Blogs Home
Tuesday, September 28, 2010 11:03 AM

Restricting output by facility, confidential access, and location (Client/Server or MAGIC)

Written by Joe Cocuzzo, Senior VP of Report Writing Services - iatricSystems

Beginning NPR report writers often expect that an NPR report will automatically pay attention to facility, confidential access, and location restrictions. In fact, an NPR report respects none of these user-based restrictions, and will list patients from all facilities, any location, and include confidential patients, regardless of what is set up for the user.

The bad way to deal with this is to create different versions of a report for each facility, for particular locations, or including or excluding confidential patients. This would move security from the user dictionary to menu based control. Also, if you have a “restricted by location” user working on different locations, giving them a report with a hardcoded location selection is not sufficiently flexible.

Let’s look at ways that you can write a generic NPR report and include user dictionary based filtering to handle confidential patients, facility access, and restrictions by location.


When a user runs an NPR report in an application, before the report is executed, the standard “sign on” program for that application opens the database and dictionaries. Often, this will include a prompt to select a facility. After that prompt is answered (or if you have access to just one facility), the selected (or only) facility is stored in a slash variable @.facility.

Rather than create a version of your report for each facility, just add this selection:



If you want to print a confidential message in place of the patient’s name, create a computed field as follows (and do not use the ck.confidential selection).

Confidential Message

Here an entire location is confidential, so the parameter based string prints in place of the name:

Location Confidential

Restriction by Location

MEDITECH allows you to designate a user “restricted by location.” This means that the user can only select patients for locations associated with a particular device (PC). This allows a user to move throughout the hospital, and only access patients for the location they are “on.”

Here I have restricted a user by location in MIS.USER, and I have associated the user’s device “IATRICVM.1” to the location “CCPM”.

Restriction by Location

Terminal: Printer

When you device to a location to the list of Terminals, this creates an entry in the @MIS.LOCN.DICT.terminal.x as follows:


To check location access, and exclude patients if (A) the user is restricted by location and (B) the current device is not associated with the location of the patient, add a computed select to your report as follows:

Check location access

MAGIC example:

MAGIC example

Client Server (C/S) example:

Client/Server (C/S) example

Then, using the same approach as in the MAGIC version, you can write the computed field as follows:

Computed field

Now the restricted user only gets the location(s) where he is working:

Restricted user location

If your report prompts for location, you might want to add some error checking to the location selection instead:

Here we add an FCL to a location selection prompt with the EDIT ELEMENTS option:


For the C/S version, because of the problem with using the @.machine field in a FCL (as in a computed field) we move the checking program to a macro:


The code in the C/S macro:

C/S Macro

For Location

Restricted by Location – LOOKUP (MAGIC only)

This tip is MAGIC only because the default behavior of patient lookups in C/S apparently respects the location restriction.

Finally, you might be more concerned about adding a location restriction to a report that allows a user to identify a particular patient than you would be about a report that lists all patients for one or more locations. One reason to impose a location restriction on users is to reduce the chance of misidentification, and a report that prints for a single patient run for the wrong patient is probably a more significant error than a report that happens to include “extra” locations. You could just add the location checking computed select field to cause a misidentification to return “no records found,” but it is more elegant to force the lookup itself to be restricted.

Turning this:

Into this:

The (MAGIC) or (C/S) program checks a /LOC.RESTRICT flag to determine whether to provide a restricted by location lookup.

If we create our own program in a report macro and call it with an ID= attribute, we can provide our report with a restricted lookup.

You can find additional NPR Tips on our website at, as well as information about our on-site NPR Report Writer Training and NPR Report Writing Services.

Upcoming NPR Training Opportunities:

We are pleased to offer NPR Report Writer training sessions at host sites this fall. Details and a course description are available on our website at http//

Location Level Instructor Date Cost
Children's Specialized Hospital
New Brunswick, NJ
Beginner/Intermediate Joe Cocuzzo Oct. 20-22, 2010 $750
Valley Presbyterian Hospital
Van Nuys, CA
Beginner/Intermediate Richard Serrano Nov. 17-19, 2010 $750

To subscribe for email notifications for new classes, please visit

For more information or to reserve a seat, please contact our NPR report writing team at

(This originally appeared in the September 2010 issue of Iatric Systems' Updates! newsletter.)