guish access privileges among providers. Physicians approved for practice at an organization generally have access to any record they claim to need, without further review. At the paper record level, where records must be checked out of storage areas, the decision is generally made on the basis of the number of records requested. If a provider requests more than about three records at a time, questions are raised as to the purpose and authorization, with the implicit assumption that some research project is involved for which prior approval of an institutional review board is needed.
The committee found strong pressure from physicians at the sites visited not to distinguish record access privileges among in-house physicians on any role-specific criteria. Their arguments rested on physicians' existing ethical training and commitment to protecting patient privacy. At the small number of sites where role-based access controls were being instituted, strong workplace pressure was felt to broaden the access privileges of each role category, because providers had encountered blocked access to portions of records that they felt they needed in the course of their work. Such difficulties might be overcome by allowing user-initiated overrides in exceptional cases, followed by audit to confirm that a legitimate need for the override existed. For example, an exceptional access might trigger an automatic e-mail notification to the physician of record and an entry noting the access in the patient's chart. If overrides become routine rather than exceptional, the role definitions themselves are probably too narrow and should be revisited. In secondary-use settings, such as insurance payers, the committee observed that role-based access control was not questioned and was in more routine use.
Some sites allow broad access privileges for providers but make it clear that an audit trail (see below) is kept of every access, that perceived inappropriate use will be questioned, and that sanctions will follow. Evidence indicates that this audit-based approach is an effective deterrent for providers, who are already bound by professional ethics. No site questioned the need for an emergency override for access to records, with provision for after-the-fact audit analysis. The committee found no evident use of strong authorization controls based on access control lists.
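The override-then-audit pattern described in this and the preceding paragraph, combined with the workstation-location restriction the next paragraph describes, can be expressed as a single access decision. The following is an added illustration written for this page; it is not code from the committee's report or from any site it visited. It assumes constructed role and location tables, care-team membership as the need-to-know criterion for clinical records, a stated override reason as the trigger for break-glass access, and the three-record bulk threshold taken from the paper-record practice described above. The ordering is the security-relevant point: the location perimeter and the role check are hard stops that an override cannot bypass, and only the need-to-know check is overridable, with every outcome written to the audit trail.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed policy tables for illustration; no real site's configuration.
ROLE_PERMISSIONS = {
    "physician": {"clinical"},
    "nurse": {"clinical"},
    "payroll_clerk": {"personnel"},
}
# Location perimeter: which database classes a workstation location may reach,
# regardless of who is logged in (the payroll-workstation rule from the text).
LOCATION_PERMISSIONS = {
    "ward": {"clinical"},
    "payroll_office": {"personnel"},
}
BULK_REVIEW_THRESHOLD = 3  # more than this many records at once is held for review


@dataclass
class Record:
    record_id: str
    db_class: str             # "clinical" or "personnel"
    physician_of_record: str  # notified on an exceptional access (clinical only)
    care_team: Set[str]       # users with ordinary need-to-know


@dataclass
class AccessRequest:
    user: str
    role: str
    location: str             # attribute of the workstation, not of the user
    records: List[Record]
    override_reason: Optional[str] = None  # stated reason enables break-glass


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)
    notifications: List[Tuple[str, str]] = field(default_factory=list)
    chart_entries: List[Tuple[str, str]] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """All-or-nothing decision over the requested records; every step is audited."""
    d = Decision(allowed=False, reason="")

    def log(event: str, rec_id: str, detail: str) -> None:
        d.audit.append((event, req.user, rec_id, detail))

    # Bulk requests go to review before any record is released.
    if len(req.records) > BULK_REVIEW_THRESHOLD:
        d.reason = "bulk request held for review"
        log("held", "*", f"{len(req.records)} records requested")
        return d

    for rec in req.records:
        # Hard stop 1: the workstation's location perimeter. Not overridable.
        if rec.db_class not in LOCATION_PERMISSIONS.get(req.location, set()):
            d.reason = f"location {req.location} cannot reach {rec.db_class} data"
            log("denied", rec.record_id, d.reason)
            return d
        # Hard stop 2: role authorization. Not overridable.
        if rec.db_class not in ROLE_PERMISSIONS.get(req.role, set()):
            d.reason = f"role {req.role} not authorized for {rec.db_class} data"
            log("denied", rec.record_id, d.reason)
            return d
        # Ordinary access: non-clinical data, or a member of the care team.
        if rec.db_class != "clinical" or req.user in rec.care_team:
            log("access", rec.record_id, "ordinary")
            continue
        # Break-glass: permitted with a stated reason, then notify and chart it.
        if req.override_reason:
            log("override", rec.record_id, req.override_reason)
            d.notifications.append((rec.physician_of_record,
                                    f"{req.user} accessed {rec.record_id}: {req.override_reason}"))
            d.chart_entries.append((rec.record_id, f"exceptional access by {req.user}"))
            continue
        d.reason = f"{req.user} not on care team for {rec.record_id}; override reason required"
        log("denied", rec.record_id, d.reason)
        return d

    d.allowed = True
    d.reason = "granted"
    return d


# Constructed sample records.
REC_A = Record("R-1001", "clinical", "dr_lee", {"dr_lee", "nurse_kim"})
REC_B = Record("R-1002", "clinical", "dr_shah", {"dr_shah"})
PAYROLL = Record("H-2001", "personnel", "", {"payroll_1"})

if __name__ == "__main__":
    for req in (
        AccessRequest("dr_lee", "physician", "ward", [REC_B], override_reason="ED consult"),
        AccessRequest("dr_lee", "physician", "payroll_office", [REC_A], override_reason="emergency"),
    ):
        d = evaluate(req)
        print(d.allowed, d.reason, d.audit, d.notifications)
```

The second sample request shows why location control supplements rather than replaces user-level authorization: a physician with every role-based right still cannot pull a clinical record from a payroll workstation, and an override reason does not change that, while the same override from a ward workstation succeeds and leaves a notification, a chart entry, and an audit record for later review.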
Other sites use a system that limits the databases and applications that can be accessed from particular locations. For example, workstations in the payroll department cannot access clinical databases even if the user has the appropriate (role-related) authorizations. Similarly, workstations in clinical settings may not access personnel files. Such restrictions must be viewed as a means of supplementing rather than supplanting access controls based on strong user authentication and need-to-know criteria. Location-based controls can help define the access perimeter of information systems by preventing any users lacking appropriate authorizations