Document Security

From Galen Healthcare Solutions - Allscripts TouchWorks EHR Wiki


Document Security can be a little confusing in Enterprise, so the intent of this wiki is to make understanding document security as easy as (eating) pie.

There are two different types of document security: Change and Viewing. Both types of document security can be assigned across the board for a document type in the document type dictionary, or can be assigned ad hoc by a user on a per-document basis. Both types of security are further discussed below, beginning with Document Change Security.

Document Change Security

There are two types of document change security – doc change and doc change shared:

  • Doc Change security means that the document remains visible to any user, but changes to the document are restricted to the owner of the document only.
  • Doc Change Shared means that the document remains visible to any user, but changes are restricted to a group of users who have the Doc Change Shared security code in their security classification.

Both the Doc Change and the Doc Change Shared security codes come pre-delivered in the EEHR by Allscripts.


To assign either of these types of security to a document (in the dictionary or ad hoc), a user needs to have these codes in their security classification. THIS IS IMPORTANT to remember, because twappadmin, being a user in the EEHR, is not exempt from this requirement! If, as a system admin, you are trying to assign document security in the dictionary and you don't see the codes, go back to the Security Admin workspace and check that the twappadmin or TWAdmin user has these codes in their security classification.

Assigning Doc Change or Doc Change Shared security on a document in the document type dictionary is as simple as:


  1. Find the document you want to place change security on.
  2. Click the security code button.
  3. Move the security code from Available to Assigned.

Then remember that since change security was placed on the document in the document type dictionary, every single one of the documents of that type will behave the same way.

But what if the organization doesn’t necessarily want all of the documents of that type to have security restrictions? What if they only want the providers or clinical staff to assign security to a document here and there? This is where the ad hoc feature comes into play.

If you assign the Doc Change and/or Doc Change Shared security codes to a user, they will see that they can assign security to a particular document on the fly. On the bottom of the note, for example, you can see the security button. NOTE: the user must FIRST SAVE the note before the security button is activated. Then the user can select the security button and assign whichever document security they want FOR THAT document only.


Document Viewing Security

Now let’s talk about Document Viewing security. This is completely separate from the change security. It is similar to change security in that it can be assigned across the entire document at the dictionary level or assigned ad hoc, but it does have a few more complexities to it.

The first thing to take notice of is that, unlike the document change security, THERE ARE NOT PRE-DELIVERED DOCUMENT VIEWING SECURITY CODES in the EEHR. So, if your client wants to use document viewing security, the very first step will involve you or the system administrator creating the document viewing security code in the EHR - as shown below. This new code can then be added to an existing security classification for the appropriate user(s), or a new security classification may be created to accommodate the new code and allow for better ease of assigning document viewing security to individual users vs. groups of users.


How does it work? Applying Document Viewing security results in a document that is only visible to designated users who have the UDV Viewing Security Code as part of their Security Classification. And, in fact, users who have this code will not have any indication that the documents they see in the patient's chart have viewing-security applied.

Users who are NOT assigned this UDV security code, by contrast, will not even see viewing-secured documents in the patient's chart. They therefore cannot attempt to open them; the documents are just not there.


Break Glass is a security privilege that is ONLY associated with Document Viewing Security. Users who are not given the specific UDV document viewing security code (discussed above) can be given the Break Glass security code. Then, when such a user enters a chart that contains a viewing-restricted document, they will see a little "Break Glass" button on the patient banner bar. The secure document itself, until the glass is broken, will not appear in the patient's chart.


NOTE: A user who breaks glass will then be presented with a security warning screen. In order to proceed, they must enter their password and reason for entry before they are permitted back into the chart with the viewing-secured documents now visible to them. From that point forward, their actions in the chart are audited at the highest level: every view, edit, create, print or fax action is audited regardless of what the system audit value is set at. Since violations could result in disciplinary action or even job termination, it is important to train end users on the importance of entering a specific reason for entry into the chart, and then to go into the chart for that specific reason only.



[R] – this is the code that appears on the left-hand side of the patient banner if there is a secure document somewhere in the patient’s chart. It is possible to suppress this indicator through preferences: set the preference "Display R in Patient Banner for Restricted Documents" to N to suppress the indicator.

IMPORTANT TO REMEMBER and reiterated because it is often hard to remember: Break Glass security is for document viewing security ONLY. It has nothing to do with patient access security or confidential patients!
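
The change, viewing and Break Glass rules described on this page can be combined into one small decision model, which is handy for writing role test cases before touching security classifications. This is an added example, not Allscripts code: the class, field and constant names are assumptions, the sample chart is constructed, and recording refused Break Glass attempts is an assumption of the model.

```python
from dataclasses import dataclass, field

# Labels for this model only; not the EHR's internal identifiers.
DOC_CHANGE, DOC_CHANGE_SHARED = "Doc Change", "Doc Change Shared"
UDV, BREAK_GLASS = "UDV", "Break Glass"

@dataclass
class Document:
    title: str
    owner: str
    change_code: str = ""        # "", DOC_CHANGE or DOC_CHANGE_SHARED
    view_secured: bool = False

@dataclass
class ChartSession:
    user: str
    codes: frozenset             # codes in the user's security classification
    documents: list
    glass_broken: bool = False
    audit: list = field(default_factory=list)

    def break_glass(self, password_ok, reason):
        # Page: password and reason both required. Assumption: refusals are logged too.
        ok = BREAK_GLASS in self.codes and password_ok and bool(reason.strip())
        self.audit.append(("break_glass", self.user, reason.strip(), ok))
        self.glass_broken = self.glass_broken or ok
        return ok

    def can_view(self, doc):
        return not doc.view_secured or UDV in self.codes or self.glass_broken

    def visible(self):
        return [d.title for d in self.documents if self.can_view(d)]

    def shows_break_glass_button(self):
        return BREAK_GLASS in self.codes and any(not self.can_view(d) for d in self.documents)

    def can_change(self, doc):
        if not self.can_view(doc):   # a hidden document cannot be opened at all
            return False
        if doc.change_code == DOC_CHANGE:
            return doc.owner == self.user
        if doc.change_code == DOC_CHANGE_SHARED:
            return DOC_CHANGE_SHARED in self.codes
        return True

def sample_chart():  # constructed documents, for illustration only
    return [Document("Progress Note", "drlee", DOC_CHANGE),
            Document("Psych Consult", "drlee", DOC_CHANGE_SHARED, view_secured=True)]
```

The model follows the page literally, so a document owner without the Doc Change Shared code cannot change a Doc Change Shared document; confirm that behaviour in a test environment before relying on it.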