A single patient record is a shared record model that allows information to follow the patient across services and organisations. It improves continuity, but it also makes access governance, attribution, and boundary control more important because the same data can be touched by more roles in more places.
Expanded Definition
A single patient record is a shared longitudinal record model that lets clinical and operational data follow one person across hospitals, clinics, labs, and referral pathways. It is usually discussed as a care-continuity pattern rather than a purely technical database design, and usage in the industry is still evolving because different health systems implement it through shared care records, master patient indexes, or federated record views.
The model is most effective when identifiers are matched carefully, provenance is preserved, and access is segmented by role, purpose, and location. That makes it closely related to modern identity governance ideas in NIST Cybersecurity Framework 2.0, especially access control, data governance, and incident resilience. In NHI-heavy environments, the operational challenge is not only whether a clinician can see the record, but whether the right identity, service, or integration is allowed to touch the right slice of data at the right time.
The most common misapplication is treating a single patient record as a simple shared folder, which occurs when organisations merge data without enforcing provenance, consent, and boundary controls.
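The segmentation by role, purpose, and location described above can be expressed as a deny-by-default decision that returns only the permitted slice of the record and an attributable audit entry. This is an added example, not code from NHI Mgmt Group; the role, purpose, field, and site names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: (role, purpose) -> permitted fields per action and allowed sites.
# All role, purpose, field and site names are illustrative assumptions.
POLICY = {
    ("triage_clinician", "direct_care"): {
        "read": {"allergies", "medications", "prior_admissions"},
        "write": set(),
        "sites": {"ed-north", "ed-south"},
    },
    ("svc_appointment_sync", "scheduling"): {
        "read": {"appointments"},
        "write": {"appointments", "symptoms"},
        "sites": {"integration-hub"},
    },
}

@dataclass(frozen=True)
class Request:
    identity: str      # human user or non-human identity (service account, API client)
    role: str
    purpose: str
    site: str
    action: str        # "read" or "write"
    fields: frozenset

def decide(req, now=None):
    """Deny by default; return the decision plus an audit record for attribution."""
    now = now or datetime.now(timezone.utc)
    rule = POLICY.get((req.role, req.purpose))
    if rule is None:
        allowed, denied, reason = set(), set(req.fields), "no rule for role/purpose"
    elif req.site not in rule["sites"]:
        allowed, denied, reason = set(), set(req.fields), "site not permitted"
    else:
        permitted = rule.get(req.action, set())
        allowed = set(req.fields) & permitted
        denied = set(req.fields) - permitted
        reason = "ok" if not denied else "fields outside permitted slice"
    return {
        "time": now.isoformat(), "identity": req.identity, "role": req.role,
        "purpose": req.purpose, "site": req.site, "action": req.action,
        "allowed": sorted(allowed), "denied": sorted(denied), "reason": reason,
    }
```

Logging the denied fields alongside the allowed ones keeps over-broad requests from integrations visible in the audit trail instead of silently trimmed.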
Examples and Use Cases
Implementing a single patient record rigorously often introduces coordination overhead, requiring organisations to balance continuity of care against tighter governance, more complex access rules, and stronger reconciliation processes.
- A patient attends an emergency department in one region, and the triage team can see allergies, medications, and prior admissions from other participating organisations through a shared record view.
- A cancer care pathway uses one longitudinal record so that imaging, pathology, and treatment notes remain linked, reducing duplication and improving handoffs across specialist teams.
- A digital front door app writes appointment and symptom data into a shared care record, but only after the identity service confirms which role is reading or updating each field.
- A federated health network uses the model to avoid fragmenting care, while still keeping local systems responsible for source-of-truth ownership and audit trails.
- Governance teams consult the Ultimate Guide to NHIs when the record is accessed through integration services, because non-human identities often become the practical control point for routing, synchronisation, and logging.
For implementation consistency, many programmes align the record-sharing design with NIST Cybersecurity Framework 2.0 so that access, logging, and recovery are defined as operational controls rather than informal workflow decisions.
Why It Matters in NHI Security
Single patient record architectures expand the number of systems, services, and identities that can interact with sensitive health data, which means the real risk often shifts from storage to access governance. In practice, that makes API keys, service accounts, workflow engines, and synchronisation jobs part of the security boundary. NHI Management Group data shows that only 5.7% of organisations have full visibility into their service accounts, which matters because hidden non-human identities can silently widen access to patient records.
This is why the Ultimate Guide to NHIs is relevant here: a single patient record is only as secure as the identities that can query, update, or replicate it. When those identities are overprivileged, poorly rotated, or left active after a workflow changes, the record becomes easier to misuse even if the clinical intent is legitimate. The governance problem is also aligned with NIST Cybersecurity Framework 2.0, because resilience depends on knowing who or what can access the record, detecting misuse, and recovering quickly.
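The three failure modes named above (overprivileged, poorly rotated, left active after a workflow changes) can be checked mechanically against an inventory of non-human identities. This is an added example, not code from NHI Mgmt Group; the inventory entries, scope names, and the 90-day rotation threshold are constructed assumptions.

```python
from datetime import date

MAX_SECRET_AGE_DAYS = 90  # assumed rotation policy, not a figure from the page

# Constructed inventory of non-human identities that can touch the shared record.
# "granted" = scopes assigned; "used" = scopes observed in access logs.
INVENTORY = [
    {"id": "svc-lab-sync", "granted": {"labs:read", "labs:write"},
     "used": {"labs:read", "labs:write"},
     "rotated": date(2026, 5, 1), "workflow_active": True},
    {"id": "svc-referral-router",
     "granted": {"record:read", "record:write", "referrals:write"},
     "used": {"referrals:write"},
     "rotated": date(2026, 4, 20), "workflow_active": True},
    {"id": "key-legacy-export", "granted": {"record:read"},
     "used": set(),
     "rotated": date(2025, 1, 10), "workflow_active": False},
]

def audit(inventory, today):
    """Return {identity id: [issues]} for identities that need attention."""
    findings = {}
    for nhi in inventory:
        issues = []
        # Overprivileged: scopes granted but never exercised.
        unused = nhi["granted"] - nhi["used"]
        if unused:
            issues.append("overprivileged: unused " + ",".join(sorted(unused)))
        # Poorly rotated: secret older than the rotation policy allows.
        age = (today - nhi["rotated"]).days
        if age > MAX_SECRET_AGE_DAYS:
            issues.append(f"stale secret: {age} days since rotation")
        # Left active: the workflow it served is gone but the identity is not.
        if not nhi["workflow_active"]:
            issues.append("orphaned: workflow retired but identity still active")
        if issues:
            findings[nhi["id"]] = issues
    return findings
```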
Organisations typically encounter the full impact only after a misrouted update, unauthorized lookup, or data-sharing incident exposes that the record boundary was weaker than the care pathway assumed, at which point securing the single patient record becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret and service-account exposure that often underpins shared record integrations. |
| NIST CSF 2.0 | PR.AC-4 | Addresses permission management for systems that read or update shared health records. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification before any identity accesses a shared record. |
Inventory non-human identities that touch patient records and tighten secret handling, rotation, and revocation.
Reviewed and updated by the NHIMG editorial team on June 6, 2026.