Skip to main content
Security Safeguards

Role-Based Access Control (RBAC)

Granting access to ePHI based on a user's job role rather than individually.

Role-Based Access Control (RBAC) is a model that grants permissions to ePHI according to a user's job role rather than assigning them individually.

RBAC is a practical way to implement HIPAA's minimum necessary standard and least privilege: defining roles such as "clinician," "billing," or "read-only support" keeps access aligned with what each job actually requires and makes access control easier to audit.