Restricting patient data visibility by HCLS location

VanessaCameron · ‎09-09-2025

Hi everyone,

We use Healthcare & Life Sciences (HCLS) and are looking for best practices around controlling patient data visibility based on Healthcare Locations.

Our goal is for staff to only see patient records linked to their assigned Healthcare Location. Right now, our thought is to use Healthcare Locations to tag patient records and users, then leverage User Criteria to dynamically control access at the table or record level. We are trying to avoid heavy ACL use.

For those who have implemented HCLS/or know the product, does this align with best practice? Are there any compliance or performance considerations we should be aware of before continuing down this route?

Thanks in advance for your insights!
— Vanessa Cameron, Peke Waihanga - Artificial Limb & Orthotic Service

RobertW84098177 · ‎10-01-2025

I had a successful use case for visiting physicians that might be of value. This entire process was initiated by filling out a form delivered by text or email or from a web experience that a physician could easily navigate to. The physician would fill out a form that would grab their device's MAC address. Unless the physician was within wireless network range, in a certain time window and on the specific device they used for the access request they would be data restricted. We configured a reusable API with the ServiceNow team that we used for other use cases. Doctors loved how easy we made their access to EPIC for a single day or for their regular work use. Happy to share other stories and insights.

VanessaCameron · ‎10-01-2025

Thanks Robert, this is interesting. I've been trying to figure out if we could apply any of your approach to our use case : ) I haven't managed to think that through yet. Although our subcontractors are contractors, they will be long term working in our SN system. Is the service you describe a hospital type setting.... Thanks for your input, look forward to hearing more.

RobertW84098177 · 2 weeks ago

This strategy was used at Sandia National Labs where the US maintains its nuke stockpiles and at many hospital organizations managed by a Managed Service Provider that along with 20 other entities served Detroit Medical Center.