authorization build in model?

Read up on ActiveRecord with_scope - you might want to do something like this:

# The scope restricts every find inside the block to patients in the current user's groups
Patient.with_scope(
  :find => {:conditions => ["groups.user_id=?", User.current_user],
            :include => [:groups]}) do
  Patient.find(:all, :conditions => <other conditions for patient go here>, ...)
end

This is a really nicely structured way of separating the authorisation
concern from the actual query.

Note that you could also include the user table:
:include=>{:groups=>:user} and then use users.user_id in the
condition.

Cheers,
Max
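
Added example (not part of the post above, and not ActiveRecord code): a plain-Ruby model of the same idea, where an authorization predicate is pushed for the duration of a block and ANDed onto whatever conditions the caller supplies. PatientStore, owned_by, demo_store and the sample records are hypothetical and constructed for illustration.

```ruby
# Plain Ruby stand-in for the with_scope pattern; no Rails required.
# PatientStore and its methods are hypothetical, not ActiveRecord API.
Patient = Struct.new(:id, :name, :ward, :group_id)
Group   = Struct.new(:id, :user_id)

class PatientStore
  def initialize(patients, groups)
    @patients = patients
    @groups_by_id = groups.map { |g| [g.id, g] }.to_h
    @scopes = []                      # stack of active authorization predicates
  end

  # Like with_scope: the predicate applies to every find inside the block.
  def with_scope(predicate)
    @scopes.push(predicate)
    yield
  ensure
    @scopes.pop                       # scope is dropped even if the block raises
  end

  # Caller conditions are ANDed with all active scopes: they can narrow the
  # result but never widen it past the authorization predicate.
  def find_all(&conditions)
    @patients.select do |p|
      group = @groups_by_id[p.group_id]
      @scopes.all? { |s| s.call(p, group) } && (conditions.nil? || conditions.call(p))
    end
  end
end

# Authorization concern, kept separate from the query: group must belong to user.
def owned_by(user_id)
  ->(_patient, group) { !group.nil? && group.user_id == user_id }
end

def demo_store                        # constructed sample data
  groups = [Group.new(1, 10), Group.new(2, 20)]
  patients = [Patient.new(1, "Ann", "A", 1), Patient.new(2, "Bob", "B", 1),
              Patient.new(3, "Cy", "A", 2), Patient.new(4, "Dee", "A", nil)]
  PatientStore.new(patients, groups)
end

def names_in_ward_a_for(user_id)
  store = demo_store
  store.with_scope(owned_by(user_id)) do
    store.find_all { |p| p.ward == "A" }.map(&:name)
  end
end

puts names_in_ward_a_for(10).inspect
```

A find issued outside the block is not restricted at all, so the check only holds if every query path for the model runs inside the scope.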