RBAC, or role-based access control, assigns permissions to roles — clinician, nurse, scheduler, billing clerk, administrator — rather than to individuals, and people then inherit their access by being members of a role. The value is operational tractability: instead of managing thousands of individual permission grants, you manage a handful of roles, and onboarding, access reviews, and offboarding become a matter of changing role membership. When a nurse leaves, you remove them from the nurse role and their access evaporates cleanly, which is exactly the kind of clean revocation auditors and the HIPAA access-management requirements expect.
Healthcare, however, strains pure RBAC quickly. The core problem is that clinical access is relational, not categorical: a clinician should reach their patients, not all patients. A role of "clinician" that grants access to every chart is too coarse and recreates the over-access problem RBAC was supposed to solve. This is why real clinical systems layer relationship-based and attribute-based checks on top of roles — the role says what kind of thing you may do, and the relationship says to which patient.
The practical pitfall is role explosion. Teams respond to every edge case by minting a new narrow role, and within a year there are hundreds of overlapping roles nobody can reason about — at which point RBAC quietly stops providing the auditability that justified it. Keep the role catalog small, named in business terms, and regularly reviewed, and push fine-grained distinctions into attributes and relationships rather than into ever more roles.
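The layering the last two paragraphs describe, written out as an added Python example that is not part of the original article: a small role catalog decides what kind of action a user may perform, and a separate care-team relationship decides for which patient, so a clinician can reach their own patients but not every chart. The role names, permission strings, user ids and patient records are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Small role catalog named in business terms; permissions are "resource:action"
# strings. All values here are constructed for the example.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "clinician":     {"chart:read", "chart:write", "order:create"},
    "nurse":         {"chart:read", "vitals:write"},
    "scheduler":     {"appointment:read", "appointment:write"},
    "billing_clerk": {"claim:read", "claim:write"},
}

# Permissions that only make sense relative to a particular patient. Everything
# else (scheduling, claims) is decided by the role alone in this example.
PATIENT_SCOPED = {"chart:read", "chart:write", "order:create", "vitals:write"}


@dataclass
class User:
    user_id: str
    roles: set[str]


@dataclass
class Patient:
    patient_id: str
    care_team: set[str]   # user_ids with a current treatment relationship


def role_allows(user: User, permission: str) -> bool:
    """Pure RBAC: does any role the user holds carry this permission?
    It never looks at the patient, which is the over-access problem in the text."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)


def authorize(user: User, permission: str, patient: Patient | None = None) -> bool:
    """Layered check: the role says what kind of action is allowed, the
    care-team relationship says for which patient it is allowed."""
    if not role_allows(user, permission):
        return False                      # role gate fails, nothing else matters
    if permission not in PATIENT_SCOPED:
        return True                       # not patient data; role alone decides
    return patient is not None and user.user_id in patient.care_team


def revoke_role(user: User, role: str) -> None:
    """Offboarding: drop the role and every permission it carried goes with it."""
    user.roles.discard(role)
```

Note that `role_allows` alone would let any clinician read any chart; only `authorize`, with the care-team check, gives the relational behaviour the text calls for, and `revoke_role` shows the clean revocation that makes the model auditable.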

