What does role-based access control (RBAC) do?

• A. A security model that blocks all access regardless of role.
• B. A security model where all users have full access to patient data.
• C. Access rights are assigned based on the user’s role to improve security and compliance.
• D. A model that uses passwords only for authentication.

Answer: (C)

RBAC assigns access rights based on a user’s role, so each person can perform only the actions their job requires. In healthcare IT this means clinicians, nurses, admins, and others access different parts of the system according to their role, which helps protect patient privacy and support regulatory compliance. By tying permissions to roles, organizations can enforce least privilege, make auditing easier, and simplify administration since changing a person’s role updates their access automatically. It’s not about blocking all access, giving everyone full access, or relying on passwords alone for access decisions—authentication verifies identity, while RBAC governs what that authenticated user is allowed to do based on their role.