Author: Tyler Zey
In healthcare data, the difference between a broad “Editor” role and a feature-specific permission can make—or break—your HIPAA compliance.
Today, we’re thrilled to introduce Fine-Grained User Permissions in Ours Privacy, giving you the power to assign per-action access across your entire CDP.
Editors, analysts, marketers, and compliance officers all need different slices of your data platform—whether it’s your CDP, CMP, reporting dashboards, marketing videos, or embedded maps.
Yet, most tools on the market today force everyone into broad, pre-packaged roles that either over-permit or under-power. With Ours Privacy’s new Fine-Grained User Permissions, you define exactly who can view, edit, or delete each feature—ensuring HIPAA’s minimum necessary standard is met at every click.
Why Granular Permissions Matter
In a healthcare organization, it’s common to see:
Marketing Editors embedding maps on your public site
Data Analysts querying patient behavior in the CDP
Compliance Teams reviewing audit logs and PHI exports
Privacy Managers adjusting CMP settings for opt-in banners
Frontend Engineers configuring recent events
Each role requires distinct privileges—and none should have blanket “Admin” powers. Fine-grained permissions should let you grant “List maps” to marketing without allowing them to see PHI. Or allow data engineers to work with sources and destinations without viewing PHI.
HIPAA’s Minimum Necessary & Access Control Standards
The truth is — HIPAA doesn’t accept “one-size-fits-all” roles.
Two key rules drive our approach:
Minimum Necessary (45 CFR § 164.502(b))
“A covered entity must make reasonable efforts to limit [PHI] to the minimum necessary to accomplish the intended purpose of the use…”
Technical Access Controls (45 CFR § 164.312(a)(1))
“Implement technical policies and procedures … to allow access only to those persons … granted access rights.”
By mapping each system action—like map:embed:view, consent:banner:update, report:export—you prove compliance and reduce risk.
Tailored Access Across Your Toolset
Ours Privacy’s marketing tools all live under one roof—so you need one unified permissions engine.
Real-World Use Cases
Billing Department
Privacy Manager
Data Engineer
Front-End Developer
Each role can be built from reusable policies—and you can still tweak individual permissions at the user level when exceptions arise.
Getting Started
Go to Admin → Policies in your Ours Privacy dashboard.
Click Create Policy, select the feature categories (CDP, CMP, Video, Map, Reports), then pick actions (view, create, delete).
Assign tags like PHI or Non-PHI for audit clarity.
Under Admin → User Permissions, bind those policies to roles like Editor, Analyst, Marketer—or directly to individuals.
Publish your changes and watch enforcement happen in real time.
For full step-by-step instructions, see our Overview documentation.
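
The policy model described in the steps above, as an added example that is not Ours Privacy's code or policy format: a deny-by-default check over per-action grants, plus an audit of who can reach PHI through a role, a direct policy or an inline permission. The policy names, roles, users, the `cdp:events:view` action and the action-level PHI set are assumptions made for illustration.

```python
# Constructed data: only map:embed:view, consent:banner:update and report:export
# come from the article; every other name here is an illustrative assumption.
PHI_ACTIONS = {"report:export", "cdp:events:view"}

POLICIES = {
    "marketing-maps": {"tag": "Non-PHI", "allow": {"map:embed:view"}},
    "privacy-cmp": {"tag": "Non-PHI", "allow": {"consent:banner:update"}},
    "compliance": {"tag": "PHI", "allow": {"report:export"}},
    # Tagged Non-PHI but grants a PHI action: the audit below should catch it.
    "frontend": {"tag": "Non-PHI", "allow": {"map:embed:view", "cdp:events:view"}},
}
ROLES = {"Marketer": ["marketing-maps"], "Analyst": ["compliance"]}
USERS = {
    "ana": {"roles": ["Marketer"], "policies": [], "inline": set()},
    "raj": {"roles": [], "policies": ["privacy-cmp"], "inline": {"report:export"}},
    "kim": {"roles": ["Analyst"], "policies": ["frontend"], "inline": set()},
}


def effective_actions(user):
    """Union of actions from role-bound policies, direct policies and inline grants."""
    u = USERS[user]
    names = [p for r in u["roles"] for p in ROLES[r]] + u["policies"]
    actions = set(u["inline"])
    for name in names:
        actions |= POLICIES[name]["allow"]
    return actions


def is_allowed(user, action):
    """Deny by default: unknown users and ungranted actions are refused."""
    return user in USERS and action in effective_actions(user)


def phi_access_report():
    """Map each user to the PHI-touching actions they hold, by any path."""
    report = {u: sorted(effective_actions(u) & PHI_ACTIONS) for u in USERS}
    return {u: acts for u, acts in report.items() if acts}


def mislabelled_policies():
    """Policies tagged Non-PHI that nevertheless grant a PHI action."""
    return sorted(n for n, p in POLICIES.items()
                  if p["tag"] != "PHI" and p["allow"] & PHI_ACTIONS)
```

The report surfaces the inline exception on `raj` and the PHI action hidden inside a Non-PHI policy on `kim`, the two paths a role-level review would miss.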
Our Commitment to Compliance & Security
HIPAA compliance—and beyond—starts long before data leaves your system. It begins with properly defined, minimal roles that align with job functions. At Ours Privacy, we don’t just promise HIPAA-compliant marketing tools—we build secure foundations.
Our fine-grained user permissions empower you to enforce the least-privilege access model across every tool and every user. That’s how you keep PHI safe and sleep better at night.
Example Policy and User Permissions Configuration
A Custom Billing Policy with only a few permissions allowed

See an overview of which policies and users have permissions that grant them access to PHI

Assign policies and inline permissions to users
