The deal dies in the security review
Purpose-based access control makes minimum-necessary enforceable at query time

Introduction
Picture the buyer's side of your own enterprise sale. A hospital system's security office, a Tuesday, a stack of vendor assessments. Your product demo went beautifully three weeks ago; the clinicians are already asking when. In front of the reviewer is your questionnaire, and she is on question 41: "Describe how the system enforces minimum-necessary access to PHI, and how an access's purpose is recorded and reviewed."
Your answer says the system has role-based access control and audit logs. She has read that sentence from forty vendors. What she is actually asking is: when a nurse opened that record at 3am, can you tell me why, and would your system have stopped her if there was no why? If the honest answer is "anyone with the clinician role can open any record, and the log shows who but never why," the deal does not die in that meeting. It dies quietly, two committees later, as "we went with the other vendor."
In healthcare, access control is not a security feature. It is a sales document.
Roles say who. They never say why.
The gap has a precise shape. Role-based access answers one question: is this user the kind of person who may see this kind of data? It cannot answer the question HIPAA's minimum-necessary standard actually poses: is this access, right now, for a permitted purpose? A billing specialist legitimately needs diagnosis codes for claims, and has no business browsing psychotherapy notes; both live behind the same role. The clinician role that must open any chart in an emergency also, on paper, permits idle curiosity about a neighbor. Roles are the right first wall and a hopeless last one, because purpose is not a property of the user. It is a property of the moment.
Most systems paper over this with after-the-fact audit logs, which record everything and enforce nothing, an arrangement that discovers the breach in the quarterly review, several months and one notification letter too late.
Purpose as a first-class field
The method is purpose-based access control, and the shift is small to describe and structural to build: every request for patient data carries a declared purpose, and policy is evaluated against the purpose, not just the role.
Concretely: the application attaches context the system already knows, this user, this patient, treatment relationship or not, this workflow, billing screen versus chart review, and a purpose code drawn from a fixed vocabulary: treatment, payment, operations, and their narrower children. A policy engine evaluates the tuple at query time. Billing purposes reach billingrelevant fields, not the full chart. No treatment relationship means no routine access. For the genuine emergency there is break-glass: access granted immediately, loudly labeled, with a mandatory after-review, so the 3am save-a-life path stays open and the 3am curiosity path acquires a witness. And because purpose now enters the log alongside identity, the audit trail finally answers the reviewer's real question, who, what, and for what, and anomaly detection gets a signal worth watching: not "she accessed forty records," which describes every ward clerk, but "she accessed forty records outside any treatment relationship."
We built this layer into a clinical data platform whose enterprise pipeline kept stalling at security review; question 41 went from the longest answer in the document to the shortest, and the platform's own compliance team gained something they had never had: the ability to run minimum-necessary as a query, not as a training slide. (The training slides remained, as training slides do.)
A log that records who but not why is a list of suspects, not a control.
The counterargument is legitimate and clinical: physicians revolt against access friction, and any purpose system that adds clicks to treatment workflows will be defeated by its own users within a week. The design answer is that purpose should be inferred from context wherever the context is unambiguous, prompted only at the boundaries, and never allowed to slow the emergency path; break-glass exists precisely so the control never has to choose between safety and the patient.
TensorLabs builds healthcare data systems with this layer in from the start, because we have watched where the deals actually die. It is rarely the demo. It is question 41.
You might also like
Keep reading from the journal.
July 13, 2026Data
Your best week ever was a duplicate event
Event contracts put your tracking plan in CI, where bugs die cheap
July 13, 2026AI
Build a Bulk Product-Image Generation Service with Google Nano Banana 2 Lit
On June 30, 2026, Google released Nano Banana 2 Lite, an image generation model that produces a finished image in about 4 seconds and costs $0.034 per 1,000 images.
July 8, 2026Data
Add a Zero-API-Key LLM Review Gate to GitHub Actions with VibeThinker-3B
On June 17, 2026, nine researchers at Sina Weibo released VibeThinker-3B: a 3.1-billion-parameter reasoning model, MIT-licensed, post-trained on Alibaba's Qwen2.5-Coder-3B.