One of the privacy issues in HIFIS 4 was reporting. You could set up your user rights templates to be as limited as you wanted, but when it came to reports, it was all or nothing.
If you gave a user permission to run reports, they could run all reports, and the reports could be designed to pull data from anywhere. So reports acted as a bit of a loophole. Maybe I want to share some case management information but not other information, so I’ll make a report, and now even users that don’t have access to the case management module can access case management data through the report.
Confused? You’re not alone.
It was exhausting for many communities to think about what reports they wanted. Maybe front line staff at shelters had the need for a report that gave them a list of wake-up times, or food allergies. And maybe housing-based case managers had the need for a report that gave an output of a single client’s full SPDAT assessment. But in order to give shelter staff access to the food allergies report, they’d also gain access to the SPDAT report. And the case managers didn’t need a list of wake-up times, so it was hard for them to find the few reports that were useful for them.
With HIFIS version 4.0.54, communities have a lot more control over who can access what reports.
The Add Report screen now includes two additional fields: Report Categories and Service Providers.
When you add a report, you can specify which Service Providers will be able to access and run this report.
This is a great starting point that already helps clarify things. You have some reports that are useful for shelters; other reports that are useful for case managers. Maybe some of your service providers are drop-in centres or eviction prevention service providers that have different needs yet again. And perhaps some of the reports only make sense at a system level.
The second level of customization you can build in is through the use of the Report Categories field. You can define your own categories through Look-Up Tables.
There are lots of different ways you might conceptualize your Report Categories. A good starting point might be deciding that some reports are Operational (used by front-line staff on a day-to-day basis, like a list of food allergies, a sign-in sheet, or a chores list). You might decide that some other reports are Dashboard reports (used by system administrators and program managers, to study things like your client inflow and outflow). You might define some reports to be a Single Client Output (maybe you could work on your name for this) that might include a client face sheet or a hard copy of a client’s SPDAT, VI-SPDAT, or VAT assessment. You could categorize some reports as Aggregated or Non-Aggregated, and define access to these differently – maybe Aggregated reports are available to be accessed by more people, because they don’t identify any clients.
You can define lots of different Report Categories, and each report can even have multiple categories associated with it.
Okay, so now you’ve defined your categories and you’ve put every report into at least one category. Now what? The second half of Report Categories is defining who can access that category. This is done through User Rights Templates.
Now, when you add a User Rights Template, you can specify which Report Categories users with this template will have access to. This helps you define access by saying things like front line staff only have access to the reports they need to do their jobs.
From the HIFIS Development Team:
If a User is using a Rights Template at the organization where they are logged in, when accessing the Reports module HIFIS looks a combination of the template’s Report Categories and the template’s Rights. If a User is not using a Rights Template, HIFIS looks at the Report Categories directly on the User’s profile and the Rights for the user where they are logged in. The combination of Rights, Report Categories, and the Service Provider, is compared against the Report Categories and Report Service Providers of each Report to determine if the User should be authorized for access. When a report has been selected and the User is prompted to select Service Providers to run the report on, the User’s Rights and Report Categories are evaluated for every organization.