Client Restrictions: Control and Audit Client Access

Healthie’s Client Restrictions feature adds another layer of access control to client data. When enabled, users who are not on a client's Care Team must enter a reason before viewing sensitive client information. This helps organizations monitor and deter unauthorized access, while maintaining an audit trail via reporting.

This permission can be coupled with several other administrator permissions that control which team members can access client information. Learn more about member permissions here.


Manage Member Permission to Restrict Clients

Once the Client Restrictions feature is enabled for your account, Organization owners can designate who has permission to restrict a client.

To enable this:

  1. Navigate to Organization > Members > Edit Setting > Permissions
  2. Under the Clients section, enable the Can restrict clients permission for selected users

This setting is also available within Permission Templates. If a user is assigned the Administrator role, this permission will be enabled by default. 

To enable this setting for your account, please reach out to hello@gethealthie.com 


Restrict Access to a Client

Users with the appropriate permission can restrict a client by:

  • Navigating to the client’s Personal Information page under Actions
  • Toggling on Restrict client access, then clicking Save

Once restricted, a lock icon will appear next to the client's name in the client list. To un-restrict a client, simply toggle the setting off and save again.


Accessing a Restricted Client 

When a user who is not part of the Care Team attempts to access a restricted client’s data, a modal will appear prompting them to enter a reason for access.

  • Once submitted, the application refreshes and access is granted
  • The access reason is logged and available in a report
  • If an expiration window (client_restriction_expiration_hours) is configured, users will be prompted to re-enter a reason after the set time period

Note: The access reason supports up to 500 characters. The reason expiration is set to 24 hours, so a provider will only need to provide a reason once daily.


Conduct an Audit for Clients with Restricted Access

Organization administrators can view access logs by navigating to:

Reporting > Clients > Restricted Client Authorizations

  • The report defaults to the last 30 days, but the date range can be adjusted
  • Filter by provider or view data across the entire organization

This report shows which team members accessed a restricted client’s information during the selected timeframe, along with the reason they provided—supporting internal compliance and audit needs.
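
One way to triage the Restricted Client Authorizations report once its rows have been copied into a CSV file, shown as an added example that is not Healthie's code. The column names, sample rows, placeholder phrases and thresholds are assumptions made for illustration, not Healthie's export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column names are hypothetical.
SAMPLE = """accessed_at,provider,client,reason
2024-05-01T09:02:00,Dr. Lee,Client A,Covering for Dr. Patel while she is on leave
2024-05-01T09:15:00,J. Smith,Client A,.
2024-05-01T09:20:00,J. Smith,Client B,test
2024-05-01T09:31:00,J. Smith,Client C,need access
2024-05-02T14:00:00,J. Smith,Client D,Billing question raised by client's insurer
2024-05-03T11:45:00,M. Chen,Client B,Scheduling follow-up requested by care team
"""

MIN_REASON_CHARS = 10     # assumption: shorter reasons say nothing reviewable
MAX_CLIENTS_PER_USER = 3  # assumption: review users above this count per window
PLACEHOLDERS = {"need access", "not applicable", "no reason given"}  # assumption


def weak_reason(reason):
    """True when a reason is too short or a known placeholder phrase."""
    text = reason.strip().lower()
    return len(text) < MIN_REASON_CHARS or text in PLACEHOLDERS


def triage(report_csv):
    """Return (weak_rows, broad_users) for an administrator to follow up on."""
    weak_rows = []
    clients_by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(report_csv)):
        clients_by_user[row["provider"]].add(row["client"])
        if weak_reason(row["reason"]):
            weak_rows.append(
                (row["accessed_at"], row["provider"], row["client"], row["reason"])
            )
    # Users who opened more distinct restricted clients than the threshold.
    broad_users = {
        user: sorted(clients)
        for user, clients in clients_by_user.items()
        if len(clients) > MAX_CLIENTS_PER_USER
    }
    return weak_rows, broad_users


if __name__ == "__main__":
    weak, broad = triage(SAMPLE)
    for entry in weak:
        print("weak reason:", entry)
    for user, clients in broad.items():
        print("broad access:", user, clients)
```

Flagged rows are leads for a conversation with the team member, not proof of misuse; tune both thresholds to your organization's size and workflows.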


Additional Behavior for Restricted Clients

  • Users must enter a reason to chat with or schedule appointments for a restricted client
  • Users do not need to enter a reason to share documents or request form completion
  • Any Care Plan-related actions will require an access reason