CareHub provides flexible, customizable user permission settings that let your organization control access by role, module, and participant. This article walks through user access levels, roles, cohorts, and security roles, and explains how they work together across CareHub and the Clinical EMR.
These features will be rolled out in discussion with each PACE org July 2026.
π₯ See a full video walkthrough:
Overview of user permissions in CareHub
CareHub provides four levels of user permissions:
- Access β Privilege set to Org Admin, Standard User, or Read-Only.
- Role β Built-in PACE roles and/or IDT roles.
- Security Roles β Access to modules and actions.
- Cohorts β Participant access, assigned by security role.
User access
- Org Admin β Full access to Settings, including managing users, roles, cohorts, and security roles. Module and field level permissions are configurable.
- Standard User β Access based on assigned permissions.
- Read-Only User β Can view information but cannot make edits.
β Note: New users default to Basic access in CareHub. PACE org is responsible for assigning security roles and patient cohorts as applicable.
User roles: primary and secondary
Each user is assigned a primary role and may also have a secondary IDT role if needed.
Examples:
- An RN who also functions as a Home Care Coordinator.
- A staff member with dual responsibilities across teams.
How roles are managed:
- New users added to shared user roster will be assigned a primary IDT role.
- Org Admins can edit roles in CareHub > Settings > Users > Edit
- Update a primary role and, if applicable, a secondary IDT role.
Security roles vs. access levels
- Access level determines who can administer settings.
- Security roles determine what users can see and do.
Security roles control:
- Module access and permissions
- Report visibility
- Participant (patient) access
- Special field-level permissions
Security roles are fully customizable and can be combined as needed β though best practice is to limit users to as few roles as possible, since CareHub always grants the highest permission level assigned.
Patient cohorts and participant access
If access needs to be restricted to specific participants, patient cohorts must be created first.
Step 1: Create patient cohorts in the Clinical EMR
Patient cohorts begin in the Clinical EMR and control chart access.
- Navigate to Settings β Admin Users Only β Security & Privacy.
- Choose a chart access control method:
- Strict Access Control (recommended): Unauthorized users cannot access charts.
- Warnings & Optional Bypass (optional): Allows users without temporary access to restricted patient chart (this will be logged for administrator review)
β Best practice: Use Strict Access Control.
Step 2: Define cohort criteria using patient tags
Criteria options are limited, so patient tags are recommended.
To create or assign patient tags:
- Open a participant's chart.
- Select Edit.
- Add or update the patient tag.
- Save changes.
Org Admins control which tags are available.
Step 3: Create user groups
User groups define which users will have access to a cohort.
- Navigate to Settings β Admin Users β User Groups.
- Create a group (for example, "IDT Blue").
- Add users from the active user list.
- Save.
β Tip: Use the same naming for patient tags, user groups, and cohorts to avoid confusion.
Step 4: Create patient cohorts in the Clinical EMR
- Navigate to Reports β Patient Cohorts.
- Select Create a Patient Cohort.
- Choose criteria (recommended: patient tags).
- Preview participants.
- Save the cohort.
- Assign the corresponding user group.
Once created, cohorts automatically update as patients meet the criteria.
Creating cohorts in CareHub
After Clinical EMR setup is complete:
- Navigate to CareHub β Cohorts.
- Select Actions β Add New Cohort.
- Name the cohort (match Clinical EMR naming).
- Optionally add a description.
- Select participants.
- Select Add Cohort.
Important notes:
- The user adding participants must have full system access.
- Unlike the Clinical EMR, new participants must be manually added to existing CareHub cohorts.
Creating and managing security roles
Step 1: Create a security role
- Navigate to Settings β Security Roles.
- Select Add Security Role.
- Enter a name and description (recommended).
- Assign users individually or by team.
Step 2: Configure module permissions
All users always have access to:
- Tasks*
- IDT Meeting
- Scheduling
Other modules can be set to one of the following levels:
| Permission level | What it allows |
|---|---|
| None | Module is hidden from the user's navigation. |
| Read | View only. |
| Write | Full edit access. |
| Delete | Full edit access, plus the ability to remove items (highest permission). |
Some modules behave differently regardless of the level selected:
| Module group | Modules | Available access |
|---|---|---|
| Always accessible | Tasks, IDT Meeting, Scheduling | Available to all users; cannot be restricted. |
| Read-only | Timeline, Conditions, Labs, Vitals | View only; these modules cannot be edited in CareHub. |
| Configurable | All other modules | None, Read, Write, or Delete. |
Assessment permissions
Assessment access combines module-level permissions (None/Read/Write/Delete) with two field-level controls: Edit assessment details and Edit all assessments (without being assigned). Role-based section editing is preserved β users can edit only the sections assigned to their role, and unassigned sections remain read-only unless they have the "edit all assessments" permission.
| Action | Read | Write | Delete | Edit assessment details | Edit all assessments (without being assigned) FUTURE RELEASE-Q3 2026 |
|---|---|---|---|---|---|
| View assessments | β | β | β | β | β |
| Edit who is assigned to an assessment | β | β | β | β | β |
| Edit sections assigned to the user | β | β | β | β | β |
| Edit sections regardless of assignment | β | β | β | β | β |
| Remove Standard Assessment or Status Change Assessment | β | β | β | β | β |
Care Plan permissions
Care Plan access combines module-level permissions (None/Read/Write/Delete) with field-level control: Can change care plan due date.
| Action | Read | Write | Delete | Can change care plan due date |
|---|---|---|---|---|
| View care plans | β | β | β | β |
| Edit care plan due date | β | β | β | β |
| Edit care plan | β | β | β | β |
| Remove intervention | β | β | β | β |
SDR permissions
SDR access is module-level permissions only (None/Read/Write/Delete)
| Action | Read | Write | Delete |
|---|---|---|---|
| Add new SDR | β | β | β |
| View SDR | β | β | β |
| Edit SDR | β | β | β |
| Apply SDR Extension | β | β | β |
| Withdraw SDR | β | β | β |
| Remove SDR | β | β | β |
Incident permissions
Incident access is module-level permissions only (None/Read/Write/Delete)
| Action | Read | Write | Delete |
|---|---|---|---|
| Add new incident | β | β | β |
| View Incident | β | β | β |
| Edit Incident | β | β | β |
| Delete incident | β | β | β |
Medication Administration permissions
Medication Administration access is module-level permissions (None/Read/Write/Delete) with role-based considerations if Co-Signature applies.
| Action | Read | Write | Delete | Registered Nurse role |
|---|---|---|---|---|
| View Active Medications | β | β | β | β |
| View Medication Administration | β | β | β | β |
| Add Medication to MAR (Routine or PRN) | β | β | β | β |
| Record Medication Administration | β | β | β | β |
| Amend Medication Administration *same day only | β | β | β | β |
| Remove Medication from MAR (Routine or PRN) | β | β | β | β |
| Record Co-Signature for Medication Administration | β | β | β | β |
Grievance permissions
Grievances use a dedicated Grievance Permissions section on the security role, separate from the general module levels above. There are two access levels β Admin and Non-Admin. Tasks associated with grievances follow these same permissions.
| Action | Admin | Non-Admin |
|---|---|---|
| Create grievances | β | β |
| View / edit grievances they created or are assigned to | β | β |
| View / edit all grievances | β | β |
| Resolve, close, withdraw, remove, or restore a grievance | β | β |
| View / edit tasks for grievances they created or are assigned to | β | β |
| View / edit tasks for all grievances | β | β |
Non-Admin users cannot see grievances they did not create or are not assigned to, and *tasks tied to grievances outside their scope are hidden from them. Admin users see all grievances and all grievance-related tasks regardless of assignment.
Step 3: Configure report permissions
- Determines which reports appear in the left-hand navigation.
- If all are set to None, the Reports module is hidden.
Step 4: Configure participant access
Options include:
- View All Participants β No restrictions.
- Cohort-Based Access β Limit access to assigned cohorts.
- Individual Participants β Extend access beyond a cohort if needed.
β οΈ Reminder: Clinical EMR permissions must also align.
Step 5: Field-level permissions
Optional permissions are
- Viewing Social Security Numbers- this allows user to view in Participant Profile upon "Edit" action. SSN does not appear in the main view.
- Deleting tasks - delete a task assigned to themselves or another user. *This permanently removes from the system with no ability to restore or track via change log.
- Changing care plan due dates - with a draft open, update the care plan due date for all users
- Mark participant as test -- option within profile or enrollment to designate participant as test, therefore not including them in any reporting
- edit assessment details - re-assign users who are assigned to complete an In Progress assessment
Select Add Security Role to save.
Updating user permissions
User permissions can be updated:
- Through the Security Role
- Directly on an individual user record
Changes take effect immediately.
What users experience by role
- Basic (permissions enabled, no security role assigned) β Access only to Tasks, IDT Meeting, and Scheduling.
- Read-Only Role β Can view all modules but cannot edit.
- Cohort-Restricted Role β Can only see participants assigned to their cohort.
If a user lacks chart access in the Clinical EMR, they may see an "Access Not Authorized" message when attempting to open a chart.
Best practice recommendations
- Assign only one Security Role per user whenever possible.
- If multiple roles are required, remember that the highest permission always overrides lower permissions.
- Use Delete permissions sparingly due to their broad impact.
Frequently Asked Questions
A user can't see a module in their navigation. Why?
If a user has no Read access to a module, that module is hidden entirely. If permissions are enabled and the user has no security role assigned, they will only see Tasks, IDT Meeting, and Scheduling. Assign an appropriate security role to restore access.
A user has two roles with different permission levels for the same module. Which one applies?
The highest permission always wins. CareHub grants the highest level assigned across all of a user's roles, so a permissive secondary role will override a more restrictive primary role. If a user needs limited access, avoid assigning an additional permissive role.
A user sees an "Access Not Authorized" message when opening a participant's chart. What's wrong?
This means the user lacks chart access in the Clinical EMR. CareHub cohort access and Clinical EMR permissions must align β confirm the user belongs to the correct user group and cohort in the Clinical EMR.
I enrolled a new participant, but a cohort-restricted user still can't see them. Why?
In the Clinical EMR, cohorts update automatically as participants meet the criteria. In CareHub, new participants must be manually added to existing cohorts. Add the participant to the relevant CareHub cohort to grant access.
How do I give a user access to only a specific group of participants?
Use Cohort-Based Access on the security role and assign the appropriate cohort. If a user needs access to a few participants beyond their cohort, use the Individual Participants option to extend access.
A user needs to view Social Security Numbers or delete tasks. How do I enable that?
These are field-level permissions configured on the security role (Step 5). Field-level permissions also include changing care plan due dates. Enable the specific permission the user needs on their assigned role.
Why can't a Read-Only user edit anything?
A Read-Only role allows the user to view all modules they have access to but not make edits. To allow editing, assign a security role with Write (or Delete) permissions for the relevant modules.
Do permission changes take effect right away?
Yes. Changes made through a security role or directly on a user record take effect immediately.
Need help?
If you have questions about user permissions:
- PreβGo Live: Discuss with your Implementation Consultant or Training Consultant.
- PostβGo Live: Submit a Support ticket.
Updated July 7, 2026
Comments
0 comments
Please sign in to leave a comment.