Thanks for this, really great to get that kind of feedback.
I think the permissions changes will indeed be straightforward enough.
Regarding the auditing, would every document's view be recorded then?
As you may have seen, from the backend's perspective there is no difference between viewing and downloading a document.
Of course you may decide to only audit requests for certain views (in the complex data sense of the term 'view' here). You could, for example, bypass auditing when thumbnails are fetched, which typically would make sense for PDF files (but not necessarily for images or other content types where the thumbnail itself might already represent sensitive information).
I guess the same remark applies to when to apply watermarks.
Btw, that's quite an interesting feature idea! I guess it would require the development of a third-party library for watermarking files based on their MIME type. Again, you don't mention images: will there never be a case where sensitive data will be uploaded as an image?
Also, surely PIH must have developed some sort of patient summary reports? And if yes, I would assume that those reports could be downloaded. And again, if yes, does watermarking not apply there too?
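The audit rule sketched in the reply above (view and download treated as one access, thumbnail fetches exempt only for PDFs, not for images) as an added illustration in Python; this is constructed example code, not the project's own, and the view name `thumbnail` and the `should_audit`/`audit_request` helpers are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy for this thread's example (not the project's code).
# The backend cannot tell a "view" from a "download", so both are recorded
# as a single action. Thumbnail fetches are exempt only for MIME types
# whose thumbnail carries no meaningful content (PDF here); image
# thumbnails may already expose sensitive data and are therefore audited.
THUMBNAIL_VIEW = "thumbnail"                    # assumed view name
THUMBNAIL_EXEMPT_MIME = {"application/pdf"}     # assumed exemption list


@dataclass(frozen=True)
class AuditRecord:
    user: str
    document_id: str
    mime_type: str
    view: str
    action: str  # always "access": view and download are indistinguishable


def should_audit(view: str, mime_type: Optional[str]) -> bool:
    """Decide whether a document request must be written to the audit log."""
    if view != THUMBNAIL_VIEW:
        return True  # any full-content view or download is always audited
    if mime_type is None:
        return True  # unknown content type: fail closed and audit
    # Thumbnails are skipped only for explicitly exempt types (e.g. PDF);
    # everything else (images, other content types) is still audited.
    return mime_type.lower() not in THUMBNAIL_EXEMPT_MIME


def audit_request(user: str, document_id: str,
                  mime_type: Optional[str], view: str) -> Optional[AuditRecord]:
    """Return the record to persist, or None when the request is exempt."""
    if not should_audit(view, mime_type):
        return None
    return AuditRecord(user, document_id, mime_type or "unknown", view, "access")
```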