Which principle primarily governs keeping patient records accessible only to authorized personnel?

Access controls govern keeping patient records accessible only to authorized personnel by enforcing authentication, authorization, and the principle of least privilege. In practice, this means verifying who a person is, determining what they are allowed to access based on their role, and restricting actions to what is necessary for their duties. This direct control over who can view or modify records is the key defense against inadvertent or malicious exposure of patient information. Data encryption helps protect data if it’s accessed by someone who shouldn’t read it, but it doesn’t determine who is allowed to access the data in the first place. Audit trails are important for accountability, recording who accessed what and when, but they don’t prevent unauthorized access on their own. Retention timelines deal with how long records are kept and when they’re disposed of, not with controlling access.