You would think that if they have the ability to audit at that level and with such prompt responses, they would have the resources to lock down the systems properly and to implement a consent policy that works. Allowing everybody access is a bit like binding the cat to the bacon and then getting upset because the cat cannot be trusted with bacon.
Better to keep the cat and the bacon separate; the temptation to peek is large, and if there is one thing I know about people then it is that curiosity is a pretty common affliction.
And that is assuming that those accesses are on purpose; people can make honest mistakes as well, and they will also look like unauthorized access.
Except putting barriers can cause even worse problems. If I can’t look up someone’s allergies because the system doesn’t think I should, fuck them right?
Exactly, barriers to looking up a patient's information can be fatal. I need to give someone medication now to stabilize them. What medications are they on now? Can't look it up? Better give it to them and hope there's no adverse reaction.
Better to avoid that situation and implement auditing while making sure people know the rules are enforced.
"override authentication" -> You have chosen to override the authentication protocol, you are logged in as John Doe, all your actions will be subject to internal affairs review, continue yes / no?
That tends to happen when the user logs in, so they'll probably see it multiple times per day. I think that's pretty standard. The system doesn't have to be the wild west. But if someone can click through an authentication override then it's not really doing anything.