Chapter 3: User Roles & Permissions
Chapter Overview
What You'll Learn:
- Understanding all standard user roles in the system
- What permissions each role has
- The difference between platform roles and agency roles
- How to use the Custom Role Builder (advanced feature)
- Best practices for assigning roles to staff
- Security considerations for role management
Time to Complete: 15-20 minutes
Who Should Read This: Agency Administrators, Clinical Managers, anyone managing staff accounts
Prerequisites: Complete the Sandbox Signup and Dashboard Navigation chapters
3.1 Understanding User Roles
What are User Roles?
User Roles determine what a user can see and do in the system. Each role has a specific set of permissions that control access to features and data.
Key Concepts:
Role = A job function with predefined permissions
- Example: "RN Case Manager" can document visits, create care orders, etc.
Permission = Access to a specific feature or action
- Example: "CREATE_PATIENT" permission allows creating new patient records
User = A person assigned one or more roles
- Example: John Smith is an "RN Case Manager"
Two Types of Roles
The system has two categories of roles:
1. Platform Roles (Super Admin Level)
These are special roles for managing the entire platform:
| Role | Purpose | Access Level |
|---|---|---|
| Super Administrator | Platform management | ALL agencies, full access |
| Sales & Onboarding | Agency setup and support | Can create agencies, view all |
| Support Engineer | Technical support | Read-only access to agencies |
🔒 SECURITY: Platform roles are assigned by Betasky staff only. Agency administrators cannot create or assign these roles.
ℹ️ NOTE: If you're an agency user, you won't see or interact with platform roles. These are for Betasky internal staff only.
2. Agency Roles (Agency Level)
These are the standard roles for your agency staff:
| Role | Typical Job Function |
|---|---|
| Agency Administrator | Executive Director, Administrator |
| Clinical Manager | Director of Nursing, Clinical Director |
| Scheduler | Scheduling Coordinator |
| Biller | Billing Manager, Revenue Cycle Staff |
| Intake Coordinator | Admissions Coordinator |
| RN Case Manager | Registered Nurse, Care Coordinator |
| LPN / LVN | Licensed Practical Nurse |
| Therapist | PT, OT, SLP |
| Home Health Aide | HHA, CNA |
Plus: Custom Roles (if you have the Custom Role Builder feature)
3.2 Standard Agency Roles Explained
Let's explore each standard agency role in detail.
1. Agency Administrator
Who: Executive Director, Administrator, Owner
Access Level: FULL AGENCY ACCESS
What They Can Do:
- ✅ Manage all agency settings (NPI, CCN, address, etc.)
- ✅ Create, edit, and delete users (all staff)
- ✅ Assign roles and permissions
- ✅ Set up payers, pharmacies, physicians
- ✅ Configure fee schedules and rates
- ✅ Access ALL patients and care orders
- ✅ View and manage ALL branches (multi-location)
- ✅ Schedule visits, document visits
- ✅ Perform QA reviews
- ✅ Generate and submit claims
- ✅ Post payments
- ✅ Submit OASIS to CMS (production)
- ✅ View all reports and analytics
- ✅ Request Go Live to production
Permissions Include:
- Full user management
- Full patient management
- Full clinical documentation
- Full billing access
- Full reporting access
- System configuration
💡 BEST PRACTICE: Limit Agency Administrator role to 1-3 trusted individuals. This role has complete control over the agency's system.
⚠️ SECURITY: Agency Administrators can delete users, modify sensitive data, and access billing information. Assign carefully.
2. Clinical Manager
Who: Director of Nursing, Clinical Director, Nurse Manager
Access Level: CLINICAL OVERSIGHT
What They Can Do:
- ✅ View all patients and care orders
- ✅ Create and edit patients
- ✅ Manage care orders (create, edit, initiate recertifications)
- ✅ Perform QA reviews (approve/return documents)
- ✅ Schedule visits for all clinicians
- ✅ View and manage compliance tasks
- ✅ Access OASIS submissions
- ✅ Create and manage physicians
- ✅ View reports and analytics
- ✅ Document visits (if also a clinician)
What They CANNOT Do:
- ❌ Modify agency settings (NPI, CCN, etc.)
- ❌ Create or delete users
- ❌ Change user roles or permissions
- ❌ Set up fee schedules or billing rates
- ❌ Generate claims or post payments
- ❌ Access Payment Posting module
Use Case:
- Clinical oversight of all patient care
- QA review authority
- Schedule management
- Compliance monitoring
- Staff clinical performance review
💡 BEST PRACTICE: Assign to your Director of Nursing or Clinical Director who oversees care quality but doesn't need billing access.
3. Scheduler
Who: Scheduling Coordinator, Office Manager (scheduling focus)
Access Level: SCHEDULING FOCUSED
What They Can Do:
- ✅ Access Schedule Center (full scheduling board)
- ✅ Create and schedule visits
- ✅ Assign visits to clinicians
- ✅ Reschedule and cancel visits
- ✅ View patient information (to schedule appropriately)
- ✅ View care orders (to schedule within cert period)
- ✅ Manage compliance tasks
- ✅ View clinician schedules
- ✅ Mark visits as missed
What They CANNOT Do:
- ❌ Document visits (clinical documentation)
- ❌ Perform QA reviews
- ❌ Create or edit patients
- ❌ Create care orders
- ❌ Access billing or claims
- ❌ Submit OASIS
- ❌ Modify agency settings
Use Case:
- Dedicated scheduling role
- Manages agency calendar
- Coordinates clinician assignments
- Monitors visit completion
💡 BEST PRACTICE: Perfect for non-clinical staff who manage the schedule full-time. They can see patient names and basic info but can't access detailed clinical data.
4. Biller
Who: Billing Manager, Revenue Cycle Specialist, Billing Coordinator
Access Level: BILLING & FINANCIAL FOCUSED
What They Can Do:
- ✅ Access Claims Center (all tabs)
- ✅ Generate claims from billable visits
- ✅ Mark claims as submitted
- ✅ Track claim status
- ✅ Manage claim denials
- ✅ Access Payment Posting
- ✅ Post payments to claims
- ✅ Process remittance batches (ERA/EOB)
- ✅ View patient information (for billing)
- ✅ View care orders (for claim grouping)
- ✅ Set up and manage fee schedules
- ✅ Configure billing rates
- ✅ View financial reports
What They CANNOT Do:
- ❌ Document visits (clinical documentation)
- ❌ Perform QA reviews
- ❌ Schedule visits
- ❌ Create or edit patients (beyond billing info)
- ❌ Submit OASIS to CMS
- ❌ Modify agency settings (except fee schedules)
Use Case:
- Revenue cycle management
- Claims submission and tracking
- Payment posting
- Denial management
- Financial reporting
💡 BEST PRACTICE: Billers need access to patient and visit data for claims but don't need clinical documentation access. They focus on the financial workflow.
5. Intake Coordinator
Who: Admissions Coordinator, Intake Specialist, Referral Coordinator
Access Level: PATIENT INTAKE FOCUSED
What They Can Do:
- ✅ Create new patients (full intake process)
- ✅ Complete all 9 intake tabs (Demographics through Referral Info)
- ✅ Edit patient information
- ✅ View patient list
- ✅ Access intake forms and data
- ✅ Create physicians (for referrals)
- ✅ View payers (for insurance verification)
- ✅ View pharmacies
What They CANNOT Do:
- ❌ Create care orders
- ❌ Schedule visits
- ❌ Document visits
- ❌ Perform QA reviews
- ❌ Access billing or claims
- ❌ Submit OASIS
- ❌ View sensitive clinical documentation
Use Case:
- First point of contact for new patients
- Completes intake paperwork
- Verifies insurance
- Gathers referral information
- Hands off to clinical team after intake is complete
💡 BEST PRACTICE: Intake Coordinators should complete the patient intake, then clinical staff take over for care orders and visits.
6. RN Case Manager
Who: Registered Nurse, Care Coordinator, Case Manager, RN Clinician
Access Level: FULL CLINICAL ACCESS
What They Can Do:
- ✅ View and edit assigned patients
- ✅ Create care orders for their patients
- ✅ Schedule visits for their patients
- ✅ Access My Schedules (personal schedule)
- ✅ Document ALL visit types (SN, OASIS, supervisory, etc.)
- ✅ Complete OASIS assessments (all types)
- ✅ Submit OASIS for QA review
- ✅ Create and edit HHA Care Plans
- ✅ Initiate recertifications
- ✅ Initiate discharge, transfer, death assessments
- ✅ Create physician orders
- ✅ View care order details
- ✅ Access patient clinical data
- ✅ View QA feedback on returned documents
What They CANNOT Do:
- ❌ Perform QA reviews (can't approve own work)
- ❌ Access billing or claims
- ❌ Manage users or agency settings
- ❌ View patients not assigned to them (unless agency admin grants broader access)
Use Case:
- Primary clinician role
- Manages patient caseload
- Completes SOC visits and OASIS
- Coordinates care team
- Clinical documentation
💡 BEST PRACTICE: RN Case Managers are the backbone of home health. They should be assigned as Case Manager on patient records to have full access to their patients.
7. LPN / LVN
Who: Licensed Practical Nurse, Licensed Vocational Nurse
Access Level: LIMITED CLINICAL ACCESS
What They Can Do:
- ✅ View assigned patients
- ✅ Access My Schedules
- ✅ Document LVN visits (limited visit types)
- ✅ View care plans and physician orders
- ✅ View patient clinical data (read-only mostly)
What They CANNOT Do:
- ❌ Complete OASIS assessments
- ❌ Create care orders
- ❌ Initiate recertifications or discharges
- ❌ Create physician orders
- ❌ Schedule visits
- ❌ Perform QA reviews
- ❌ Access billing
Use Case:
- LPN/LVN field visits
- Follow care plan created by RN
- Document skilled nursing visits (limited scope)
- Report to supervising RN
💡 BEST PRACTICE: LPNs should be supervised by RNs. They can document visits but cannot complete OASIS or manage episodes.
⚠️ COMPLIANCE: LPN/LVN scope of practice varies by state. System permissions align with typical scope, but the agency should enforce state-specific rules.
8. Therapist
Who: Physical Therapist (PT), Occupational Therapist (OT), Speech Language Pathologist (SLP)
Access Level: THERAPY-SPECIFIC CLINICAL ACCESS
What They Can Do:
- ✅ View assigned patients
- ✅ Access My Schedules
- ✅ Document therapy visits (PT, OT, SLP visits)
- ✅ View care plans and physician orders
- ✅ View patient clinical data
- ✅ Complete OASIS assessments (if therapy is primary discipline)
- ✅ Create care orders (if designated as primary therapist)
What They CANNOT Do:
- ❌ Document nursing visits (SN, LVN)
- ❌ Document HHA visits
- ❌ Perform QA reviews
- ❌ Access billing
- ❌ Schedule visits (typically)
Use Case:
- Therapy visits and documentation
- Therapy-specific care planning
- OASIS completion when therapy is primary service
- Functional assessment
💡 BEST PRACTICE: Therapists should document their discipline's visits only. They can be case managers if therapy is the primary service.
9. Home Health Aide
Who: Home Health Aide, Certified Nursing Assistant (CNA)
Access Level: RESTRICTED TO HHA DUTIES
What They Can Do:
- ✅ View assigned patients (limited info)
- ✅ Access My Schedules
- ✅ Document HHA visits only
- ✅ View HHA Care Plan (their task list)
- ✅ Check in and check out of visits
What They CANNOT Do:
- ❌ View detailed patient clinical data
- ❌ Complete OASIS
- ❌ Document any other visit types
- ❌ Create or edit care orders
- ❌ Schedule visits
- ❌ View billing information
- ❌ Access QA reviews
Use Case:
- Personal care and ADL assistance
- Follow HHA Care Plan created by RN
- Document task completion
- Report changes to supervising RN
💡 BEST PRACTICE: HHAs have the most restricted access. They see only what they need to complete their visits and follow the care plan.
🔒 SECURITY: HHAs should not have access to sensitive patient information beyond what's needed for care tasks.
3.3 Permission Levels by Role - Quick Reference
Here's a comprehensive permission matrix showing what each role can do:
Permission Matrix
| Feature / Action | Agency Admin | Clinical Manager | Scheduler | Biller | Intake | RN Case Mgr | LPN/LVN | Therapist | HHA |
|---|---|---|---|---|---|---|---|---|---|
| USER MANAGEMENT | | | | | | | | | |
| Create/edit users | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Assign roles | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| View all users | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| PATIENT MANAGEMENT | | | | | | | | | |
| Create patients | ✅ | ✅ | ❌ | ❌ | ✅ | ✅* | ❌ | ❌ | ❌ |
| Edit patients | ✅ | ✅ | ❌ | ✅** | ✅ | ✅* | ❌ | ❌ | ❌ |
| View all patients | ✅ | ✅ | ✅ | ✅ | ✅ | ❌*** | ❌*** | ❌*** | ❌*** |
| CARE ORDERS | | | | | | | | | |
| Create care orders | ✅ | ✅ | ❌ | ❌ | ❌ | ✅* | ❌ | ✅* | ❌ |
| Initiate recert | ✅ | ✅ | ❌ | ❌ | ❌ | ✅* | ❌ | ✅* | ❌ |
| Initiate discharge | ✅ | ✅ | ❌ | ❌ | ❌ | ✅* | ❌ | ❌ | ❌ |
| SCHEDULING | | | | | | | | | |
| View schedule | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| Create/schedule visits | ✅ | ✅ | ✅ | ❌ | ❌ | ✅* | ❌ | ❌ | ❌ |
| Reschedule visits | ✅ | ✅ | ✅ | ❌ | ❌ | ✅* | ✅**** | ✅**** | ❌ |
| CLINICAL DOCUMENTATION | | | | | | | | | |
| Document SN visits | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Document LVN visits | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| Document PT/OT/SLP | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
| Document HHA visits | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ |
| Complete OASIS | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ✅***** | ❌ |
| QA REVIEW | | | | | | | | | |
| Perform QA reviews | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Approve documents | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Return for correction | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| BILLING & CLAIMS | | | | | | | | | |
| Generate claims | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Post payments | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Manage fee schedules | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| View claims | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| OASIS SUBMISSION | | | | | | | | | |
| Submit OASIS to CMS | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Export OASIS XML | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| REPORTS | | | | | | | | | |
| View all reports | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| SETUP & CONFIGURATION | | | | | | | | | |
| Manage payers | ✅ | ❌ | ❌ | ✅****** | ❌ | ❌ | ❌ | ❌ | ❌ |
| Manage pharmacies | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Manage physicians | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Agency settings | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Legend:
- * = Only for their assigned patients
- ** = Billing information only
- *** = Only assigned patients (determined by caseload)
- **** = Can reschedule own visits only
- ***** = Only when therapy is primary discipline
- ****** = View only for billing purposes
3.4 Custom Role Builder (Advanced Feature)
What is the Custom Role Builder?
The Custom Role Builder is an advanced feature available with certain subscription plans (Pro Tier, Test, Enterprise Tier) that allows you to create custom roles beyond the standard 9 roles.
Available in:
- Pro Tier subscription
- Test subscription
- Enterprise Tier subscription
- (Not available in Growth Tier)
Why Use Custom Roles?
Standard roles work for most agencies, but you may need custom roles if:
✅ You have unique staff positions not covered by standard roles
- Example: "QA Specialist" who only does QA (not a full Clinical Manager)
✅ You want to restrict access more than standard roles
- Example: "Billing Assistant" who can view claims but not post payments
✅ You want to grant specific combinations of permissions
- Example: "Scheduler + Intake" role that can do both functions
✅ You have specialized departments
- Example: "OASIS Coordinator" who only completes OASIS
How Custom Role Builder Works
Access: Settings → Roles & Permissions → Create Custom Role
Process:
Step 1: Name Your Role
- Enter role name (e.g., "QA Specialist", "OASIS Coordinator")
- Add description explaining the role's purpose
Step 2: Select Permissions
- Browse all available permissions (organized by module)
- Check the permissions you want to grant
- Uncheck permissions you want to deny
Step 3: Preview & Save
- Review selected permissions
- Test the role (optional)
- Save custom role
Step 4: Assign to Users
- Go to User Management
- Assign your custom role to staff members
Permission Categories
When building a custom role, permissions are organized into categories:
1. Patient Management
- VIEW_PATIENTS
- CREATE_PATIENT
- EDIT_PATIENT
- DELETE_PATIENT
- MANAGE_PATIENT_DEMOGRAPHICS
- MANAGE_PATIENT_CLINICAL_DATA
2. Care Order Management
- VIEW_CARE_ORDERS
- CREATE_CARE_ORDER
- EDIT_CARE_ORDER
- INITIATE_RECERTIFICATION
- INITIATE_DISCHARGE
- INITIATE_TRANSFER
- INITIATE_ROC
3. Scheduling
- VIEW_SCHEDULE
- CREATE_VISIT
- EDIT_VISIT
- CANCEL_VISIT
- RESCHEDULE_VISIT
- ASSIGN_CLINICIAN
4. Clinical Documentation
- DOCUMENT_SN_VISIT
- DOCUMENT_LVN_VISIT
- DOCUMENT_PT_VISIT
- DOCUMENT_OT_VISIT
- DOCUMENT_SLP_VISIT
- DOCUMENT_MSW_VISIT
- DOCUMENT_HHA_VISIT
- COMPLETE_OASIS
- CREATE_HHA_CARE_PLAN
5. QA Review
- VIEW_QA_QUEUE
- APPROVE_DOCUMENT
- RETURN_DOCUMENT
- REMOVE_DOCUMENT
- MARK_DOCUMENT_ACTIVE
6. Billing & Claims
- VIEW_CLAIMS
- GENERATE_CLAIM
- SUBMIT_CLAIM
- VOID_CLAIM
- POST_PAYMENT
- MANAGE_FEE_SCHEDULES
- MANAGE_DENIALS
7. OASIS Submission
- VIEW_OASIS_SUBMISSIONS
- EXPORT_OASIS_XML
- MARK_OASIS_SUBMITTED
- MARK_OASIS_ACCEPTED
8. Prior Authorization
- VIEW_PRIOR_AUTHORIZATIONS
- CREATE_PRIOR_AUTHORIZATION
- EDIT_PRIOR_AUTHORIZATION
- APPROVE_PRIOR_AUTHORIZATION
9. Reporting
- VIEW_REPORTS
- EXPORT_REPORTS
- CREATE_CUSTOM_REPORTS
10. Setup & Configuration
- MANAGE_USERS
- MANAGE_PAYERS
- MANAGE_PHYSICIANS
- MANAGE_PHARMACIES
- MANAGE_VISIT_TYPES
- MANAGE_BRANCHES
- MANAGE_AGENCY_SETTINGS
11. Branch Access
- MANAGE_BRANCHES
- VIEW_ALL_BRANCHES
- EDIT_BRANCH_ACCESS
...and many more!
Custom Role Examples
Here are some real-world custom role examples:
Example 1: QA Specialist
Purpose: Dedicated QA reviewer (not full Clinical Manager)
Permissions:
- ✅ VIEW_PATIENTS
- ✅ VIEW_CARE_ORDERS
- ✅ VIEW_QA_QUEUE
- ✅ APPROVE_DOCUMENT
- ✅ RETURN_DOCUMENT
- ✅ VIEW_CLINICAL_DOCUMENTS
- ❌ Everything else
Use Case: Staff member who only performs QA reviews, doesn't schedule or create care orders.
Example 2: OASIS Coordinator
Purpose: Specialized OASIS completion role
Permissions:
- ✅ VIEW_PATIENTS
- ✅ VIEW_CARE_ORDERS
- ✅ COMPLETE_OASIS (all types)
- ✅ VIEW_OASIS_SUBMISSIONS
- ✅ EXPORT_OASIS_XML
- ✅ VIEW_REPORTS (OASIS-related)
- ❌ Cannot schedule, bill, or perform QA
Use Case: RN dedicated to OASIS completion only, doesn't do field visits.
Example 3: Billing Assistant
Purpose: Junior billing role with limited access
Permissions:
- ✅ VIEW_CLAIMS
- ✅ VIEW_PATIENTS (billing info only)
- ✅ VIEW_CARE_ORDERS
- ❌ Cannot generate claims
- ❌ Cannot post payments
- ❌ Cannot manage fee schedules
Use Case: Assistant who tracks claims but doesn't generate or post payments.
Example 4: Scheduler + Intake
Purpose: Combined role for small agencies
Permissions:
- ✅ CREATE_PATIENT (full intake)
- ✅ EDIT_PATIENT
- ✅ VIEW_SCHEDULE
- ✅ CREATE_VISIT
- ✅ ASSIGN_CLINICIAN
- ✅ RESCHEDULE_VISIT
- ❌ Cannot document visits or perform QA
Use Case: Office staff who handles both intake and scheduling.
Custom Role Best Practices
💡 Best Practices:
Start with Standard Roles:
- Use standard roles for 90% of staff
- Only create custom roles when necessary
- Don't over-complicate your role structure
Follow Principle of Least Privilege:
- Grant only the permissions needed for the job
- Don't give "just in case" permissions
- Review and remove unused permissions
Name Roles Clearly:
- Use descriptive names: "QA Specialist" not "Role 1"
- Include department if helpful: "Billing Assistant", "Clinical QA"
- Make it obvious what the role does
Document Your Custom Roles:
- Keep a document explaining each custom role
- List what permissions are included
- Explain when to assign each role
Review Regularly:
- Audit custom roles quarterly
- Remove unused custom roles
- Update permissions as needs change
Test Before Assigning:
- Create a test user with the custom role
- Verify they can access what they need
- Verify they CANNOT access what they shouldn't
Custom Role Limitations
⚠️ Important Limitations:
Cannot Override System Rules:
- Custom roles respect system business rules
- Example: Can't approve own documents even with APPROVE_DOCUMENT permission
- Example: Can't schedule visits outside cert period
Cannot Grant Platform-Level Access:
- Custom roles are agency-level only
- Cannot create "super admin" type roles
- Cannot grant cross-agency access
Subscription Required:
- Custom Role Builder requires Pro, Test, or Enterprise plan
- Growth Tier subscribers use standard roles only
Maximum Custom Roles:
- Most plans allow up to 10-20 custom roles
- Check your subscription plan for exact limit
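The two points above, "Test Before Assigning" and "Cannot Override System Rules", can be modeled in a few lines. This is an added illustration, not the product's own code: the `Action` shape and the `decide` and `verify_role` helpers are hypothetical, while the role names and permission names are the ones listed in this chapter.

```python
from dataclasses import dataclass
from typing import Optional

# Permission sets copied from this chapter's custom role examples.
ROLES = {
    "QA Specialist": frozenset({
        "VIEW_PATIENTS", "VIEW_CARE_ORDERS", "VIEW_QA_QUEUE",
        "APPROVE_DOCUMENT", "RETURN_DOCUMENT", "VIEW_CLINICAL_DOCUMENTS",
    }),
    "Billing Assistant": frozenset({
        "VIEW_CLAIMS", "VIEW_PATIENTS", "VIEW_CARE_ORDERS",
    }),
}


@dataclass(frozen=True)
class Action:
    """One attempted action (hypothetical shape, for illustration only)."""
    user: str
    role: str
    permission: str
    document_author: Optional[str] = None  # set for document actions


def decide(action):
    """Return (allowed, reason). Deny by default; system rules beat grants."""
    granted = ROLES.get(action.role)
    if granted is None:
        return False, "unknown role"
    if action.permission not in granted:
        return False, "permission not granted to role"
    # System rule from this chapter: nobody approves their own document,
    # even when their role holds APPROVE_DOCUMENT.
    if (action.permission == "APPROVE_DOCUMENT"
            and action.document_author == action.user):
        return False, "system rule: cannot approve own document"
    return True, "granted"


def verify_role(role, must_allow, must_deny, user="test.user"):
    """'Test Before Assigning': return every expectation that failed."""
    failures = []
    for perm in must_allow:
        if not decide(Action(user, role, perm))[0]:
            failures.append(f"{role} should be allowed {perm}")
    for perm in must_deny:
        if decide(Action(user, role, perm))[0]:
            failures.append(f"{role} should be denied {perm}")
    return failures
```

The `must_deny` list is the half of the test that is most often skipped: an empty result from `verify_role` means the role can do what it needs and cannot do what it shouldn't.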
3.5 Role Assignment Best Practices
How to Assign Roles to Staff
When creating a new user:
Step 1: Identify their primary job function
- What will they do most often?
- What's their job title?
Step 2: Choose the matching standard role
- Start with standard roles
- 90% of staff fit into standard roles
Step 3: Consider custom roles only if needed
- Does a standard role not fit?
- Do they need unusual permission combinations?
Step 4: Assign the role in User Management
- Settings → User Management → Add User
- Select role from dropdown
- Save user
Multiple Roles (Advanced)
Can a user have multiple roles?
The system typically assigns one primary role per user. However, there are scenarios where multiple role assignments make sense:
Scenario 1: Dual Function Staff
- RN who also does scheduling: "RN Case Manager" + custom scheduling permissions
- Clinical Manager who also does QA: "Clinical Manager" role (already includes QA)
Scenario 2: Coverage Roles
- Backup billing person: Primary role + limited billing permissions
- Cross-trained staff: Multiple role capabilities
ℹ️ NOTE: Check with your system administrator or support to confirm if your subscription supports multiple role assignments per user.
Role Assignment by Agency Size
Small Agencies (1-10 staff):
- Fewer, broader roles
- Staff wear multiple hats
- Consider combined custom roles
- Example: "Scheduler + Intake Coordinator"
Medium Agencies (11-50 staff):
- Standard roles work well
- Some custom roles for specialists
- Example: Dedicated QA person = "QA Specialist" custom role
Large Agencies (51+ staff):
- Standard roles for most staff
- Custom roles for specialists
- Department-specific roles
- Example: "OASIS Coordinator", "PA Specialist", "QA Specialist"
Security Best Practices
🔒 Security Guidelines:
1. Least Privilege Principle
- Give users only what they need to do their job
- Don't give "everything" access just to avoid having to adjust restrictions later
- Review permissions during performance reviews
2. Regular Access Reviews
- Quarterly: Review who has what access
- Check for terminated employees (deactivate immediately)
- Remove unnecessary permissions
3. Separation of Duties
- Billing and QA should be different people
- Don't let clinicians approve their own documents
- Agency Admins should be separate from daily operations (when possible)
4. Audit Trail
- System logs all user actions
- Review audit logs for suspicious activity
- Track who approved what, who billed what
5. Offboarding Process
- Immediate: Deactivate user account when employee leaves
- Don't delete - preserve audit trail
- Transfer patient assignments to other staff
Common Role Assignment Mistakes
❌ Mistakes to Avoid:
Mistake 1: Everyone is an Agency Administrator
- Problem: Too many people with full access
- Fix: Only 1-3 Agency Admins, everyone else gets appropriate role
Mistake 2: Using wrong role for job function
- Problem: RN assigned "Therapist" role can't document SN visits
- Fix: Match role to actual job duties
Mistake 3: Not updating roles when duties change
- Problem: Former biller still has billing access after moving to clinical
- Fix: Update role when job function changes
Mistake 4: Creating too many custom roles
- Problem: 20 custom roles, nobody knows what they mean
- Fix: Use standard roles, create custom only when necessary
Mistake 5: Forgetting to deactivate terminated employees
- Problem: Ex-employee still has system access
- Fix: Immediate deactivation on last day of work
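The quarterly access review described in the Security Guidelines and the mistakes listed above can be run as a script over a user export. This is an added example, not part of the product: the `Account` fields, the export format, and the sample data are assumptions constructed for illustration, and only the role names, permission names, and the 1-3 administrator limit come from this chapter.

```python
from dataclasses import dataclass

# Permission names come from this chapter's "Permission Categories" list.
BILLING = {"GENERATE_CLAIM", "SUBMIT_CLAIM", "VOID_CLAIM", "POST_PAYMENT"}
QA = {"APPROVE_DOCUMENT", "RETURN_DOCUMENT"}
MAX_AGENCY_ADMINS = 3  # chapter guidance: limit Agency Administrator to 1-3


@dataclass(frozen=True)
class Account:
    """One row of a hypothetical user export (field names are assumptions)."""
    username: str
    roles: tuple
    account_active: bool
    employed: bool


def review(accounts, role_permissions, custom_roles):
    """Return sorted (check, subject) findings for a periodic access review."""
    findings = []
    active = [a for a in accounts if a.account_active]

    # Offboarding: an account must not stay active after the employee leaves.
    for a in active:
        if not a.employed:
            findings.append(("TERMINATED_STILL_ACTIVE", a.username))

    # Too many people holding full agency access.
    admins = [a.username for a in active if "Agency Administrator" in a.roles]
    if len(admins) > MAX_AGENCY_ADMINS:
        findings.append(("TOO_MANY_ADMINS", ",".join(sorted(admins))))

    # Separation of duties: billing and QA should be different people.
    # Agency Administrator holds both by design; the cap above covers it.
    for a in active:
        if "Agency Administrator" in a.roles:
            continue
        perms = set()
        for role in a.roles:
            perms |= role_permissions.get(role, set())
        if perms & BILLING and perms & QA:
            findings.append(("BILLING_AND_QA_SAME_PERSON", a.username))

    # Custom roles that no active account uses should be removed.
    in_use = {r for a in active for r in a.roles}
    for role in custom_roles:
        if role not in in_use:
            findings.append(("UNUSED_CUSTOM_ROLE", role))
    return sorted(findings)


# Constructed sample data, not taken from any real agency.
ROLE_PERMISSIONS = {
    "Biller": {"VIEW_CLAIMS", "GENERATE_CLAIM", "POST_PAYMENT"},
    "QA Specialist": {"VIEW_QA_QUEUE", "APPROVE_DOCUMENT", "RETURN_DOCUMENT"},
    "Billing Assistant": {"VIEW_CLAIMS"},
    "Scheduler": {"VIEW_SCHEDULE", "CREATE_VISIT"},
}
CUSTOM_ROLES = ["QA Specialist", "Billing Assistant"]
SAMPLE = [
    Account("a.admin", ("Agency Administrator",), True, True),
    Account("b.admin", ("Agency Administrator",), True, True),
    Account("c.admin", ("Agency Administrator",), True, True),
    Account("d.admin", ("Agency Administrator",), True, True),
    Account("e.biller", ("Biller", "QA Specialist"), True, True),
    Account("f.sched", ("Scheduler",), True, False),   # left, still active
    Account("g.former", ("Biller",), False, False),    # properly deactivated
]
```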
3.6 Switching Between Roles (If Applicable)
Can Users Switch Roles?
Typically: NO
Users are assigned one role (or multiple if supported) and cannot switch between them on their own. Role assignment is controlled by Agency Administrators only.
Exception: Multi-Agency Users
- Platform-level users (Super Admin, Sales, Support)
- May have different roles in different agencies
- Role applies based on current agency context
Why this restriction?
- Security: Prevents privilege escalation
- Audit trail: Clear accountability for actions
- Compliance: Ensures appropriate access control
Role Changes During Employment
If a staff member's job function changes:
Process:
- Agency Administrator accesses User Management
- Edits the user's account
- Changes the assigned role
- Saves the change
- User's permissions update immediately (may need to log out/in)
Example:
- Sarah was "Intake Coordinator"
- She's promoted to "Clinical Manager"
- Admin changes her role to "Clinical Manager"
- Sarah now has Clinical Manager permissions
