diff --git a/tmh_registry/registry/tests/api/viewsets/test_hospitals.py b/tmh_registry/registry/tests/api/viewsets/test_hospitals.py
index cfcbe04..a38f76e 100644
--- a/tmh_registry/registry/tests/api/viewsets/test_hospitals.py
+++ b/tmh_registry/registry/tests/api/viewsets/test_hospitals.py
@@ -53,7 +53,7 @@ def test_get_hospitals_list_from_non_admin_user(self):
 self.client.credentials(HTTP_AUTHORIZATION="Token " + self.token.key)
 response = self.client.get("/api/v1/hospitals/", format="json")
- self.assertEqual(HTTP_403_FORBIDDEN, response.status_code)
+ self.assertEqual(HTTP_200_OK, response.status_code)
 def test_get_hospitals_list_from_non_medical_personnel_user(self):
 self.non_mp_user = UserFactory()
@@ -95,7 +95,7 @@ def test_get_hospitals_detail_from_non_admin_user(self):
 f"/api/v1/hospitals/{self.hospital.id}/", format="json"
 )
- self.assertEqual(HTTP_403_FORBIDDEN, response.status_code)
+ self.assertEqual(HTTP_200_OK, response.status_code)
 def test_get_hospitals_detail_from_non_medical_personnel_user(self):
 self.non_mp_user = UserFactory()
diff --git a/tmh_registry/registry/tests/api/viewsets/test_patients.py b/tmh_registry/registry/tests/api/viewsets/test_patients.py
index e932ee9..0927e0e 100644
--- a/tmh_registry/registry/tests/api/viewsets/test_patients.py
+++ b/tmh_registry/registry/tests/api/viewsets/test_patients.py
@@ -190,7 +190,7 @@ def test_get_patients_list_from_non_admin_user(self):
 client.credentials(HTTP_AUTHORIZATION="Token " + non_admin_token.key)
 response = client.get("/api/v1/patients/", format="json")
- self.assertEqual(HTTP_403_FORBIDDEN, response.status_code)
+ self.assertEqual(HTTP_200_OK, response.status_code)
 def test_get_patients_list_from_non_medical_personnel_user(self):
 non_mp_user = UserFactory()
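Review bot: The updated assertion in `test_get_hospitals_list_from_non_admin_user` checks only `response.status_code`, so the new allow path for non-staff medical personnel is pinned down no further than "the request succeeds"; the same holds for the detail hunk in this file and for both hunks in `test_patients.py`. Since these four tests are the visible coverage of what a non-admin account can now read, each should also assert on the payload, e.g. `self.assertEqual(self.hospital.id, response.data["id"])` in the detail case if the serializer exposes `id`, and on which records are included in the list cases. If hospital or patient visibility is meant to be limited per user, a companion test asserting that a record outside that scope is not returned would keep the relaxed permission from over-exposing data unnoticed. The test bodies begin above the hunks, so the fixtures and the `HTTP_200_OK` import are not visible here and are assumed to exist.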
@@ -256,7 +256,7 @@ def test_get_patients_detail_from_non_admin_user(self):
 f"/api/v1/patients/{self.patient.id}/", format="json"
 )
- self.assertEqual(HTTP_403_FORBIDDEN, response.status_code)
+ self.assertEqual(HTTP_200_OK, response.status_code)
 def test_get_patients_detail_from_non_medical_personnel_user(self):
 non_mp_user = UserFactory()
diff --git a/tmh_registry/users/api/permissions.py b/tmh_registry/users/api/permissions.py
index 3568509..8ecac95 100644
--- a/tmh_registry/users/api/permissions.py
+++ b/tmh_registry/users/api/permissions.py
@@ -10,8 +10,10 @@ class IsMedicalPersonnel(permissions.BasePermission):
 def has_permission(self, request, view):
 try:
- return request.user.medical_personnel.user.is_staff
+ request.user.medical_personnel
 except MedicalPersonnel.DoesNotExist:
 return False
 except builtins.Exception:
 return False
+
+ return True
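Review bot: The new `has_permission` returns True for any user that has a `medical_personnel` row, and nothing in the hunk replaces the `is_staff` gate it removes, so this class alone no longer separates staff from ordinary medical personnel on the hospitals and patients endpoints. If non-staff accounts should see only part of the data, that restriction has to live in the viewsets' querysets or in `has_object_permission`, neither of which is visible here; a docstring on the method such as `"""Allow any user with an associated MedicalPersonnel record, staff or not."""` would make the new rule explicit. Separately, the bare expression `request.user.medical_personnel` reads as dead code, and the `except builtins.Exception` branch turns any fault, including a database error, into a silent denial. Assuming `medical_personnel` is a reverse one-to-one accessor, `return hasattr(request.user, "medical_personnel")` expresses the same check and lets unexpected errors surface. The class header and the rest of `IsMedicalPersonnel` lie outside the hunk.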