.Read or Observation.Search.
I have noticed that there is not a general permission for Patient.Read or Patient.Search for R4. Support from Epic has been non-responsive. I am stuck. Why is code 52903 being thrown? Are there other permissions I need? Is the sandbox client allowed to read the referenced observations? Some guidance would be very much appreciated.
Thanks!
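
Added example (not part of the original post, and not Epic's code): a small Python diagnostic that compares the scope string returned with the access token against the Observation references the app follows, to separate a scope that was never granted from a server-side denial. The sample token, Bundle and 403 body are constructed; the use of `hasMember` for the child references and the position of the error code in the OperationOutcome are assumptions.

```python
# Constructed sample data for illustration; not real Epic output. The hasMember links and the
# error code under issue.details.coding are assumptions about how the responses are shaped.
TOKEN = {"scope": "patient/Patient.read patient/Observation.read", "patient": "example-patient"}
BUNDLE = {"resourceType": "Bundle", "entry": [
    {"resource": {"resourceType": "Observation", "id": "panel-1",
                  "hasMember": [{"reference": "Observation/child-1"},
                                {"reference": "Observation/child-2"}]}},
    {"resource": {"resourceType": "Observation", "id": "hct-1"}}]}
DENIAL = {"resourceType": "OperationOutcome", "issue": [{
    "severity": "fatal", "code": "forbidden",
    "details": {"coding": [{"code": "59203"}],
                "text": "The authenticated user is blocked from performing the requested operation"}}]}

def scope_allows(scope_string, resource_type, interaction="read"):
    """True if a granted SMART scope covers `interaction` ('read' or 'search') on the type."""
    for scope in scope_string.split():
        context, _, rest = scope.partition("/")
        if context not in ("patient", "user") or "." not in rest:
            continue                              # skips openid, launch/patient, fhirUser, ...
        rtype, perms = rest.split(".", 1)
        perms = perms.split("?", 1)[0]            # SMART v2 query restrictions are ignored here
        if rtype not in ("*", resource_type):
            continue
        if perms in ("read", "*"):                # SMART v1: .read covers read and search
            return True
        if perms != "write" and interaction[0] in perms:  # SMART v2: letters from "cruds"
            return True
    return False

def member_references(bundle):
    """(parent id, reference) pairs for every Observation.hasMember link in a Bundle."""
    pairs = []
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        if res.get("resourceType") == "Observation":
            pairs += [(res.get("id"), m["reference"])
                      for m in res.get("hasMember", []) if "reference" in m]
    return pairs

def explain_denial(status, body, scope_string, reference):
    """Separate 'scope never granted' from 'scope granted but the server blocked the read'."""
    rtype = reference.split("/")[-2] if "/" in reference else "Observation"
    codes = [c.get("code") for i in body.get("issue", [])
             for c in i.get("details", {}).get("coding", [])]
    if status != 403:
        return ("not-a-denial", codes)
    if not scope_allows(scope_string, rtype, "read"):
        return ("scope-missing", codes)
    return ("scope-present-server-denied", codes)
```

A `scope-present-server-denied` result means the scope string already covers Observation reads, so the denial was applied by server-side policy rather than by a scope missing from the token.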