Administrators can restrict access using HCPatientListSecurity custom setting.

When a user's field-level security restricts access to a field used as a display column, the column does not appear in the list.

Administrators can create restriction rules to offset a private organization-wide default setting.

Users with profile or permission sets that restrict access to an object cannot create a list using that object.

Administrators can restrict access to patient or member lists using standard Salesforce sharing settings on the list.