XpioHealth

If Staff Are Picking Locks, the Access Model Is Broken

You’re mid-session. The client is finally opening up about a crisis at home, and you need to pull a prior assessment to track a pattern you’ve been watching for weeks. The system blocks you. The record is there, but your role doesn’t have visibility into that field. So you stop. You ask a colleague to look it up. Or you text someone for a screenshot. Or you just document from memory and move on.

That moment, repeated across shifts and caseloads, is what access friction looks like in behavioral health. And it carries more weight than most organizations realize. When the workaround becomes the workflow, the compliance exposure follows.

The good news: most access friction comes from fixable mismatches between how permissions are configured and how care actually gets delivered.

What Good Access Feels Like and Where It Breaks Down

Role-based access control (RBAC) should be invisible when it’s working. The right chart elements appear when you need them. Sensitive records stay protected without creating roadblocks. Handoffs between intake, clinical, and billing flow without permission gaps that force someone to chase down information.

That’s the design intent. Here’s what frontline staff actually experience.

Intake coordinators can’t see the fields they need to complete initial assessments, so clinicians get pulled in to relay information that should already be accessible. Supervisors need chart visibility for oversight but don’t need editing access, and the system doesn’t distinguish between the two.

Coverage and on-call staff can’t access crisis-relevant details when they’re filling in, because their permissions mirror a default “clinical” template that wasn’t built for cross-caseload scenarios. And in organizations where the access request process takes days, staff share logins or text screenshots of records because the workaround is faster than the fix.

These aren’t reckless decisions. They’re rational responses to a permissions model that doesn’t match the work. Based on our work with behavioral health organizations, these friction patterns show up in nearly every access review we conduct. But every shared login, every texted screenshot, every copied record creates a compliance exposure that falls on the organization and, ultimately, on the people delivering care. Across healthcare settings, ambulatory physicians already spend nearly six hours on EHR tasks for every eight hours of scheduled patient time (AMA, 2024). Permission gaps compound that burden in ways that rarely show up in productivity reports.

When clinicians build workarounds to get their jobs done, the system has failed them. The workaround is a symptom. The permissions model is the cause.

A “Real Team” Model That Matches How You Actually Work

Generic RBAC categories like “Staff” or “Clinical” don’t reflect how behavioral health teams function. A counselor, an intake coordinator, a care coordinator, and a billing specialist all fall under broad role labels, but their workflow needs are completely different. SAMHSA has identified workload and control as two of six organizational drivers of burnout in behavioral health (SAMHSA, 2022). Poorly configured access contributes to both. It adds unnecessary steps to routine tasks and removes clinicians’ control over how efficiently they can deliver care.

A “Real Team” model maps permissions to recognizable roles based on what each position actually needs to do. Intake coordinators get access to demographic, insurance, and initial assessment fields with limited clinical note visibility. Clinicians see their own caseload documentation and appropriately segmented records, with billing detail restricted. Care coordinators get cross-caseload visibility for coordination without access to clinical notes outside their scope.

Billing staff see claims-relevant data without clinical narratives. Supervisors get read-level oversight across team caseloads without edit permissions.

Two additional roles matter in behavioral health and often get overlooked. Coverage and on-call staff need time-bound access to active crisis information that expires when the coverage period ends. Students and interns need narrower permissions with supervisor co-signature requirements built into the workflow.

Least privilege is the underlying principle. NIST defines it as granting each user the minimum access necessary to perform their assigned function (NIST, 2020). In practice, this means access expands based on documented workflow need, exceptions are time-bound and tracked, and emergency access exists with post-event review. Fair access rules give every role exactly what it needs to deliver care, with no unnecessary barriers and no unintended exposure.
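The role templates, time-bound coverage access, and reviewed emergency access described above can be expressed as a small policy check. This is an added example, not Xpio Health's code or any EHR's API; the role names, data categories, users, and the `Grant` and `AccessPolicy` classes are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed role templates: data category -> actions ("r" read, "w" write).
TEMPLATES = {
    "intake":     {"demographics": "rw", "insurance": "rw", "initial_assessment": "rw"},
    "clinician":  {"demographics": "r", "initial_assessment": "r", "clinical_notes": "rw"},
    "supervisor": {"initial_assessment": "r", "clinical_notes": "r"},  # oversight, no edit
    "billing":    {"demographics": "r", "insurance": "r", "claims": "rw"},
    "coverage":   {},  # nothing by default; access comes only from a time-bound grant
}

@dataclass
class Grant:
    """Tracked exception that expires, e.g. for one on-call shift."""
    user: str
    category: str
    actions: str
    expires: datetime

@dataclass
class AccessPolicy:
    roles: dict                                  # user -> role name
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)    # every decision, for later review

    def check(self, user, category, action, now, emergency_reason=None):
        allowed = action in TEMPLATES[self.roles[user]].get(category, "")
        via = "role"
        if not allowed:
            allowed = any(g.user == user and g.category == category
                          and action in g.actions and now < g.expires
                          for g in self.grants)
            via = "grant"
        if not allowed and emergency_reason and action == "r":
            allowed, via = True, "emergency"     # read-only, always queued for review
        if not allowed:
            via = "denied"
        self.audit.append((now, user, category, action, via, emergency_reason))
        return allowed

    def pending_review(self):
        """Emergency accesses awaiting post-event review."""
        return [e for e in self.audit if e[4] == "emergency"]

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 20, 0)             # constructed shift start
    p = AccessPolicy(roles={"ben": "coverage"})
    p.grants.append(Grant("ben", "crisis_plan", "r", t0 + timedelta(hours=12)))
    print(p.check("ben", "crisis_plan", "r", t0 + timedelta(hours=1)))   # during shift
    print(p.check("ben", "crisis_plan", "r", t0 + timedelta(hours=13)))  # after expiry
```

The `denied` entries in the audit list double as a record of where a template does not match the work, grouped by role and category.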

How to Document Friction and Help Fix It

If the principle sounds right but the reality doesn’t match, the gap between the two is where frontline intelligence matters most. Most organizations never ask the people doing the work where access is broken.

Your leadership team should be reviewing access governance (the companion piece to this post makes the case for why). When they do, documented friction from frontline staff is the most credible input they can get. ONC and CMS have both acknowledged that configuration and implementation decisions made at the organizational level are primary drivers of EHR usability challenges (HHS/ONC, 2020). That means the friction you’re experiencing is a design problem, and your observations are the diagnostic data.

Three practical exercises can turn daily frustration into actionable evidence. First, track the things you get blocked from every week. What are you trying to do, and what stops you? Second, identify what you can see but probably shouldn’t have access to. What shows up in your view that isn’t relevant to your role? Third, count the interruptions. How often do you ask someone else for access, and how often does someone ask you?

This documentation drives specific improvements. It eliminates repeated IT tickets by creating role templates that match actual job function. It produces cleaner handoff sequences from intake to clinician to billing, where each step has the right permissions pre-configured. And it shapes default views so clinicians stop wading through irrelevant screens.

The people closest to the work are the best diagnosticians for what’s broken in the system. Document the friction. That’s how it gets fixed.

Your Workflow Is the Evidence

Access friction feels small in the moment. One blocked field, one workaround, one interrupted session. But it compounds across every shift, every handoff, and every shared login. Most of it is fixable with targeted configuration changes. It starts with naming the friction, mapping permissions to how work actually happens, and making sure the people delivering care have a voice in the solution.

Based on our experience with behavioral health organizations, the most impactful access improvements start with the people who use the system every day describing exactly where it fails them. Your daily experience is valuable intelligence. Use it.


What’s the one access issue that costs you the most time every week? If you can name it, you’re already halfway to fixing it. Contact Xpio Health to build access models around how your frontline teams actually work.


References

  1. Sinsky, C.A. et al. EHR Time Across Ambulatory Specialties. Journal of General Internal Medicine. 2024. https://www.ama-assn.org/practice-management/digital-health/five-physician-specialties-spend-most-time-ehr
  2. Substance Abuse and Mental Health Services Administration. Addressing Burnout in the Behavioral Health Workforce Through Organizational Strategies. SAMHSA Publication No. PEP22-06-02-005. 2022. https://psnet.ahrq.gov/issue/addressing-burnout-behavioral-health-workforce-through-organizational-strategies
  3. National Institute of Standards and Technology. Security and Privacy Controls for Information Systems and Organizations. NIST SP 800-53, Rev. 5. 2020. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
  4. Office of the National Coordinator for Health Information Technology. Usability and Provider Burden. HHS. 2020. https://healthit.gov/usability-and-provider-burden/
