Protect Privacy in Health Cloud
- Explain the importance of access control for Health Cloud.
- Describe the Health Cloud profiles and permissions.
- List which fields Health Cloud users need access to.
The first thing Harryette wants to take care of, now that Health Cloud is installed, is patient privacy. She knows that safeguarding privacy is especially important when you’re working in healthcare. If information about personal health issues gets to people who aren’t required to know it, it can make a patient vulnerable to stigma, embarrassment, and even discrimination.
Harryette gives people access to specific things in Health Cloud by setting up user profiles and permissions. Her careful attention to access helps protect patients’ privacy and helps care workers be as effective as they can be. Without full trust in the privacy of their information, patients and their caregivers might not want to disclose sensitive information even to their physicians and case managers.
First, Harryette looks at her users’ profiles. She goes to Setup and searches for Profiles. She assigns the Standard Platform User profile to April Guthman, who manages patient care for Bloomington Caregivers. Now April can use the full range of Health Cloud functionality.
Leif Hansen, a patient manager with experience supporting patients with memory issues, also gets the Standard Platform User profile. (Leif’s role is sometimes called case manager or care manager. At Bloomington Caregivers, he’s a patient manager.)
Raul Nieto is the son of a new Bloomington Caregivers client, Elena Nieto. Raul is his mom’s main caregiver. He visits her a few times a week to make dinner, pack tomorrow’s lunch, and drive her to doctor and therapist appointments.
Raul is only concerned with one Bloomington Caregivers patient—his mom. He doesn’t need to see information about anyone else. So he gets the Customer Community User profile. Now he can log into Health Cloud as member of Elena’s care team to share information and stay up-to-date on her progress.
Next, Harryette makes the Health Cloud page layouts available to the profiles she’s assigned.
- Account (Individual record type): Patient layout
- Case (Care Plan record type): Care Plan layout
- Contact (Individual record type): Patient layout
- Lead (Patient record type): Patient layout
- Task (Care Plan Task record type): Health Task layout
And she gives people with those profiles access to the record types they’ll need.
- Account: Business, Household, Individual (Default)
- Cases: CarePlan
- Contacts: Business, Individual (Default)
- Lead: Patient
- Tasks: Care Plan Task
Regardless of the profiles they have, Harryette’s users are going to need a special set of permissions to do the work they need to do in Health Cloud. She’s going to assign them a permission set with the permissions backed by the Health Cloud permission set license, which became available when she first installed the Health Cloud managed package.
Heads up: Things can get a little complicated right around this point. If any of this permission set information is confusing, go ahead and consult the Salesforce Help on Permission Set Licenses, then come back! See the Resources section for a link.
For now, Harryette just goes to Setup and finds the Permission Set License Assignments related list under Users. For each of her Health Cloud users, she clicks Edit Assignments and selects Health Cloud Permission Set License.
Field permissions specify the access level for each field in an object. Users have to be able to edit certain essential fields in order to use Health Cloud, whether you’re using profiles or permission sets to control access.
Harryette goes to Setup and finds the Field Accessibility page. There, she makes sure her users have access to the standard fields listed in the Health Cloud Implementation Guide.
Harryette is concerned that anyone with access to the Health Cloud console can see any patient list someone creates in Health Cloud. That can be sensitive information, so she uses field-level and object-level security to make sure only people who need to see a patient list can see it.
One thing she can do is restrict access to an object. If a user’s profile doesn’t give them access to an object, then records from that object don’t appear in the patient list that user sees. For example, Leif Hansen needs to know the doctors and therapists available to the patients he manages. So he needs a profile that gives him access to the Provider object. He isn’t creating care plans, so his profile doesn’t need access to the Care Plan Template object.