diff --git a/care/emr/api/viewsets/allergy_intolerance.py b/care/emr/api/viewsets/allergy_intolerance.py
index d174fb5f4b..faeb1ee54e 100644
--- a/care/emr/api/viewsets/allergy_intolerance.py
+++ b/care/emr/api/viewsets/allergy_intolerance.py
@@ -67,6 +67,7 @@ def authorize_create(self, instance):
             "can_write_patient_obj", self.request.user, self.get_patient_obj()
         ):
             raise PermissionDenied("You do not have permission to update encounter")
+        # TODO If there is an encounter, check access to the encounter
 
     def get_queryset(self):
         if not AuthorizationController.call(
diff --git a/care/emr/api/viewsets/base.py b/care/emr/api/viewsets/base.py
index 97612d2bf9..37d765e5bf 100644
--- a/care/emr/api/viewsets/base.py
+++ b/care/emr/api/viewsets/base.py
@@ -131,7 +131,7 @@ def perform_update(self, instance):
             instance.save()
             if getattr(self, "CREATE_QUESTIONNAIRE_RESPONSE", False):
                 QuestionnaireResponse.objects.create(
-                    subject_id=self.fetch_patient_from_instance(instance),
+                    subject_id=self.fetch_patient_from_instance(instance).external_id,
                     patient=self.fetch_patient_from_instance(instance),
                     encounter=self.fetch_encounter_from_instance(instance),
                     structured_responses={