Cross-clinic consent
How cross-clinic consent works
Patients can authorise one clinic to read records held by another clinic. flows.care models that authorisation as a pairwise consent grant: explicit source, explicit recipient, explicit data scopes, optional expiry. This article explains the model.
Grants are pairwise
A grant binds (recipient, source). To let Clinic A read records that Clinic B holds, the patient issues a single grant from B to A. If the patient is also a patient at Clinic C and wants A to see those records too, that's a second grant — from C to A. Adding a future Clinic D never silently widens an existing grant; the patient must opt in explicitly.
Data scopes
Each grant carries one or more scope codes that control what the recipient can read: records.read (basic identity, MRN, DOB), medical_history.read (blood type, allergies, conditions, emergency contact), appointments.read (appointment history at the source clinic), and progress_notes.read (clinical visit notes). The recipient sees only the scopes the patient picked.
Platform identity vs consent — two separate gates
Linking a tenant patient to a platform identity lets the patient see all their own records aggregated in their portal. It does NOT give any clinic access to records held elsewhere. Access by clinic staff to records held at another clinic stays gated by ConsentGrant. The two gates are independent by design.
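The sketch below is an added example, not flows.care code. It shows how the pairwise, scoped, expiring grant and the separate identity gate described above combine into a single deny-by-default access check. The field names, the may_read function, the platform_linked flag and the clinic and patient identifiers are assumptions made for illustration; only the ConsentGrant name and the scope codes come from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Scope codes exactly as listed in the article.
SCOPES = frozenset({"records.read", "medical_history.read",
                    "appointments.read", "progress_notes.read"})

@dataclass(frozen=True)
class ConsentGrant:
    # Field names are assumptions for this sketch, not the platform's schema.
    patient_id: str
    source: str       # clinic that holds the records
    recipient: str    # clinic allowed to read them
    scopes: frozenset
    expires_at: Optional[datetime] = None  # None means no expiry

    def __post_init__(self):
        unknown = set(self.scopes) - SCOPES
        if not self.scopes or unknown:
            raise ValueError(f"invalid scopes: {sorted(unknown) or 'none given'}")

def may_read(grants, patient_id, recipient, source, scope, now,
             platform_linked=False):
    """Deny by default; allow only on an exact, unexpired, in-scope grant."""
    # platform_linked is accepted and deliberately ignored: identity linking
    # feeds the patient's own portal and is never an input to staff access.
    if scope not in SCOPES:
        return False
    for g in grants:
        # Pairwise and directional: B->A says nothing about A->B or C->A.
        if (g.patient_id, g.source, g.recipient) != (patient_id, source, recipient):
            continue
        if g.expires_at is not None and now >= g.expires_at:
            continue  # expired grants never authorise a read
        if scope in g.scopes:
            return True
    return False

# Constructed sample data: patient p1 has granted clinic-a two sources.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
GRANTS = [
    ConsentGrant("p1", "clinic-b", "clinic-a",
                 frozenset({"records.read", "appointments.read"})),
    ConsentGrant("p1", "clinic-c", "clinic-a",
                 frozenset({"progress_notes.read"}),
                 expires_at=datetime(2025, 1, 1, tzinfo=timezone.utc)),
]
```

The check covers cross-clinic reads only; a clinic's access to records it holds itself is outside what this sketch models.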