EMR Permissions

It’s always interesting to talk with someone about the permissions they should set in their EMR. Pretty much every EMR that has any footprint has a broad set of permissions available to restrict the access of your end users. It can often be a pretty significant task to set all of these permissions. Thankfully, it’s a project that you do once and then don’t have to do again (except for maybe some minor changes). Also, many EMR vendors have good templates for giving you a starting point for permissions.

What usually happens is that users end up with ALL sorts of restrictions on user accounts. I can’t say this is such a bad thing. Users should only have access to the information and features they need for the job. However, in the application of this rule, people almost always go overboard. Shortly after an implementation, the permissions are eventually opened up.

Since this is bound to happen, it’s important to make this part of the EMR implementation plan. Don’t make your nursing staff beg you for access to something. Give them a way to ask for access without making them feel like they are doing something they shouldn’t. Instead, encourage them to ask you for access to things that would make their life easier. That doesn’t mean that you’ll always give access, but from what I’ve seen, most people don’t want more access than what they need.

Remember that the rule is that people should only have access to the information that they need. If they’re asking for access to certain information to make their (and often your) life easier, then they probably do need it and should have access.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • So true, so true. With web conversion I once ran into a situation where, in order to do my job, I had to email an administrator at another location for permission to a certain point in the system. After a while they finally opened up permission to everyone working on the project. While everyone doesn’t need everything, locking things down to the tightest possible level is often a mistake. Also, it’s best if there are admins in each employment group or area, a point person people can go to if they need access to part of the system. That way people don’t feel inhibited by having to make their request to the big bad IT or HR person.

  • Well-designed systems of any kind, including EMRs, should use role-based security. Systems that set security based on the individual aren’t, by definition, secure.

    Beyond that the system should allow a practitioner to restrict access by setting an additional password, etc., for example the result of HIV tests.

    More importantly, security has to be planned as part of implementation and not as an afterthought. This forces, with any luck, users to focus on who originates information, who can mod it and who can see it.

    Finally, if you have to set up one security system for your PM and another for your EMR, you need to rethink your approach to both.
