Role-based access

From Clinfowiki
Revision as of 16:43, 31 March 2009 by Himali (Talk | contribs)


Role-Based Access, sometimes called Role-Based Access Control (RBAC), is one way organizations can limit access to confidential health information as required by HIPAA. It was described by Ferraiolo, Cugini, and Kuhn in 1995 (1) as a model in which access rights are attached to roles rather than to individual users. In such a lattice framework, each user new to the system is assigned a generic role, and that role carries a defined set of permissions in the system. For example, an individual assigned in an electronic health record as a pharmacist can view medications and alerts and dispense medications, but cannot prescribe. Assigned user roles can change when appropriate. For example, when an individual moves from the status of a medical student to a physician, his user category is re-assigned, and he can then prescribe medications without a co-signature. In many electronic medical record applications, the physician category is allowed to view and chart on any patient, not just his own, in order to allow emergency access. This must be combined with a robust monitoring system to ensure that physicians are not accessing records for which they have no justifiable reason, i.e. no treating relationship with the patient.
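The following Python model is an added illustration of the points above and is not code from Clinfowiki or from the Ferraiolo, Cugini and Kuhn paper. It assumes three hypothetical roles (pharmacist, medical_student, physician), a constructed permission table, and the rule that only the physician role may reach a chart outside its own treating relationships; every such emergency access is written to an audit log and flagged for later review rather than silently allowed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed role -> permission table (hypothetical; not a real EHR's configuration).
# Permissions belong to roles, never to individual users.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "pharmacist": {"view_medications", "view_alerts", "dispense"},
    "medical_student": {"view_chart", "chart", "prescribe_cosigned"},
    "physician": {"view_chart", "chart", "prescribe"},
}


@dataclass
class AuditEvent:
    user: str
    role: str
    action: str
    patient: str
    flagged: bool  # True when the user had no treating relationship with the patient


@dataclass
class EHR:
    user_roles: Dict[str, str] = field(default_factory=dict)          # user -> role
    treating: Dict[str, Set[str]] = field(default_factory=dict)       # user -> patients
    audit_log: List[AuditEvent] = field(default_factory=list)

    def assign_role(self, user: str, role: str) -> None:
        """Assign (or re-assign) a user's role, e.g. on promotion from student to physician."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.user_roles[user] = role

    def has_permission(self, user: str, action: str) -> bool:
        """Pure RBAC check: is the action in the permission set of the user's role?"""
        role = self.user_roles.get(user)
        return role is not None and action in ROLE_PERMISSIONS[role]

    def access(self, user: str, action: str, patient: str) -> bool:
        """Decide an access request and record it.

        Non-physician roles are limited to patients they are treating (assumption
        for this example). Physicians may reach any patient for emergency access,
        but an access without a treating relationship is flagged for audit review.
        """
        if not self.has_permission(user, action):
            return False
        role = self.user_roles[user]
        in_relationship = patient in self.treating.get(user, set())
        if not in_relationship and role != "physician":
            return False
        self.audit_log.append(
            AuditEvent(user, role, action, patient, flagged=not in_relationship)
        )
        return True

    def flagged_events(self) -> List[AuditEvent]:
        """The monitoring view: accesses that need a justification check."""
        return [e for e in self.audit_log if e.flagged]


def run_demo() -> dict:
    """Walk through the scenarios described in the article with constructed users."""
    ehr = EHR()
    ehr.assign_role("alice", "pharmacist")
    ehr.assign_role("bob", "medical_student")
    ehr.treating["alice"] = {"patient-1"}
    ehr.treating["bob"] = {"patient-1"}

    results = {}
    results["pharmacist_dispense"] = ehr.access("alice", "dispense", "patient-1")    # allowed
    results["pharmacist_prescribe"] = ehr.access("alice", "prescribe", "patient-1")  # denied by role
    results["student_prescribe"] = ehr.access("bob", "prescribe", "patient-1")       # denied by role

    ehr.assign_role("bob", "physician")  # role re-assigned on promotion
    results["physician_prescribe"] = ehr.access("bob", "prescribe", "patient-1")     # allowed, not flagged
    results["physician_emergency"] = ehr.access("bob", "view_chart", "patient-9")    # allowed, flagged

    results["audit_entries"] = len(ehr.audit_log)
    results["flagged"] = [(e.user, e.patient) for e in ehr.flagged_events()]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design point is that the role table answers "may this role ever do this?", while the treating-relationship check and the flagged audit entries are what make the emergency-access exception reviewable; dropping the audit step would leave the physician role with unmonitored access to every chart.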

In short, Role-Based Access Control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise.

(1) Ferraiolo DF, Cugini JA, Kuhn DR. Role-Based Access Control (RBAC): Features and Motivations. Proceedings of the 11th Annual Computer Security Applications Conference, New Orleans, December 11-15, 1995, pp. 241-248.