How should you handle a request to give a clinician access to data outside their role?

Study for the Epic End User Test. Use our interactive quizzes with detailed explanations to boost your confidence. Prepare effectively and maximize your chances of success!

Multiple Choice

How should you handle a request to give a clinician access to data outside their role?

Explanation:
Access should be controlled by need-to-know and least privilege, with documented approval and an auditable trail. When a clinician requests data outside their role, start by assessing whether there is a legitimate need for that specific data. If there is, grant only the minimum access required to complete the task, never full access. The request must be justified and approved through security governance before any changes are made, and the change should be logged to create a clear audit record of who, what, and when. This approach protects patient privacy, supports regulatory compliance, and maintains data integrity. Granting full access without justification, making changes without governance, or ignoring logging all undermine security, accountability, and traceability.

