Pharmacy Information System User Roles & Permissions
Home / Clinical Modules / Pharmacy Information System / Roles & Permissions

Pharmacy Information System User Roles & Permissions

This document defines role-based and context-based access control for the Pharmacy Information System (PIS) in UAE hospitals. It aligns with UAE PDPL, Federal Law No. 2 of 2019 (ICT in health fields), MOH/EDE controlled substance rules, DOH ADHICS, and DHA/NABIDH requirements. It is intended to be directly implementable by the development team.

Role Definitions

For all roles below, user identity, employment status, and professional licence (where applicable) are mastered in ehr-patient-mgmt (users, providers, roles, permissions) and referenced by PIS.

Clinical Pharmacist

  • Description: Licensed pharmacist responsible for clinical verification of medication orders, interventions, medication reconciliation, and stewardship participation.
  • Typical UAE titles: Clinical Pharmacist, Inpatient Pharmacist, Ward Pharmacist.
  • Scope of access:
  • Clinical data: Full medication-related data (orders, dispensing, eMAR, allergies, labs relevant to dosing such as renal/hepatic function) for patients in assigned facilities/departments.
  • Can view but not edit core demographics (read-only from ehr-patient-mgmt).
  • Access limited to encounters where pharmacy services are involved (inpatient, ED, ambulatory prescriptions).
  • Reporting hierarchy:
  • Reports to: Pharmacy Supervisor or Pharmacy Manager.
  • Overseen by: Chief Pharmacist / Pharmacy Director.
  • Collaborates with: Attending physicians, residents, nurses.

Pharmacy Technician

  • Description: Technical staff performing medication picking, filling, packaging, and basic inventory tasks under pharmacist supervision.
  • Typical UAE titles: Pharmacy Technician, Assistant Pharmacist (where permitted), Pharmacy Assistant.
  • Scope of access:
  • Operational data: Dispensing worklists, inventory levels, lot/expiry, label printing.
  • Clinical data: Limited to medication order details required to dispense (drug, dose, route, frequency, indications) for patients whose orders are in their work queue.
  • No access to diagnoses, detailed clinical notes, or sensitive mental health data.
  • Reporting hierarchy:
  • Reports to: Pharmacy Supervisor / Clinical Pharmacist (shift lead).
  • Ultimately accountable to: Chief Pharmacist / Pharmacy Director.

Pharmacy Supervisor

  • Description: Senior pharmacist responsible for daily operations, staff supervision, and controlled substance oversight at the facility or department level.
  • Typical UAE titles: Senior Pharmacist, Pharmacy Supervisor, Pharmacy Manager.
  • Scope of access:
  • All Clinical Pharmacist permissions plus:
    • Staff worklists and productivity metrics.
    • Controlled substance vault configuration and reconciliation.
    • Local formulary overrides within P&T-approved rules.
    • Operational reports (dispensing volumes, error trends).
  • Access limited to assigned facility(ies); cross-facility access only if explicitly configured.
  • Reporting hierarchy:
  • Reports to: Chief Pharmacist / Pharmacy Director.
  • Supervises: Clinical Pharmacists, Pharmacy Technicians, Inventory staff.

Chief Pharmacist / Director

  • Description: Overall leader of pharmacy services, responsible for policy, formulary governance, regulatory compliance, and strategic planning.
  • Typical UAE titles: Chief Pharmacist, Director of Pharmacy, Head of Pharmacy Department.
  • Scope of access:
  • All Pharmacy Supervisor permissions plus:
    • Enterprise-wide formulary management and P&T committee workflows.
    • Regulatory reporting (MOH/EDE controlled substances, DOH/DHA quality indicators).
    • Contract and vendor-related pharmacy data (via integration with policy/contract modules).
    • Cross-facility analytics dashboards.
  • May have read-only access to all facilities’ pharmacy data; write access limited to policy/configuration, not clinical documentation.
  • Reporting hierarchy:
  • Reports to: Medical Director / Chief Medical Officer / Hospital CEO (depending on facility).
  • Chairs or co-chairs: Pharmacy & Therapeutics (P&T) Committee.
  • Oversees: Pharmacy Supervisors, Antimicrobial Stewardship Pharmacist, Inventory Manager, IV Pharmacy.

IV Pharmacist

  • Description: Pharmacist specialized in sterile compounding and IV admixture preparation.
  • Typical UAE titles: IV Pharmacist, Sterile Compounding Pharmacist.
  • Scope of access:
  • All Clinical Pharmacist permissions for patients requiring IV therapy in assigned units.
  • Additional access to IV admixture orders, compounding worksheets, BUD calculations, and gravimetric verification data.
  • Limited inventory access for IV room stock and high-risk medications.
  • Reporting hierarchy:
  • Reports to: Pharmacy Supervisor (Inpatient/IV) or Chief Pharmacist.
  • Supervises: IV Pharmacy Technicians (where applicable).

Antimicrobial Stewardship Pharmacist

  • Description: Pharmacist focused on antimicrobial stewardship, reviewing antibiotic use, culture results, and generating antibiograms.
  • Typical UAE titles: Antimicrobial Stewardship Pharmacist, Infectious Diseases Pharmacist.
  • Scope of access:
  • All Clinical Pharmacist permissions for patients with antimicrobial orders across assigned facilities.
  • Access to LIS culture/sensitivity results (via LIS integration), antimicrobial stewardship review records, and antibiogram reports.
  • May access limited diagnosis data relevant to infection management (ICD-10-AM codes, problem list).
  • Reporting hierarchy:
  • Reports to: Chief Pharmacist / Director of Pharmacy.
  • Functional reporting to: Infectious Disease Consultant / Infection Control Committee.

Nurse (eMAR role)

  • Description: Nursing staff responsible for medication administration and documentation using eMAR.
  • Typical UAE titles: Registered Nurse, Staff Nurse, Charge Nurse.
  • Scope of access:
  • eMAR for patients assigned to their ward/department and shift.
  • View-only access to medication orders, allergies, basic labs relevant to administration (e.g., INR for anticoagulants).
  • Can record administration, holds, refusals, PRN responses, and witness controlled substance waste.
  • No access to pharmacy inventory configuration or formulary management.
  • Reporting hierarchy:
  • Reports to: Nurse Manager / Charge Nurse.
  • Collaborates with: Clinical Pharmacists, Physicians.

Pharmacy Inventory Manager

  • Description: Staff responsible for procurement, stock management, vendor coordination, and expiry tracking.
  • Typical UAE titles: Pharmacy Inventory Manager, Pharmacy Storekeeper, Procurement Pharmacist (if licensed).
  • Scope of access:
  • Inventory dashboards, purchase orders, vendor master (via integration), par levels, expiry alerts.
  • Limited clinical data: only aggregated consumption trends and item-level usage; no patient-identifiable data.
  • Cannot view patient charts or eMAR.
  • Reporting hierarchy:
  • Reports to: Pharmacy Supervisor or Chief Pharmacist.
  • Collaborates with: Procurement department, Finance, Warehouse.

Permission Matrix

Legend:

  • ✅ = Allowed by default for that role.
  • ❌ = Not allowed.
  • 🔒 = Conditional / restricted (e.g., requires configuration, dual sign-off, or specific licence).

Roles:

  • CP = Clinical Pharmacist
  • PT = Pharmacy Technician
  • PS = Pharmacy Supervisor
  • CD = Chief Pharmacist / Director
  • IVP = IV Pharmacist
  • ASP = Antimicrobial Stewardship Pharmacist
  • NUR = Nurse (eMAR)
  • PIM = Pharmacy Inventory Manager
Permission / Function CP PT PS CD IVP ASP NUR PIM
Patient & Order Access
View medication orders for assigned patients
View limited clinical context (allergies, weight, key labs) 🔒
View full clinical notes 🔒 🔒 🔒 🔒 🔒
Search patients outside assigned ward/facility 🔒 🔒 🔒 🔒 🔒
Break-the-glass access to restricted patient record 🔒 🔒 🔒 🔒 🔒 🔒
Order Verification & Clinical Decision Support
Access pharmacist order verification queue (SCR-PIS-001) 🔒
Perform clinical verification of medication orders 🔒
Approve/verify routine medication orders 🔒
Approve/verify high-risk medications (e.g., chemo, TPN) 🔒 🔒
Approve/verify controlled substance orders 🔒
Override soft CDS alerts (e.g., minor interactions)
Request override of hard CDS alerts (requires justification & supervisor approval)
View CDS alert history for an order 🔒
Pharmacist Interventions & Stewardship
Create pharmacist intervention record
Edit own intervention records
View all interventions for a patient 🔒 🔒
Perform antimicrobial stewardship review (WF-PIS-008) 🔒 🔒 🔒 🔒
Manage stewardship rules (restriction criteria, review triggers) 🔒
Generate stewardship reports & antibiograms 🔒 🔒
Dispensing & eMAR
Access dispensing worklist (SCR-PIS-002)
Pick and fill medications 🔒 🔒 🔒 🔒
Perform barcode verification during dispensing
Perform final pharmacist check before dispensing
Record dispensing event (pharmacy_dispensing)
Access eMAR (SCR-PIS-003) 🔒 🔒 🔒 🔒 🔒
Record medication administration
Record PRN indication and response
Hold/omit dose with reason
Witness controlled substance waste at administration 🔒 🔒 🔒 🔒
IV Admixture & Compounding
Access IV admixture preparation screen (SCR-PIS-005) 🔒 🔒 🔒 🔒
Generate compounding worksheet 🔒 🔒 🔒 🔒
Scan ingredients and record compounding steps 🔒 🔒 🔒
Manage compounding recipes and standard concentrations 🔒
Manage BUD (beyond-use date) calculation rules 🔒
Controlled Substances (WF-PIS-006)
Flag order as controlled and assign schedule 🔒
Dispense from controlled substance vault 🔒 🔒 🔒
Record controlled substance transaction in register (SCR-PIS-006)
Perform daily controlled substance reconciliation 🔒 🔒
Manage controlled substance vault configuration 🔒
Generate MOH controlled substance compliance reports 🔒
Initiate discrepancy investigation workflow 🔒 🔒
Formulary & Clinical Content
View formulary and formulary item details (SCR-PIS-007) 🔒 🔒 🔒
Propose formulary changes / therapeutic interchange
Approve non-formulary medication requests 🔒 🔒 🔒
Manage formulary master data (add/remove items, restrictions) 🔒 🔒
Manage drug interaction knowledge base (local overrides) 🔒 🔒 🔒 🔒
Medication Reconciliation (WF-PIS-007)
Access medication reconciliation screen (SCR-PIS-009) 🔒
Document home medications and sources 🔒
Flag reconciliation discrepancies 🔒
Complete and sign-off reconciliation (per role policy) 🔒 🔒
Inventory & Procurement (SCR-PIS-008)
View inventory levels and stock movements 🔒 🔒 🔒
Adjust inventory counts (cycle count, corrections) 🔒 🔒 🔒
Place purchase orders to vendors 🔒 🔒
Receive shipments and record lot/expiry 🔒 🔒
Manage vendors and contracts (within pharmacy scope) 🔒
Manage par levels and reorder points 🔒 🔒
Manage expiry tracking and quarantine expired stock 🔒 🔒
Analytics & Reporting (SCR-PIS-010)
View personal performance metrics (e.g., interventions, verification TAT)
View unit/department-level pharmacy KPIs 🔒 🔒 🔒 🔒
View enterprise-wide pharmacy analytics 🔒 🔒 🔒
Export de-identified analytics data 🔒 🔒 🔒 🔒 🔒
Administration & Configuration
Manage PIS user-role assignments (within pharmacy) 🔒 🔒
Configure PIS module settings (alerts thresholds, queues) 🔒 🔒
View detailed audit logs for pharmacy activities 🔒 🔒 🔒 🔒 🔒
Initiate data correction requests (demographics, identifiers) 🔒 🔒 🔒 🔒 🔒 🔒 🔒 

**Notes for implementation:**

- 🔒 permissions must be controlled by configuration flags and/or additional attributes (e.g., `is_supervisor`, `is_stewardship_pharmacist`, `has_moh_cs_authorization`).
- Access to full clinical notes should be rare and justified (e.g., stewardship review); default is restricted to medication-relevant data.

---

## Role Hierarchy

Role inheritance is logical (permission sets), not necessarily HR reporting lines. Higher roles inherit all permissions of lower roles in their branch, except where explicitly restricted by policy.

```mermaid
graph TD
    CD[Chief Pharmacist / Director] --> PS[Pharmacy Supervisor]
    PS --> CP[Clinical Pharmacist]
    PS --> IVP[IV Pharmacist]
    PS --> ASP[Antimicrobial Stewardship Pharmacist]
    PS --> PT[Pharmacy Technician]
    CD --> PIM[Pharmacy Inventory Manager]
    %% Nursing is separate hierarchy but interacts with PIS
    NDIR[Chief Nursing Officer / Nursing Director] --> NUR[Nurse (eMAR)]
  • Inheritance rules:
  • Pharmacy Supervisor inherits all Clinical Pharmacist permissions plus supervisory functions.
  • Chief Pharmacist / Director inherits all Pharmacy Supervisor permissions plus strategic and regulatory functions.
  • IV Pharmacist inherits Clinical Pharmacist permissions for IV-related workflows plus compounding-specific permissions.
  • Antimicrobial Stewardship Pharmacist inherits Clinical Pharmacist permissions plus stewardship-specific permissions.
  • Pharmacy Technician does not inherit pharmacist permissions; it is a separate branch with operational focus.
  • Pharmacy Inventory Manager is a separate branch focused on inventory and procurement; no clinical permissions.
  • Nurse (eMAR) is outside pharmacy hierarchy; permissions are limited to eMAR and administration.

Context-Based Access Rules

Context-based controls must be enforced in addition to RBAC, in line with Federal Law No. 2 of 2019, UAE PDPL, DOH ADHICS, and DHA/NABIDH requirements.

1. Facility-Based Restrictions (Multi-Facility)

  • Each user is assigned one or more home facilities (via facilities in ehr-patient-mgmt).
  • PIS must: 1. Restrict patient and inventory access to the user’s assigned facility(ies) by default. 2. Allow cross-facility access only when:
    • The user has explicit multi-facility privileges (e.g., enterprise Chief Pharmacist), or
    • The patient is physically present in the user’s facility (encounter location match). 3. Ensure that inventory transactions cannot be performed on locations outside the user’s facility unless the user has enterprise inventory rights (typically PIM or CD).

2. Department / Ward-Based Restrictions

  • Users are mapped to departments/wards (e.g., ICU, Oncology, ED).
  • PIS must:
  • Limit eMAR access for nurses to patients admitted to their ward(s) and shift.
  • Limit pharmacist worklists to orders originating from their assigned departments, except:
    • Central pharmacy roles (e.g., overnight pharmacist) with broader coverage.
    • Stewardship roles that may span multiple departments.
  • Restrict IV compounding access to the IV room/sterile compounding department.

3. Patient Relationship Requirements

  • Access to patient-level data must be based on a treating relationship:
  • Pharmacists: Orders in their verification queue or patients in wards they cover.
  • Nurses: Patients assigned to their nurse assignment list or ward.
  • Stewardship Pharmacists: Patients with active antimicrobial orders.
  • PIS must:
  • Validate that a user has a current relationship before granting access to detailed medication data.
  • Deny access (or show minimal demographic info only) if no relationship exists, unless break-the-glass is invoked.

4. Time-Based Access (Shift-Based)

  • User shifts (start/end times) are managed in HR/scheduling modules and referenced by PIS.
  • PIS must:
  • Restrict eMAR write access (administration recording) to nurses during their active shift.
  • Restrict dispensing actions to pharmacy staff on duty; off-shift users may have read-only access for review.
  • Flag controlled substance transactions performed outside normal pharmacy hours for next-day supervisory review.
  • Optionally restrict high-risk operations (e.g., formulary changes) to business hours.

5. Emergency / On-Call Overrides

  • On-call pharmacists and supervisors may require broader access during off-hours.
  • PIS must:
  • Support an on-call flag that temporarily extends facility/department scope for designated users.
  • Log all on-call extended access events with reason and time window.
  • Ensure that on-call overrides do not bypass controlled substance dual-signature requirements.

Break-the-Glass (BTG) Procedures

BTG is required to access patient medication data outside the normal treating relationship or to access specially protected records (e.g., mental health, VIP patients) in emergencies. BTG must comply with UAE PDPL (healthcare exemption) and Federal Law No. 2 of 2019 confidentiality provisions.

1. When BTG is Required

  • Pharmacist or nurse needs urgent access to a patient not in their assignment list (e.g., code blue in corridor, mass casualty).
  • Stewardship pharmacist needs to review restricted records for life-threatening infection.
  • Access to sealed or specially protected records (e.g., flagged as restricted classification) where the user is not on the authorized list.
  • Cross-facility access in emergencies (e.g., shared on-call pharmacist covering multiple hospitals).

2. BTG Workflow

  1. Trigger: - User attempts to open a patient record or eMAR and fails relationship/context checks. - System displays BTG prompt.

  2. User Confirmation: - System shows warning:

    • “Emergency access (Break-the-Glass) is for genuine clinical emergencies only. All actions will be fully audited and reviewed.”
    • User must:
    • Select a reason code (e.g., “Cardiac arrest”, “Anaphylaxis”, “Mass casualty”, “Other – specify”).
    • Enter free-text justification.

  3. Access Grant: - System grants time-limited access (e.g., 30–60 minutes) to:

    • The specific patient record, or
    • A defined group (e.g., all patients in ED during declared mass casualty).
    • Scope is minimal necessary (medication and essential clinical data only).

  4. Audit Trail Requirements: - For each BTG event, log:

    • User ID, role, facility, department.
    • Patient ID(s) accessed.
    • Timestamp (start/end of BTG session).
    • Reason code and free-text justification.
    • IP address / device ID.
    • Actions performed (view, modify, dispense, administer).
    • Store BTG logs in an immutable audit table with retention aligned to clinical record retention (minimum 15–25 years per UAE practice).

  5. Post-Access Review: - Automatic notification to:

    • Pharmacy Supervisor for pharmacist BTG events.
    • Nurse Manager for nursing BTG events.
    • Data Protection Officer / Compliance for high-risk or repeated BTG events.
    • Supervisor must review within a defined SLA (e.g., 72 hours):
    • Validate that BTG use was clinically justified.
    • Mark event as “Justified” or “Potential Misuse”.
    • Document any follow-up actions (education, disciplinary measures).
    • Repeated unjustified BTG use triggers escalation to HR and Data Protection Officer.

3. UAE PDPL Implications

  • PDPL allows processing of health data without consent for treatment and emergency care, but:
  • BTG events must still be minimised, justified, and audited.
  • Data subjects have the right to know that their data has been accessed; the facility’s privacy notice should describe BTG.
  • PIS must:
  • Support reporting of BTG events as part of records of processing.
  • Provide evidence for PDPL compliance audits (who accessed what, when, and why).
  • Integrate BTG logs into the broader security incident monitoring framework (NESA/ADHICS).

Segregation of Duties

To reduce fraud, diversion, and errors—especially for controlled substances and inventory—PIS must enforce segregation of duties and dual sign-off where required.

1. Conflicting Role Combinations

The following role combinations must not be assigned to the same user account:

  • Clinical Pharmacist + Pharmacy Inventory Manager:
  • Risk: Single user could both prescribe inventory movements and verify clinical orders, masking diversion.
  • Pharmacy Technician + Pharmacy Inventory Manager (full scope):
  • Risk: Single user could receive stock, adjust counts, and dispense without oversight.
  • Pharmacy Technician + Pharmacy Supervisor:
  • Risk: Self-approval of controlled substance transactions and overrides.
  • Nurse (eMAR) + Clinical Pharmacist:
  • Risk: Same user could verify orders and administer medications, bypassing independent checks.
  • Chief Pharmacist / Director + System Administrator (from core HIS):
  • Risk: Ability to alter audit logs or security settings; system admin must remain separate in ehr-patient-mgmt.

Implementation:

  • Role assignment service must validate new assignments against a conflict matrix and block conflicting combinations.
  • Where a user legitimately performs multiple functions (e.g., small clinic), system must:
  • Require explicit risk acceptance by management.
  • Enforce additional controls (e.g., mandatory dual-signature for controlled substances, enhanced audit review).

2. Dual Sign-Off Requirements

PIS must enforce dual sign-off in the following scenarios:

  1. Controlled Substance Dispensing from Vault/ADC: - Two distinct users:

    • Dispenser (Pharmacist or Technician with permission).
    • Witness (Pharmacist, Supervisor, or Nurse, depending on policy).
    • System validation:
    • dispenser_user_id != witness_user_id.
    • Both users must be on duty and have appropriate roles.
    • Logged in controlled_substance_log.

  2. Controlled Substance Waste at Administration: - Nurse administering and nurse/pharmacist witnessing. - System validation:

    • administered_by != waste_witnessed_by.

  3. High-Risk IV Compounding Release: - IV Pharmacist prepares and verifies; Pharmacy Supervisor or second pharmacist performs final release for certain high-risk preparations (e.g., chemotherapy). - System validation:

    • prepared_by != verified_by.

  4. Inventory Adjustments Above Threshold: - Large negative adjustments or write-offs (e.g., > X vials or > Y AED value) require:

    • Initiator (Inventory Manager or Supervisor).
    • Approver (Chief Pharmacist or Finance-authorized user via integration).
    • System must block posting until both approvals are recorded.

  5. Formulary Overrides for Restricted Medications: - Non-formulary or restricted antibiotic approval requires:

    • Requesting prescriber (via CPOE).
    • Approving pharmacist (Stewardship or Supervisor).
    • PIS must record the approval and link it to the order.

UAE Regulatory Compliance

This section summarises how PIS roles and permissions support compliance with UAE regulations. For detailed legal references, see ../uae/uae-regulations.md and ../uae/data-protection.md.

1. Federal Law No. 2 of 2019 (ICT in Health Fields)

  • Confidentiality & Access Control:
  • RBAC and context-based access ensure only authorised healthcare professionals access patient medication data.
  • BTG procedures provide controlled emergency access with full audit trails.
  • Data Residency & HIE:
  • PIS integrates with NABIDH (Dubai) and Malaffi (Abu Dhabi) using HL7 v2.5.1; access to HIE data is limited to treating roles (pharmacists, nurses) and logged.

2. UAE PDPL (Federal Decree-Law No. 45/2021)

  • Lawful Basis:
  • Most PIS processing falls under treatment and health system management exemptions; explicit consent is not required for direct care.
  • Analytics exports and research use require de-identification or explicit consent and ethics approval.
  • Data Minimisation & Purpose Limitation:
  • Inventory roles (PIM) cannot see patient-identifiable data.
  • Technicians see only data necessary to dispense; no diagnoses or full notes.
  • Data Subject Rights & Auditability:
  • Detailed audit logs (including BTG) support access review and incident investigations.
  • Role-based restrictions reduce risk of unauthorised access, supporting PDPL compliance.

3. MOH / EDE Controlled Substance Regulations

  • Chain-of-Custody:
  • Controlled substance log with dual sign-off, vault management, and daily reconciliation supports MOH compliance.
  • Prescriber & Dispenser Controls:
  • Only pharmacists with appropriate roles can verify and dispense controlled substances.
  • Nurses can administer and witness waste but cannot alter vault balances.

4. DOH ADHICS & DHA/NABIDH Security Requirements

  • Access Control:
  • RBAC plus context-based restrictions align with ADHICS and NABIDH security controls for least privilege.
  • Audit & Monitoring:
  • BTG logging, dual sign-off, and segregation of duties support detection of misuse and diversion.
  • Integration Security:
  • PIS interfaces (e.g., INT-PIS-005/006 to NABIDH/Malaffi) must ensure that only authorised roles can trigger external submissions, and that all submissions are logged.

This roles & permissions specification should be implemented in the central RBAC engine (ehr-patient-mgmt) with PIS-specific permission codes, enforced at both API and UI layers for all PIS screens and workflows.

← Previous Pharmacy Information System Workflows Next → Pharmacy Information System Data Specifications
content/clinical/pis/02-roles-permissions.md Generated 2026-02-20 22:54