PII & PHI Access Controls
Qarion provides fine-grained controls for managing access to Personally Identifiable Information (PII) and Protected Health Information (PHI) on a per-product, per-role basis.
Overview
By default, users who have access to a data product see masked values for columns flagged as PII or PHI. To view unmasked data, users must be granted explicit PII/PHI access through a product's role configuration.
This ensures compliance with data privacy regulations by making sensitive data access opt-in rather than opt-out.
How PII/PHI Access Works
At the Product Level
Each data product can be configured with applicable roles — these are the access roles available when users request access to the product. Each role can independently grant:
- PII Access — View unmasked personally identifiable information
- PHI Access — View unmasked protected health information
For example, a product might have:
| Role | Grants PII | Grants PHI |
|---|---|---|
| Viewer | ❌ | ❌ |
| Analyst | ✅ | ❌ |
| Data Steward | ✅ | ✅ |
At the Column Level
Individual columns are tagged with sensitivity classifications:
- is_pii — Boolean flag indicating the column contains personally identifiable information
- is_phi — Boolean flag indicating the column contains protected health information
- Sensitivity — String classification that can also trigger masking:
public,internal,confidential,pii,phi,financial
A column is considered sensitive if any of the following is true:
is_piiis set totrueis_phiis set totruesensitivityis set to"pii"or"phi"
These tags are set by data stewards or inherited from metadata scraping. The system evaluates both boolean flags and the sensitivity string when deciding whether to mask a column.
Query Editor Behavior
When a user runs queries in the SQL Query Editor:
- The system checks whether the user's current role on the queried product grants PII/PHI access
- Columns flagged as PII or PHI are masked (
***MASKED***) if the user's role does not grant access - Masking applies to both the result grid and exported data (CSV/JSON)
Data Profiling Behavior
Columns flagged as PII are automatically excluded from data profiling to prevent sensitive values from being stored in profile statistics.
Managing PII/PHI Access
Configuring Product Roles
Space administrators configure PII/PHI access flags on product roles:
- Open the product in the catalog
- Navigate to the Access tab
- Under Applicable Roles, toggle PII and/or PHI access for each role
Requesting Access
Users request access through the standard access request workflow. The request specifies which role they need, and the approval workflow includes visibility into whether the role grants PII/PHI access.
Auditing Access
All PII/PHI access grants are visible in:
- The product's role configuration panel
- Access request history
- Audit logs (if comprehensive audit trail is enabled)
Best Practices
- Principle of least privilege — Default roles should not grant PII/PHI access
- Regular recertification — Include PII/PHI roles in your recertification campaigns
- Column tagging — Ensure all sensitive columns are properly flagged during onboarding
- Separation of PII and PHI — Grant each independently based on the user's actual need
Related Documentation
- SQL Query Editor — How masking applies in queries
- Data Profiling — PII-safe profiling behavior
- Requesting Access — How users request product access
- Permissions — Space-level permission management