Blood Bank Management User Roles & Permissions

This document defines role-based and context-based access control for the Blood Bank Management (blood-bank) module, aligned with UAE regulatory requirements (MOH blood safety regulations, DOH/DHA standards, UAE PDPL, Federal Law No. 2/2019, ADHICS/NESA).

Role Definitions

Shared entities (patients, providers, encounters, facilities, users) are owned by other modules and referenced here via foreign keys. Access scopes below apply to blood bank–specific data plus referenced patient/encounter context.

Blood Bank Technologist

Typical UAE titles
Medical Laboratory Technologist – Blood Bank
Senior Laboratory Technician – Transfusion Services (non-supervisory)
Description
Front-line technical staff performing donor processing, component preparation, type & screen, crossmatch, issue/return processing, and routine QC under supervision.
Scope of access
Patients: All patients of the facility for whom blood bank tests/orders exist; read-only to basic demographics and transfusion history.
Data:
- Full create/update access to: blood_donations, blood_components, blood_component_inventory, blood_type_screen, crossmatch_records, blood_quarantine_log, blood_discard_log (except discard approval), transfusion_reactions (technical investigation fields).
- Read-only to transfusion_orders and transfusion_administration.
Facilities: Primarily own facility; read-only view of inter-facility transfer records where configured.
Reporting hierarchy
Reports to Senior Blood Bank Technologist or Blood Bank Supervisor.

Senior Blood Bank Technologist

Typical UAE titles
Senior Medical Laboratory Technologist – Blood Bank
Charge Technologist – Transfusion Services
Description
Experienced technologist providing technical oversight, resolving complex serology, managing special antigen requirements, and training staff.
Scope of access
Inherits all Blood Bank Technologist permissions (all_technologist).
Can override electronic crossmatch rules within policy, manage special antigen profiles, and finalize complex antibody workups.
Can correct/validate junior staff results and unlock records for amendment.
Reporting hierarchy
Reports to Blood Bank Supervisor; provides day-to-day direction to Blood Bank Technologists.

Blood Bank Supervisor

Typical UAE titles
Blood Bank Supervisor
Transfusion Services Manager
Description
Operational manager responsible for staffing, inventory levels, QC, compliance, and reporting.
Scope of access
Inherits all Senior Blood Bank Technologist permissions (all_senior_tech).
Full access to inventory management, donor deferral management, discard approvals, and operational reporting.
Can adjust par levels, configure alerts, and manage donor deferral lists per MOH guidance.
Reporting hierarchy
Reports to Blood Bank Medical Director (Pathologist) or Laboratory Director; supervises technologists and senior technologists.

Blood Bank Medical Director (Pathologist)

Typical UAE titles
Consultant Pathologist – Transfusion Medicine
Blood Bank Medical Director
Description
Clinically accountable physician overseeing transfusion policies, complex case management, hemovigilance, and regulatory compliance.
Scope of access
Inherits all Blood Bank Supervisor permissions (all_supervisor).
Can approve reaction investigations, authorize emergency/un-crossmatched release, manage policies and crossmatch rules, and submit MOH hemovigilance reports.
Read/write access to all transfusion reaction classification and regulatory reporting fields.
Reporting hierarchy
Reports to Laboratory Director / Chief Medical Officer; clinical authority over Blood Bank Supervisor, Donor Physician, and interacts with Ordering Physicians.

Donor Physician

Typical UAE titles
Specialist / Consultant Physician – Donor Clinic
Family Medicine / Internal Medicine Physician assigned to Blood Bank
Description
Physician responsible for donor medical assessment, approval/deferral decisions, and donor health follow-up.
Scope of access
Full access to blood_donors (demographics, screening, vitals, deferral history).
Can create/update donor screening outcomes, deferral reasons, and donor health notes.
Read-only to blood_donations, infectious disease results, and donor-related hemovigilance data.
No access to unrelated patient transfusion records unless donor is also a patient and they are involved in care.
Reporting hierarchy
Reports clinically to Blood Bank Medical Director; administratively may report to Blood Bank Supervisor or Clinical Director.

Nurse (Transfusion)

Typical UAE titles
Registered Nurse – Inpatient Ward / ICU / OR
Transfusion Nurse / Clinical Resource Nurse
Description
Nursing staff administering blood products at bedside, monitoring patients, documenting vitals, and reporting reactions.
Scope of access
Patients: Patients within their assigned ward/clinic/OR encounters.
Data:
- Read-only to blood_type_screen, crossmatch_records, blood_component_inventory (availability view), transfusion_orders for their patients.
- Create/update transfusion_administration for assigned patients (vitals, start/stop times, volume infused, bedside checks).
- Create initial transfusion_reactions record (symptoms, onset, nursing assessment).
- Record return of unused units (status, reason, condition).
Cannot modify lab/technical results or inventory attributes.
Reporting hierarchy
Reports to Nurse Manager / Charge Nurse; functionally collaborates with Ordering Physician and Blood Bank Technologist.

Ordering Physician

Typical UAE titles
Consultant / Specialist Physician (Internal Medicine, Surgery, ICU, etc.)
Resident / Registrar with transfusion ordering privileges
Description
Clinician responsible for ordering blood components, documenting indications, and managing clinical aspects of transfusion and reactions.
Scope of access
Patients: Patients under their care (attending/covering or per encounter assignment).
Data:
- Create/update transfusion_orders (component type, units, priority, indication, special requirements, emergency release flags).
- Read-only to donor data (no access) and inventory details beyond availability/compatibility.
- Read/write to clinical fields in transfusion_reactions (diagnosis, classification, management plan) for their patients.
- Read-only to transfusion_administration records and lab results.
Can authorize massive transfusion protocol and emergency release (subject to Medical Director override rules).
Reporting hierarchy
Reports to Department Chair / Service Head; clinically accountable to Blood Bank Medical Director for transfusion appropriateness.

Permission Matrix

Legend:

✅ = Allowed
❌ = Not allowed
🔒 = Conditional (context-based, co-sign, or configuration-based)

Roles:

BB Tech = Blood Bank Technologist
Sr BB Tech = Senior Blood Bank Technologist
BB Supervisor = Blood Bank Supervisor
BB Med Dir = Blood Bank Medical Director (Pathologist)
Donor MD = Donor Physician
Tx Nurse = Nurse (Transfusion)
Ord MD = Ordering Physician

Permission / Function	BB Tech	Sr BB Tech	BB Supervisor	BB Med Dir	Donor MD	Tx Nurse	Ord MD
Donor Management
View donor demographics & history	✅	✅	✅	✅	✅	❌	❌
Create new donor record	✅	✅	✅	✅	🔒¹	❌	❌
Edit donor demographics (non-medical)	✅	✅	✅	✅	🔒¹	❌	❌
Record donor screening questionnaire	✅	✅	✅	✅	✅	❌	❌
Record donor vitals and pre-donation assessment	✅	✅	✅	✅	✅	❌	❌
Approve donor for donation	❌	❌	🔒²	🔒²	✅	❌	❌
Temporarily defer donor (with reason and until date)	❌	❌	✅	✅	✅	❌	❌
Permanently defer donor	❌	❌	✅	✅	🔒³	❌	❌
View donor infectious disease results	✅	✅	✅	✅	✅	❌	❌
Notify donor of positive infectious disease result (record counselling)	❌	❌	🔒⁴	🔒⁴	✅	❌	❌
Donation & Component Processing
Register new donation event	✅	✅	✅	✅	❌	❌	❌
Record collection details (start/end, volume, complications)	✅	✅	✅	✅	❌	❌	❌
Create component records from donation	✅	✅	✅	✅	❌	❌	❌
Edit component attributes (type, modifiers, expiry)	✅	✅	✅	✅	❌	❌	❌
Print ISBT-compliant labels	✅	✅	✅	✅	❌	❌	❌
Place component in quarantine (pending tests / investigation)	✅	✅	✅	✅	❌	❌	❌
Release component from quarantine to inventory	✅	✅	✅	✅	❌	❌	❌
Type & Screen / Crossmatch
View patient transfusion history	✅	✅	✅	✅	❌	✅	✅
Perform and record ABO/Rh typing	✅	✅	✅	✅	❌	❌	❌
Perform and record antibody screen	✅	✅	✅	✅	❌	❌	❌
Perform antibody identification (panel)	🔒⁵	✅	✅	✅	❌	❌	❌
Validate and finalize type & screen result	🔒⁵	✅	✅	✅	❌	❌	❌
Create crossmatch record (electronic or serological)	✅	✅	✅	✅	❌	❌	❌
Override electronic crossmatch eligibility rules	❌	🔒⁶	✅	✅	❌	❌	❌
Transfusion Orders & Issue
Create transfusion order	❌	❌	❌	❌	❌	❌	✅
Modify/cancel own transfusion order	❌	❌	❌	❌	❌	❌	✅
Request massive transfusion protocol	❌	❌	❌	❌	❌	🔒⁷	✅
Flag order as emergency release (uncrossmatched)	❌	❌	❌	🔒⁸	❌	❌	✅
Select compatible units for an order	✅	✅	✅	✅	❌	❌	❌
Issue unit to clinical area (record pickup, destination, time)	✅	✅	✅	✅	❌	❌	❌
Process return of unused unit (re-inventory / discard decision)	✅	✅	✅	✅	❌	✅	❌
Transfusion Administration (Bedside)
View issued units for assigned patients	✅	✅	✅	✅	❌	✅	✅
Perform bedside barcode verification (patient + product)	❌	❌	❌	❌	❌	✅	🔒⁹
Record pre-transfusion vitals	❌	❌	❌	❌	❌	✅	🔒⁹
Record intra- and post-transfusion vitals	❌	❌	❌	❌	❌	✅	🔒⁹
Record transfusion start/stop times and volume infused	❌	❌	❌	❌	❌	✅	🔒⁹
Mark transfusion as completed / stopped early	❌	❌	❌	❌	❌	✅	🔒⁹
Transfusion Reactions & Hemovigilance
Create initial reaction report (symptoms, onset, nursing notes)	❌	❌	❌	❌	❌	✅	✅
Record technical investigation steps (clerical check, DAT, hemolysis check)	✅	✅	✅	✅	❌	❌	❌
Classify reaction type and severity	🔒¹⁰	🔒¹⁰	✅	✅	🔒¹⁰	🔒¹⁰	✅
Approve final reaction classification	❌	❌	🔒¹¹	✅	❌	❌	❌
Mark reaction as reportable to MOH hemovigilance	❌	❌	🔒¹¹	✅	❌	❌	❌
Submit electronic hemovigilance report to MOH	❌	❌	❌	✅	❌	❌	❌
Inventory & Discards
View inventory levels and expiry alerts	✅	✅	✅	✅	❌	✅	✅
Adjust par levels and reorder thresholds	❌	❌	✅	✅	❌	❌	❌
Record discard of unit (expired, damaged, positive tests)	✅	✅	✅	✅	❌	❌	❌
Approve discard (dual sign-off)	❌	❌	✅	✅	❌	❌	❌
Record inter-facility transfer (ship/receive)	✅	✅	✅	✅	❌	❌	❌
Configuration & Reporting
Maintain master data (reaction types, deferral reasons, indication codes)	❌	❌	✅	✅	🔒¹²	❌	❌
Manage crossmatch eligibility rules (electronic vs serologic)	❌	❌	🔒¹³	✅	❌	❌	❌
Generate operational reports (inventory, wastage, TAT, C:T ratio)	🔒¹⁴	🔒¹⁴	✅	✅	❌	❌	🔒¹⁴
View hemovigilance KPI dashboards	✅	✅	✅	✅	🔒¹⁵	🔒¹⁵	✅
Security & Oversight
View audit log for blood bank actions	🔒¹⁶	🔒¹⁶	✅	✅	🔒¹⁶	🔒¹⁶	🔒¹⁶
Initiate break-the-glass access to restricted patient transfusion data	🔒¹⁷	🔒¹⁷	🔒¹⁷	🔒¹⁷	🔒¹⁷	🔒¹⁷	🔒¹⁷


¹ Donor MD may create/edit donor records only within donor clinic context; demographic changes may also be allowed for BB Tech per facility policy.  
² In some facilities, Supervisor/Medical Director may approve donors in absence of Donor Physician (configurable).  
³ Permanent deferral typically requires Donor Physician or Medical Director decision; Supervisor executes in system.  
⁴ Counselling may be documented by Donor MD; Supervisor/Med Dir may record administrative follow-up.  
⁵ Complex antibody workups may be restricted to Sr BB Tech and above.  
⁶ Electronic crossmatch overrides require Sr BB Tech or higher, with justification.  
⁷ Massive transfusion may be triggered by Tx Nurse per protocol but must be authorized by Ord MD.  
⁸ Emergency release flagging by Ord MD; final authorization by BB Med Dir (or on-call pathologist) where available.  
⁹ Some facilities allow Ord MD to document vitals when no nurse is present (e.g., small clinics).  
¹⁰ Initial classification may be proposed by Tech/Nurse/Ord MD; final approval by Supervisor/Med Dir.  
¹¹ Serious reactions require Supervisor review and Medical Director approval before MOH submission.  
¹² Donor MD may propose new deferral reasons; final configuration by Supervisor/Med Dir.  
¹³ Policy-level crossmatch rules should be owned by Med Dir; Supervisor may manage operational parameters.  
¹⁴ Access to detailed reports may be limited to supervisory/medical leadership; some summary views for others.  
¹⁵ Donor MD and Tx Nurse may see de-identified or aggregate hemovigilance KPIs only.  
¹⁶ Audit log viewing is restricted; line managers and compliance roles only.  
¹⁷ Break-the-glass is governed by enterprise-wide policy; see BTG section.

---

## Role Hierarchy

```mermaid
graph TD
    LABDIR[Laboratory Director / CMO] --> BBMD[Blood Bank Medical Director (Pathologist)]
    BBMD --> BBSUP[Blood Bank Supervisor]
    BBSUP --> SBBT[Senior Blood Bank Technologist]
    SBBT --> BBT[Blood Bank Technologist]

    BBMD --> DONMD[Donor Physician]

    CNO[Chief Nursing Officer] --> NM[Nurse Manager / Charge Nurse]
    NM --> TXN[Nurse (Transfusion)]

    DEPTHEAD[Clinical Dept Chair / Service Head] --> ORDMD[Ordering Physician]

    %% Inheritance notes
    classDef clinical fill:#e3f2fd,stroke:#1e88e5,stroke-width:1px;
    classDef lab fill:#f3e5f5,stroke:#8e24aa,stroke-width:1px;
    classDef nursing fill:#e8f5e9,stroke:#43a047,stroke-width:1px;

    class BBMD,BBSUP,SBBT,BBT,LABDIR lab;
    class DONMD,ORDMD,DEPTHEAD clinical;
    class TXN,NM,CNO nursing;

Permissions inherit downwards within each branch (e.g., BB Supervisor has all Senior BB Technologist permissions plus supervisory functions).
Cross-branch roles (Ordering Physician, Transfusion Nurse, Donor Physician) do not inherit lab permissions; they only receive the subset defined in the matrix.

Context-Based Access Rules

Context-based controls must be enforced in addition to RBAC, in line with UAE PDPL, Federal Law No. 2/2019, DOH ADHICS, and DHA/NABIDH requirements.

1. Facility-Based Restrictions (Multi-Facility)

Users are associated with one or more facilities.facility_id.
Default rule:
Blood bank staff (BB Tech, Sr BB Tech, BB Supervisor) can access blood bank data only for their assigned facility/facilities.
Inter-facility transfers: staff at both sending and receiving facilities can view transfer records for the units involved, but not broader inventory of the other facility.
Medical Director / Laboratory Director may be configured with multi-facility oversight, allowing read access to all facilities and write access to policy-level configuration only.
Donor data is facility-scoped; cross-facility donor lookup may be restricted or pseudonymised depending on corporate policy.

2. Department-Based Restrictions

Transfusion Nurses:
Can access transfusion administration records only for patients admitted to their assigned wards/departments (e.g., ICU, OR, Medical Ward).
Cross-department access requires either temporary assignment (e.g., float nurse) or BTG.
Ordering Physicians:
Can access transfusion orders and related blood bank data only for patients where they are attending/consulting or on-call for that department.
ED physicians may have broader access to ED-registered patients.
Donor Physicians:
Access restricted to donor clinic context; no access to general patient transfusion records unless also the treating physician for that patient.

3. Patient Relationship Requirements

For clinical patient data (type & screen, crossmatch, transfusion history):
Access is allowed only if there is an active or recent encounter linking the patient to the user’s service/ward (treating relationship).
Blood bank staff are considered part of the “care team” for all patients with active blood bank orders; they may access necessary clinical data (ABO/Rh, antibodies, transfusion history) but not full EHR notes.
For donor data:
Only donor clinic staff (Donor Physician, Blood Bank staff) may access donor records.
If a donor is also a patient, donor records and patient records are logically separated; cross-linking is visible only to authorized roles (Supervisor, Medical Director) and only when clinically necessary.

4. Time-Based Access (Shift-Based)

User accounts have configured working hours/shift patterns.
Optional policy:
Non-emergency access to blood bank functions outside assigned shifts is blocked or requires BTG justification.
Night-shift technologists may have extended privileges (e.g., emergency release) when Medical Director is off-site, with mandatory next-day review.
Access to configuration and reporting functions (par levels, master data changes) may be limited to business hours unless explicitly overridden.

5. Emergency / On-Call Overrides

On-call Blood Bank Technologist / Medical Director:
May be granted temporary extended access (e.g., multi-facility view, emergency release authorization) during on-call periods.
System should support time-bound elevation with automatic rollback at end of on-call window.
Emergency Department / Code Blue:
For patients registered in ED or under massive transfusion protocol, treating physicians and nurses may access transfusion history and active orders even if not formally assigned as primary provider, subject to BTG logging (see below).

Break-the-Glass (BTG) Procedures

BTG is required to access blood bank data beyond normal context-based restrictions, especially for sensitive transfusion history and cross-facility records.

1. When BTG is Required

Accessing a patient’s transfusion history or blood bank results when:
The user is not part of the documented care team for that encounter, and
No active order or consult links the user to the patient.
Accessing restricted transfusion data (e.g., reactions classified as severe, or data flagged as “sealed” due to legal proceedings).
Cross-facility access to blood bank data (e.g., viewing transfusion history from another emirate) when not part of a configured multi-facility role.
Accessing donor records for a donor not currently being seen in the donor clinic (e.g., for research or tracing) without explicit consent or legal mandate.

2. BTG Workflow

Trigger
- User attempts to open a restricted blood bank record (e.g., transfusion history for a non-assigned patient).
Warning Dialog
- System displays:
- “You are attempting emergency access (Break-the-Glass) to restricted blood bank data. This access is fully audited and subject to review under UAE PDPL and Federal Law No. 2/2019. Proceed only if necessary to prevent serious harm to the patient.”
Justification Entry
- User must select a reason from a controlled list (e.g., “Emergency care – unassigned patient”, “Massive transfusion protocol”, “Inter-facility emergency transfer”) and enter free-text justification.
Optional Approval Step (configurable)
- For non-immediate emergencies, system may require approval from on-call Blood Bank Supervisor or Medical Director before granting access (e.g., via in-app notification).
- For life-threatening emergencies, access is granted immediately; approval is retrospective.
Access Grant
- System grants time-limited access (e.g., 30–60 minutes) to the specific patient’s blood bank data; scope is limited to necessary data (type & screen, crossmatch, transfusion history, reactions).
Audit Logging
- Each BTG event logs:
- user_id, role, department
- patient_id (and donor_id if applicable)
- timestamp (start/end)
- justification code and free-text reason
- accessed resources (tables/records)
- workstation/IP and facility
Notification
- Automated alert to Blood Bank Supervisor and Data Protection / Compliance Officer for review.

3. Post-Access Review

Daily or weekly review of BTG events by Blood Bank Supervisor and Compliance:
Validate clinical necessity and proportionality.
Flag suspicious or unjustified access for investigation.
Corrective actions may include:
User counselling or re-training.
Role adjustment (tightening access).
Disciplinary measures per facility policy.
Documentation:
Review outcomes recorded and retained per PDPL and ADHICS requirements (minimum retention aligned with clinical audit logs).

4. UAE PDPL and Federal Law No. 2/2019 Implications

Health data is sensitive personal data; BTG is justified only under lawful bases such as vital interests, treatment, or public health.
BTG logs support accountability and are required to demonstrate compliance with PDPL principles (data minimisation, purpose limitation, integrity and confidentiality).
BTG access must not be used for non-clinical purposes (e.g., curiosity, viewing records of colleagues or public figures); such use constitutes a potential data breach requiring investigation and, if material, notification to the UAE Data Office.

Segregation of Duties

To reduce risk of fraud, data manipulation, and regulatory non-compliance, certain role combinations and actions must be segregated.

1. Conflicting Role Combinations

The following combinations must not be assigned to the same user account:

Blood Bank Supervisor + Transfusion Nurse
Would allow a single user to both manage inventory/discards and administer transfusions, weakening independent checks.
Blood Bank Technologist + Ordering Physician
Could enable self-ordering and self-fulfilment of transfusions without independent clinical oversight.
Donor Physician + Blood Bank Supervisor (in small facilities, this may be unavoidable but should be discouraged)
Concentrates donor approval, deferral, and operational control in one person; if combined, additional dual sign-off rules must be enforced.
Blood Bank Medical Director + System Administrator (IT)
Clinical authority should not be combined with unrestricted technical access; system admin must not have clinical data modification rights.
Donor Physician + Transfusion Nurse
Blurs donor vs patient care roles; donor confidentiality could be compromised.

The HIS must support role conflict checks at assignment time and block or require explicit exception approval (with documented justification) for conflicting combinations.

2. Dual Sign-Off Requirements

Certain high-risk operations require dual sign-off (two distinct users with appropriate roles):

Emergency Release of Uncrossmatched Blood
- Initiator: Ordering Physician (flags emergency release).
- Approver: Blood Bank Medical Director or on-call pathologist (or Blood Bank Supervisor if delegated by policy).
- System enforcement:
- Record must contain initiated_by_user_id and approved_by_user_id with initiated_by ≠ approved_by.
- Emergency release tag printed only after approval.
Discard of Usable Blood Components (non-expiry)
- Initiator: Blood Bank Technologist records reason (e.g., breakage, temperature excursion).
- Approver: Blood Bank Supervisor or Medical Director.
- System enforcement:
- Discard action remains in “pending approval” state until second user approves.
- For routine expiry discards, Supervisor approval may be batched but still requires dual sign-off (Tech + Supervisor).
Change to Crossmatch Eligibility Rules
- Initiator: Blood Bank Supervisor proposes rule change (e.g., criteria for electronic crossmatch).
- Approver: Blood Bank Medical Director.
- System enforcement:
- Configuration changes logged with proposer and approver; changes not active until approved.
Permanent Donor Deferral for Serious Medical Reasons
- Initiator: Donor Physician records clinical justification.
- Approver: Blood Bank Medical Director or Supervisor (per policy).
- System enforcement:
- Permanent deferral status requires two distinct users to confirm.
Submission of Serious Transfusion Reaction to MOH Hemovigilance
- Draft: Blood Bank Technologist / Supervisor completes technical investigation.
- Clinical approval: Blood Bank Medical Director validates classification and severity.
- System enforcement:
- Electronic submission to MOH portal or export file generation only after Medical Director approval.

UAE Regulatory Compliance

This RBAC and context-based access model supports compliance with UAE healthcare regulations as follows:

Federal Law No. 2 of 2019 (Use of ICT in Health Fields)
Ensures confidentiality of health data via strict role-based and context-based access.
Supports traceability of blood products from donor to recipient with controlled access and full audit trails.
Facilitates mandatory reporting (e.g., hemovigilance) through dedicated Medical Director permissions and dual sign-off.
UAE PDPL (Federal Decree-Law No. 45/2021)
Implements data minimisation and purpose limitation by restricting donor and patient data to relevant roles and contexts.
Provides robust audit logging and BTG controls to demonstrate lawful emergency access.
Segregation of duties and dual sign-off reduce risk of unauthorized processing and support accountability.
DOH (Abu Dhabi) / DHA (Dubai) Requirements
ADHICS-aligned access control: least privilege, role-based, and context-aware.
Supports integration with Malaffi/NABIDH while ensuring that only appropriate roles can view transfusion-related data shared via HIE.
Hemovigilance reporting permissions align with MOH and emirate-level patient safety requirements.
MOH Blood Safety Regulations & Hemovigilance
Clear separation of duties between donor assessment, component processing, transfusion ordering, administration, and reaction investigation.
Dual sign-off for emergency release and discards aligns with good transfusion practice and MOH expectations.
Dedicated Medical Director role for policy management and regulatory reporting.

This document should be used by the HIS development team to implement fine-grained RBAC, context-aware access filters, BTG workflows, and audit logging within the Blood Bank Management module, ensuring that all access to sensitive transfusion data is justified, limited, and traceable.