Access controls | Accountable Docs

Access controls

Who has access to what, and what changed since you last looked.

Access Controls answers two questions any auditor will ask: who has access to PHI right now, and what's changed since you last looked?

What it tracks

When connected to your identity provider (Google Workspace or Microsoft 365), Access Controls inventories every user, every app they have access to, and their role in each. It watches for changes — new access granted, off-boarded employees still in apps, dormant accounts.

Open Access Controls under People & Training in the left sidebar.

The off-boarding gap

The single most common audit finding

Departed employees who still have access to systems with PHI are the most cited access-control finding in OCR breach reports. It happens because off-boarding usually involves deactivating the email account but not the half-dozen SaaS apps tied to it.

Access Controls catches this. When an employee is removed from your IdP, you can see which PHI-touching apps they still appear to have access to.
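The comparison described above, sketched as an added example (not Accountable's own code): it diffs the IdP's active users against per-app account lists and flags orphaned and dormant accounts. The sample data, field names and the 90-day dormancy threshold are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data; addresses, app names and roles are hypothetical.
IDP_ACTIVE = {"ana@clinic.example", "raj@clinic.example"}
APPS = {
    "ehr": {"phi": True, "accounts": [
        ("Ana@clinic.example", "clinician", date(2026, 4, 20)),
        ("tom@clinic.example", "admin", date(2026, 1, 5)),   # removed from IdP
    ]},
    "billing": {"phi": True, "accounts": [
        ("raj@clinic.example", "viewer", None),              # never logged in
        ("tom@clinic.example", "viewer", date(2025, 12, 1)),
    ]},
    "newsletter": {"phi": False, "accounts": [
        ("tom@clinic.example", "editor", date(2026, 2, 1)),
    ]},
}

def find_access_gaps(idp_active, apps, today, dormant_days=90):
    """Flag app accounts with no active IdP user (orphaned) or no login
    within dormant_days (dormant). The threshold is an assumed default."""
    active = {e.strip().lower() for e in idp_active}
    findings = []
    for app, info in apps.items():
        for email, role, last_login in info["accounts"]:
            user = email.strip().lower()  # IdP and app exports often differ in case
            if user not in active:
                kind = "orphaned"
            elif last_login is None or (today - last_login).days > dormant_days:
                kind = "dormant"
            else:
                continue
            findings.append({"app": app, "user": user, "role": role,
                             "kind": kind, "phi": info["phi"]})
    # Review order: PHI apps first, orphaned before dormant, admins before others.
    findings.sort(key=lambda f: (not f["phi"], f["kind"] != "orphaned",
                                 f["role"] != "admin", f["app"], f["user"]))
    return findings

if __name__ == "__main__":
    for finding in find_access_gaps(IDP_ACTIVE, APPS, today=date(2026, 4, 29)):
        print(finding)
```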

Access reviews

HIPAA expects periodic review of who has access to what. Compliance Copilot can walk you through your access review: "Walk me through this quarter's access review and tell me which decisions look risky." It will pre-flag rows that don't match your patterns (e.g., a marketer with billing-system access, or a contractor with admin rights).

You can also revoke vendor access through Copilot when you identify access that should be removed.

Last updated April 29, 2026