Staff Roles & Access Control in Therapy Clinics

• Clinician / therapist — full chart for assigned caseload, notes, measures
• Supervisor — supervisee charts per active supervision assignment
• Front desk / scheduler — demographics, calendar, portal setup — not note bodies
• Biller — accounts, claims, statements — limited clinical detail
• Practice administrator — staff management, settings, imports — broad but audited

Staff should see the minimum PHI required for their job. A scheduler rarely needs progress note content; a biller needs diagnosis and procedure codes tied to visits, not therapy narrative. Software roles should mirror that separation — not one “admin sees everything” login shared by five people.

• Individual credentials for every staff member
• Session timeout on idle staff workstations
• Optional MFA for clinicians and administrators
• Audit trail when sensitive records are viewed or exported
• Prompt deactivation when employment ends

Trainees get their own logins under supervision — not borrowed supervisor credentials. Supervisors review cosign workflows per your licensing board rules; software should support clear attribution of who wrote and who signed each note.