Case Study · Concept & Design Strategy

MediTag 2.0 — consent-first, role-based access in healthcare (speculative)

A modern pattern for fast, safe access to the right patient data at the right moment — scoped by role, time-boxed, and fully auditable. Public-safe overview (no confidential details).

Role: Concept designer
Focus: consent UX · service design · safety
Status: exploration

Overview — What is MediTag?

MediTag is a tap-to-act pattern for hospitals. A short-range NFC wristband or ID lets authorised staff start the right task instantly — without hunting records or typing long passwords.

How it works — in plain English

  • Close range by design (a deliberate tap). NFC only works within a few centimetres.
  • The tag itself holds no medical data — it carries a secure reference recognised by the hospital system.
  • On tap, the system issues a time-limited, role-scoped access token (for example, 30–120 minutes).
  • Every action creates an audit entry. Emergency overrides are documented, require a reason and auto-expire.
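A sketch of the issuance step described above, added here as an example and not part of the MediTag concept or any hospital system. The key, role policy, tag registry and function names are all assumptions; the tag ID is only a lookup key, and the token is bound to one patient, one scope and a bounded lifetime.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"       # assumption: secret held only by the hospital system
ROLE_SCOPES = {"nurse": {"observations", "meds"}, "porter": {"transfer"}}  # assumed policy
TAGS = {"a3f9c2e17b04": {"patient_ref": "P-1001", "revoked": False},  # constructed registry;
        "77d0e5b1c9aa": {"patient_ref": "P-1002", "revoked": True}}   # the tag holds only the key
MAX_TTL, OVERRIDE_TTL = 120 * 60, 30 * 60  # seconds: 120-minute ceiling, 30-minute override
AUDIT = []                                 # stand-in for an append-only audit store

def _sign(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

def issue_token(tag_id, staff, role, scope, ttl, now, basis="consent", reason=""):
    """Issue a signed token for one patient, one scope and a bounded lifetime."""
    tag = TAGS.get(tag_id)
    if tag is None or tag["revoked"]:
        raise PermissionError("tag not recognised or revoked")
    if scope not in ROLE_SCOPES.get(role, set()):
        raise PermissionError("scope not permitted for this role")
    if basis == "override":
        if not reason.strip():
            raise ValueError("override requires a reason")
        ttl = min(ttl, OVERRIDE_TTL)       # break-glass access expires quickly
    claims = {"patient_ref": tag["patient_ref"], "staff": staff, "role": role,
              "scope": scope, "basis": basis, "exp": now + min(ttl, MAX_TTL)}
    AUDIT.append({"at": now, "event": "token_issued", "reason": reason, **claims})
    body = json.dumps(claims, sort_keys=True).encode()
    return body.hex() + "." + _sign(body)

def verify_token(token, needed_scope, now):
    """Accept only an untampered, unexpired token whose scope matches the task."""
    body_hex, _, sig = token.partition(".")
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return False
    claims = json.loads(body)
    return claims["scope"] == needed_scope and now < claims["exp"]
```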

What a tap can do

  • Open the right patient record at the right point in the workflow
  • Confirm a medication match before administration (with a documented override)
  • Unlock authorised doors or cabinets (e.g., pharmacy, controlled stores)
  • Speed up check-in/out and other routine tasks
  • Optionally initiate simple payments where appropriate

Benefits we aim to measure in pilots

  • Time-to-access: scan → consent → view in under 30 seconds on ward
  • Medication safety: patient-tag match required before administration; override rate and reasons reviewed
  • Fewer missed appointments: clearer check-in/out and reminders

Privacy & security

  • Data minimisation: tags hold only a random ID; clinical data stays in the hospital system
  • Challenge–response: tokens are short-lived and specific to role and task
  • Anti-clone posture: rate-limit taps, detect duplicates, require step-up auth for sensitive scopes
  • Lost or stolen: tags can be revoked immediately; staff devices use passcode/biometric and remote-wipe
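One way the anti-clone checks above could be evaluated per tap, as an added example that is not part of the original page. The thresholds, scope names, reader IDs and the `TapGuard` class are assumptions, and the tap log is constructed.

```python
from collections import defaultdict, deque

RATE_WINDOW, RATE_MAX = 60, 5    # assumed: at most 5 taps per tag in any 60 s
CLONE_WINDOW = 120               # assumed: one tag at two readers within 120 s is suspect
SENSITIVE_SCOPES = {"controlled_drugs", "pharmacy_door"}   # assumed scope names

class TapGuard:
    def __init__(self):
        self.recent = defaultdict(deque)   # tag_id -> tap times inside the rate window
        self.last_seen = {}                # tag_id -> (time, reader_id) of previous tap

    def check(self, tag_id, reader_id, scope, ts):
        taps = self.recent[tag_id]
        while taps and ts - taps[0] >= RATE_WINDOW:
            taps.popleft()                 # forget taps older than the window
        taps.append(ts)
        prev = self.last_seen.get(tag_id)
        self.last_seen[tag_id] = (ts, reader_id)
        # Duplicate detection: the same ID seen at a different reader too soon.
        if prev and prev[1] != reader_id and ts - prev[0] < CLONE_WINDOW:
            return "deny:possible-clone"
        if len(taps) > RATE_MAX:
            return "deny:rate-limited"
        if scope in SENSITIVE_SCOPES:
            return "step-up"               # require passcode/biometric before issuing
        return "allow"

# Constructed tap log: (tag_id, reader_id, scope, seconds)
TAPS = [
    ("tag-01", "ward-b3", "observations", 0),
    ("tag-01", "ward-b3", "controlled_drugs", 10),
    ("tag-01", "pharmacy", "observations", 40),    # same tag, other reader, 30 s later
] + [("tag-02", "ward-a1", "observations", 100 + i) for i in range(6)] + [
    ("tag-01", "pharmacy", "observations", 300),
]

def replay(taps):
    """Run a tap log through a fresh guard and return one decision per tap."""
    guard = TapGuard()
    return [guard.check(*tap) for tap in taps]
```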

Offline & resilience

If connectivity drops, the app can cache the last valid consent until a stated time and queue audit events to sync later. Clear banners make status obvious and fallback steps are documented.
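The offline behaviour described above, as an added example that is not part of the original page. The class and function names are assumptions, and chaining each queued event to the previous one by hash is an assumption that goes beyond what the page specifies; it lets the server notice dropped, reordered or edited events at sync time.

```python
import hashlib
import json

GENESIS = "0" * 64   # assumed start value for the chain

def _digest(event):
    return hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()

class OfflineSession:
    """One staff device working from a cached consent while disconnected."""
    def __init__(self, consent_id, scope, valid_until):
        self.consent = {"id": consent_id, "scope": scope, "valid_until": valid_until}
        self.queue = []        # audit events waiting to sync
        self.head = GENESIS    # digest of the most recent queued event

    def act(self, scope, action, now):
        """Allow the action only inside the cached scope and time; log either way."""
        allowed = scope == self.consent["scope"] and now < self.consent["valid_until"]
        event = {"at": now, "consent_id": self.consent["id"], "scope": scope,
                 "action": action, "allowed": allowed, "offline": True,
                 "prev": self.head}
        self.queue.append(event)
        self.head = _digest(event)
        return allowed

def verify_sync(events, head):
    """Server side: True only if no queued event was dropped, reordered or edited."""
    prev = GENESIS
    for event in events:
        if event["prev"] != prev:
            return False
        prev = _digest(event)
    return prev == head
```

The chain gives tamper evidence for the queue, not protection against a device that rebuilds the whole chain; that would need events signed with a device-held key.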

Problem & why now

Hospitals juggle speed, privacy and safety. Access is often all-or-nothing, consent can be invisible, and staff lose time to logins and lookups. We explore a minimal, tap-to-act model that reduces friction while strengthening consent and auditability.

Concept (at a glance)

  • Tap-to-start: a short-range NFC wristband/ID triggers the right flow on staff devices.
  • Role-scoped access: what you see/do matches your role, and is time-boxed.
  • Audit & override: every action creates a receipt; emergencies have a documented break-glass path with auto-expiry.
  • Beyond records: the same tap can handle doors, meds, check-in, and simple payments where appropriate.

How it works (journey)

Scan — staff taps MediTag; patient is identified safely.
Request — staff selects role & scope; shows purpose and duration.
Consent — patient approves; badge shows remaining time.
Act — staff completes task (records, meds, access, etc.).
Audit — a human-readable log records who/what/when/why.
Override — emergencies require reason and expire quickly.

Key screens (spec)

A. Scan & identify

Partial identity until consent; clear “Confirm patient” affordance.

B. Consent & role

Request shows role, scope, time window, and purpose. Approve/Decline.

C. Emergency override

Reason required; automatic notifications; tight auto-expiry (e.g., 30 mins).

D. Audit trail

Readable log with export; shows role, scope, timestamp, and basis.

Risks & mitigations

Safety & duty of care

Clear scopes, opt-outs, escalation guidance; override is rare and time-limited.

Privacy & security

Encrypt data; minimise on-device storage; enforce strict role-based access; revoke tags immediately if lost.

Change impact

Hands-on training; staggered rollout; fallback paths for downtime.

MVP experiments

  • Time-to-access: scan → consent → view in < 30 seconds on ward
  • Comprehension: do patients/staff understand the role + time model?
  • Process fit: validate doors/meds/check-in flows in controlled pilots

What I did

  • Framed problem, consent model and role-scoped flow
  • Drafted UI, service blueprint, risk analysis
  • Planned MVP experiments and measures

What’s next

  • Export 4 UI screens and a one-page blueprint; embed above
  • Run concierge pilot with frontline roles; measure time-to-access & clarity
  • Iterate consent copy, expiry defaults and audit views

Public-safe: this page intentionally omits confidential data, partner details and implementation specifics; available privately on request.

UI Copy · MediTag 2.0

Key screens — exact microcopy

A) Scan & Identify

Primary layout

  • Title: Confirm patient
  • Patient preview (masked): {PatientInitial}. {PatientLastName} · DOB {DOBDay} {DOBMonthShort} (partial) · Ward {Ward} · Bed {Bed}
  • Helper line: Please confirm with the patient or check the wristband digits.
  • Chip (ID fragment): Tag • ****{Last4OfTag}
  • Primary button: Confirm with patient
  • Secondary link: Not my patient
  • Tertiary link: Need emergency access?

Full details are shown only after consent or emergency override.

Short variant

Line: {PatientInitial}. {PatientLastName} · Ward {Ward} · Bed {Bed}
Buttons: Confirm · Not mine · Emergency

ARIA

  • aria-label: Confirm patient — masked details
  • aria-description: Only partial identity shown until consent or override

Errors / edge

  • Tag not recognised: Couldn’t read this tag. Try again or use patient search.
  • Revoked tag: This tag has been revoked. Issue a new wristband and re-scan.
  • Multiple matches: Multiple matches found — confirm with patient and select from list.

C) Emergency Override (Break glass)

Primary layout

  • Title: Emergency override
  • Warning: This action is logged and reviewed. Use only when consent is impractical.
  • Reason (required): Tell us why access is needed now… e.g., Patient unconscious / time-critical intervention
  • Role & scope: Your role: {RequesterRole} • Scope: {ScopeShort}
  • Expiry: Expires in {OverrideDuration} (default 30 minutes)
  • Primary (destructive): Proceed with override
  • Secondary: Cancel

After activation (staff UI)

Banner: Override active · {TimeLeft}
Reason: {Reason}
Actions: End now · Add note

Short variant

Lines: Logged • Reviewed • Auto-expires {OverrideDuration}
Buttons: Proceed · Cancel

ARIA

  • aria-label: Emergency override
  • aria-description: Logged access with reason, limited time, and audit

Errors / edge

  • No reason entered: Please add a short reason for the override.
  • Override limit reached: Maximum override window reached. Seek senior authorisation.

D) Audit Trail

Primary layout

  • Title: Access log
  • Filters: All • Consent • Override • Last 24h • Last 7d
  • Row: {DateShort} {Time24} · {RequesterName} ({RequesterRole}) viewed {ScopeShort} via {Basis} ({Duration})
  • Details (expand): Purpose: {PurposeShort} • Location: {LocationShort} • Consent ID: {ConsentIdShort} • Tag: ****{Last4OfTag}
  • CTAs: Export PDF • Share with patient • Report an issue

Empty state

No access recorded in this period.

ARIA

  • role="table" • aria-label="Access log"
  • aria-description="Chronological list of access events with basis and scope"

Placeholder glossary

  • {PatientInitial} first initial only (e.g., M.)
  • {PatientLastName} surname (e.g., Ellis)
  • {DOBDay} / {DOBMonthShort} day / abbreviated month (e.g., 14 / Apr)
  • {Ward} / {Bed} ward / bed (e.g., B3 / 12)
  • {Last4OfTag} last 4 characters of tag UID
  • {RequesterName} e.g., Dr S Khan
  • {RequesterRole} Doctor / Nurse / Porter / Pharmacist
  • {ScopeShort} e.g., Observations, Meds & Allergies
  • {Duration} e.g., 2 hours / 30 minutes
  • {PurposeShort} e.g., Ward round / Medication administration / Transfer
  • {TimeLeft} time remaining (e.g., 1h 47m)
  • {OverrideDuration} default 30 minutes
  • {Reason} free-text reason captured at override
  • {Basis} Consent / Override
  • {LocationShort} e.g., Ward B3
  • {ConsentIdShort} short token (e.g., CN-9K3X)
  • {DateShort} / {Time24} e.g., 12 Oct / 09:42
  • {DateTimeShort} e.g., 12 Oct 09:42