Rather than trying to deal with objects having multiple access control lists, we will assume that there are multiple records. A patient might for example have:
This is logically equivalent to having a single record with three different fields, each with its own access control list. However, it is much simpler for us to deal with.
So the clinician may open a new record when an existing patient wishes to discuss something highly sensitive, or when a new patient registers with her, or when a patient is referred from elsewhere. The access control list on a new record is as follows:
Principle 2: A clinician may open a record with herself and the patient on the access control list. Where a patient has been referred, she may open a record with herself, the patient and the referring clinician(s) on the access control list.
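To make the record-per-ACL design and Principle 2 concrete, here is an added Python model (not part of the original policy text). The principals, record labels and referral scenario are constructed; the only rule it enforces is the one stated above: a clinician opens a record whose access control list holds herself, the patient and, where there was a referral, the referring clinician(s).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # "clinician" or "patient"


@dataclass
class Record:
    label: str            # constructed label, e.g. "GP notes"
    patient: Principal
    acl: frozenset        # principals permitted to access this record


def open_record(label, opener, patient, referring=()):
    """Principle 2: only a clinician may open a record; its ACL is the
    opener, the patient and (on referral) the referring clinician(s)."""
    if opener.role != "clinician":
        raise PermissionError("only a clinician may open a record")
    if patient.role != "patient":
        raise ValueError("record subject must be a patient")
    if any(r.role != "clinician" for r in referring):
        raise ValueError("referrers on a new ACL must be clinicians")
    return Record(label, patient, frozenset({opener, patient, *referring}))


def accessible(principal, records):
    """Labels of the records whose ACL names this principal."""
    return sorted(r.label for r in records if principal in r.acl)


def example_patient_records():
    # Constructed scenario: one patient with three separate records,
    # rather than one record with three per-field ACLs.
    gp = Principal("Dr Smith", "clinician")
    psychiatrist = Principal("Dr Jones", "clinician")
    patient = Principal("Alice", "patient")
    records = [
        open_record("GP notes", gp, patient),
        # referral from the GP: the referrer goes on the new ACL
        open_record("psychiatry", psychiatrist, patient, referring=[gp]),
        # highly sensitive matter kept in its own record with a tighter ACL
        open_record("sensitive", gp, patient),
    ]
    return {p.name: accessible(p, records) for p in (gp, psychiatrist, patient)}
```

Running example_patient_records() shows that the referred clinician sees only the record opened for the referral, while the patient and the GP see every record they are listed on.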