2 Manage access to patient or subject records and PII

In this chapter you will learn to:

Use data access policies

Use data access policies to control users' access to patient and subject data in several ways:

• Control access to Personally Identifiable Information (PII) attributes. Create data access policies that specify which Personally Identifiable Information (PII) attributes are visible for subjects in a particular study or patients in a particular patient group, to users assigned to the configuration. PII attributes that are not visible are obfuscated (masking values are displayed).

  This functionality is always enabled so that anyone needing access to PII data must be assigned to a data access policy that grants the required access.

• Control access to non-PII subject or patient information by enabling row-level filtering. This setting applies across all studies and patient groups.
  • If disabled (the default state), users can see all non-PII subject or patient data in any study or patient group.
  • If enabled, only users assigned to a data access policy that allows access to a study or patient group can see any non-PII subject or patient data in the study or patient group.
• Allow access to all data by assigning a user to a global configuration that allows access to all subject and patient data, including PII data, in all studies and patient groups.
• Control access to omics data stored in the Omics Data Bank Schema. Create data access policies containing attributes at the patient level that control whether the all patient omics results can be seen by users or not. The same model applies at a subject level. Data access policies can be created through patient groups for patients and through studies for subjects.

  Moreover, an expiration date is introduced for the omics access attribute. Once the expiration date has passed, all access restrictions are removed automatically.

If a user has access to the same study or patient group through multiple data access policies, if any of the data access policies permits access to a particular subject or patient's data, it is visible to the user.

Note:

In previous versions of Oracle Healthcare Translational Research, data access policies were called VPD configurations.

For more informatin, see:

• Create a data access policy
  
• Assign a user to a data access policy
  
• Deactivate a data access policy
  
• Limit access to non-PII data in patient and subject records
  
• Grant access to all subject and patient data
  
• Attribute groups
  
• Import subject and patient data to the Cohort Data Model
  
• Import omics reference and result data to the Omics Data Bank
  
• Read some use cases for more context