An information security policy says who may access what information; access includes such activities as reading, writing, appending, and deleting data. It is driven by a threat model and in turn drives the more detailed aspects of system design. To be effective, it needs to be written at the right level of abstraction; it must not encumber the reader with unnecessary details of specific equipment. It must tackle the important problems and ignore the distractions.
A potential distraction is the precise meaning of terms such as `clinician', `patient' and `system'. One could dwell at length on what might happen when the clinician delegates a task to a student, or when the patient is a minor or deceased. These questions can be difficult but are, for our purposes, unimportant; so we shall clarify them here rather than in the body of the policy.