Access control is the ability to permit or deny the use of a particular resource by a particular entity. When applied to electronic medical records, access control defines the amount of electronic data the user is limited to within the system. It serves as a safety measure to keep various protected health information from individuals with different levels of access.
Controlling access to electronic data is often interchanged with providing user authorization and it can be divided into three categories: user-based, role-based and context-based access control.
Access control, as related to health information technology (HIT) systems, refers to the selective restriction of access to an organization’s information system and resources. Authentication and authorization are important facets of access control. Access to an information system is usually granted through the use of passwords or biometric identification. Even after a user is given access to an information system, the user may only be authorized or privileged to gain access to certain types of information relevant to his/her professional or assigned roles in the organization. For example, with regard to the use of HIT systems, authorization in many cases may be based on relationship of the caregiver or clinician (physician, nurse, pharmacist, radiologist, etc.) to the patient.