Accessing VIP/Dignitary Records
Purpose
Some patient records in the Immunization Information System (IIS) are protected by enhanced privacy controls due to their sensitive nature. These records belong to individuals classified as Very Important Persons (VIPs) or Dignitaries — such as government officials, foreign representatives, senior health executives, donors, or public figures.
Because these patients may require additional confidentiality and protection, access to their records is restricted. When a user attempts to open a VIP or Dignitary record, the system automatically requires re-authentication through a User Elevation dialog.
This ensures:
- Only authorized users can view or edit sensitive records.
- Each access event is properly documented with the user’s credentials, facility, and reason.
- All actions are traceable through the audit log for compliance and accountability.
Overview
The User Elevation process is an additional layer of security designed to protect patient confidentiality. It activates automatically when any user attempts to open a record marked as VIP, Confidential, or Restricted in the patient’s profile.
Until the user successfully re-authenticates, all identifying details and clinical data remain hidden. Once authorized, the record behaves like any other patient file — but the elevated access is temporary and expires after logout or session timeout.

The system requires user elevation before displaying a restricted record.
This feature aligns with Ministry of Health data governance policies and global best practices for the protection of personal health information.
1. User searches for a patient (standard search logic applies).
2. User selects View to open the record.
3. If the record is flagged as VIP, Confidential, or Restricted, the User Elevation dialog appears.
4. Upon successful re-authentication, the Break The Glass (BTG) banner activates.
5. User works within the session. When finished, selects End or logs out to close BTG.
Searching for VIP or Restricted Records
Before a user encounters the User Elevation prompt, they must first find the correct patient record. VIP, Confidential, or Restricted records are not searchable by any special method — they appear in the standard Search Patients view like all other records, provided the search criteria match the saved data.
Example: Searching for “Dill” returns Tommy Pickles, who is linked to a parent named Dill Pickles.
Understanding Search Logic
By default, the IIS uses AND logic when processing search terms. This means that every word typed into the search bar must appear in the record for a match to be returned.
- princess peach: ❌ No records found. The system searches for records containing both “princess” and “peach.”
- princess: ✅ Returns Princess Daisy. Returns all records containing the word “princess.”
“Princess Peach” not found because the search is too specific.
“Princess” returns “Princess Daisy,” which is a VIP record requiring elevation.
Once the correct record is found, selecting View will trigger the elevation process if the record has VIP, Confidential, or Restricted status assigned.
System Behaviour
When accessing a restricted record, the system behaves differently than with a standard record:
- Opening a standard patient record: The Patient Dashboard loads immediately.
- Opening a VIP / Dignitary / Restricted record: The User Elevation dialog appears before any data displays.
- Successful authentication: Record opens normally; elevated access is active for the current session.
- Authentication cancelled or failed: Access is blocked and the user is returned to the previous screen.
Patients flagged as Confidential or Restricted display this banner in the Waiting Room.
This prevents unauthorized users from viewing even basic demographic data (such as name or date of birth) until the system confirms who is requesting access and why.
Re-Authentication During Visits

When a Confidential, Restricted, or VIP patient appears in the Waiting Room, their record will display a red banner with a shield icon and the message:
“This record has been marked Confidential or Restricted and access requires additional authentication (Break the Glass condition).”
Each time a clinician clicks Visit or Start Visit for these patients, the User Elevation dialog will reappear — even if the user has already authenticated earlier in the same session.
This behaviour is intentional and ensures that:
- Only the clinician directly performing the action re-confirms access.
- Elevated access does not persist across screens or between visits.
- All re-authentications are recorded in the audit log for accountability.
The User Elevation Process
The User Elevation dialog appears immediately after the user selects View or Visit on a restricted record. This is a mandatory security check that must be completed before continuing.

The User Elevation dialog prompts for password, reason, and facility.
The dialog contains several fields that must be correctly filled before access is granted.
Field Details
- Username: Auto-filled with the user’s current login name.
- Password: Must be re-entered to confirm the user’s identity.
- Reason for Access: A required drop-down list documenting the purpose for access.
- Facility: Indicates the user’s current working site.
Selecting the Correct Access Reason
- Treatment: The user is directly involved in providing clinical care to the patient.
- Emergency Treatment: Immediate, life-saving access to the record.
- Public Health: Surveillance, contact tracing, or official reporting.
- Patient Request: The patient has requested review or update of their record.
- Administrative / Research: Authorized access for approved program or research use.
Dropdown list of access reasons.
After all fields are completed, click Login to continue. If successful, the patient’s record will open as usual, but elevated access will only remain active until the session ends or navigation changes.
VIP / Dignitary Status Field
The VIP / Dignitary Status field is located within Demographics and determines whether a patient record is subject to restricted access.

VIP / Dignitary Status field in the patient’s Demographics panel.
When a value is selected here, the IIS automatically applies access control policies to that patient. This means that any attempt to open the record will require user elevation, regardless of the user’s role.
Available Status Options
- Government Dignitary: National or provincial government official.
- Foreign Dignitary: Visiting representative or diplomat.
- Health Executive / Staff Physician: Senior member of the health service or hospital leadership.
- Board Member / Donor: Recognized funder or institutional partner.
- Staff Family Member: Close relative of a clinic or hospital employee.
- Very Important Person (VIP): Other public figure requiring elevated privacy.
- Other (Specify): Used for any case not covered by the above.
Duration and Expiry of Elevated Access
Once approved, elevated access remains active only for the current login session. When the user logs out or the session times out, the system automatically revokes elevated privileges. If the user returns later to the same record, they must repeat the User Elevation process.
If a user navigates away from the patient record — for example, to start a new visit or open another module — the elevated session will automatically close for security reasons. When returning to the patient’s record, the system will prompt for User Elevation again.
If a BTG session expires while the user is still viewing a restricted record, the system may display an error message or temporarily block actions until the user re-authenticates.
Restricted data are not visible during background synchronization or offline work — access must always be granted explicitly.
Session expiry ends elevated access automatically.
Break The Glass (BTG) Indicator
When a user successfully completes User Elevation, the system activates a Break The Glass (BTG) session. This indicates that the user is actively working within a restricted privacy context and that all actions are being recorded for audit.
The red BTG banner displays across the top of the screen when a restricted record is open.
The BTG banner remains visible for the entire duration of the elevated-access session and cannot be hidden. It acts as a visual reminder that the user is accessing sensitive data under special authorization.
Ending a BTG Session
When the review or update is finished, select End on the banner. This immediately closes the elevated session, hides restricted data, and records the action in the audit trail.
Ending a BTG session revokes elevated privileges immediately.
If a user logs out or the session times out, the BTG session ends automatically.
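The elevation lifecycle described in the two sections above (a grant scoped to one record, ended by End, timeout, or navigation, with every step audited), modelled as an added Python example. This is not IIS code: the class, method and event names, the sample credential and the 60-second timeout are assumptions; only the access reasons and record flags come from this page.

```python
import hmac

# Reasons and flags are from the page; API, event names and timeout are assumptions.
REASONS = {"Treatment", "Emergency Treatment", "Public Health",
           "Patient Request", "Administrative / Research"}
RESTRICTED = {"VIP", "Confidential", "Restricted"}

class LoginSession:
    """One login session holding at most one record-scoped BTG grant."""
    def __init__(self, user, check_password, clock, timeout_s=900):
        self.user, self.check_password = user, check_password
        self.clock, self.timeout_s = clock, timeout_s   # clock: e.g. time.monotonic
        self.btg, self.audit = None, []   # btg = (record_id, expires_at) while elevated

    def _log(self, event, record_id, **extra):
        self.audit.append({"event": event, "user": self.user, "record": record_id, **extra})

    def elevate(self, record_id, password, reason, facility):
        ok = reason in REASONS and bool(facility) and self.check_password(self.user, password)
        self._log("ELEVATION_GRANTED" if ok else "ELEVATION_DENIED", record_id,
                  reason=reason, facility=facility)
        self.btg = (record_id, self.clock() + self.timeout_s) if ok else None
        return ok

    def end_btg(self, cause="END_SELECTED"):   # also called on logout
        if self.btg:
            self._log("BTG_ENDED", self.btg[0], cause=cause)
        self.btg = None

    def view(self, record):
        if self.btg and self.btg[0] != record["id"]:
            self.end_btg("NAVIGATED_AWAY")     # grant never follows the user elsewhere
        if not RESTRICTED & set(record["flags"]):
            return record["data"]              # standard record opens immediately
        if self.btg and self.clock() >= self.btg[1]:
            self.end_btg("SESSION_TIMEOUT")
        if self.btg is None:
            return None                        # caller shows the User Elevation dialog
        self._log("RESTRICTED_VIEW", record["id"])
        return record["data"]

def demo():
    now = [0.0]                                # constructed clock and sample credential
    s = LoginSession("nurse1", lambda u, p: hmac.compare_digest(p, "sample-pass"),
                     clock=lambda: now[0], timeout_s=60)
    vip = {"id": "P-1", "flags": ["VIP"], "data": {"name": "Princess Daisy"}}
    steps = [s.view(vip), s.elevate("P-1", "sample-pass", "Treatment", "Clinic A"), s.view(vip)]
    now[0] = 61.0                              # the session timeout passes
    return steps + [s.view(vip)], [e["event"] for e in s.audit]
```

Denied elevations are logged as well as granted ones, so an audit review sees failed attempts against a restricted record and not only successful access.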
Oversight and Access Roles
Both clinical staff and authorized administrators interact with restricted records, but with different levels of permission:
Clinical Staff
- Can access restricted or VIP records through User Elevation for legitimate patient care (e.g., treatment, vaccination, or follow-up).
- Must always enter a valid Reason for Access such as Treatment or Public Health.
Supervisors / Managers
- Can review audit logs or confirm correct use of elevation within their facility.
- Do not modify national-level configuration.
System Administrators / Ministry Teams
- Configure VIP categories, monitor system-wide audit activity, and ensure compliance with national privacy policy.
- Manage policy settings in coordination with UNICEF technical teams.
HIV Confidentiality
All HIV status observations in the IIS are automatically treated as confidential records. This applies to every result — positive, negative, unknown, or not asked — to prevent users from inferring a patient’s HIV status based on whether access is restricted.
When a record containing HIV data is opened, the system requires User Elevation (Break the Glass) before any HIV-related details are displayed. Only users who re-authenticate with a valid Reason for Access (such as Treatment or Public Health) can view or update HIV results.
Summary
The Accessing VIP / Dignitary Records and Break The Glass (BTG) features work together to protect sensitive health information. They ensure that data belonging to dignitaries, VIPs, or confidential patients can only be viewed or updated when appropriate authorization is granted — and that every action is documented for accountability.
Through user elevation, BTG visibility, and detailed audit logging, the IIS enforces a transparent, traceable, and compliant privacy framework consistent with national data-protection standards and WHO digital health guidance.