When an employee of a medical practice or facility quits or is terminated, it is extremely important that covered entities and business associates prevent unauthorized access to protected health information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) offers the following tips to prevent unauthorized access to PHI by former workplace members:
- Have a standard procedure covering every action item to be completed when an individual leaves; these action items can be incorporated into a checklist. The procedure should include notifying the IT department or a designated security individual when an individual should no longer have access to ePHI, whether because their duties change, they quit, or they are fired.
- Consider using logs to document whenever access is granted (both physical and electronic), privileges increased, and equipment given to individuals. These logs can be used to document the termination of access and return of physical equipment.
- Consider having alerts in place to notify the proper department when an account has not been used for a specified number of days. These alerts may be helpful in identifying accounts that should be permanently terminated.
- Terminate electronic and physical access as soon as possible.
- De-activate or delete user accounts, including disabling or changing user IDs and passwords.
- Have appropriate audit procedures in place. Appropriate audit and review processes confirm that procedures are actually being implemented, are effective, and that individuals are not accessing ePHI when they shouldn’t or after they leave.
- Address physical access and remote access by implementing procedures to:
  - take back all devices and items permitting access to facilities (like laptops, smart phones, removable media, ID badges, keys);
  - terminate physical access (for example, change combination locks, security codes);
  - effectively clear or purge ePHI from personal devices and terminate access to ePHI from such devices if personal devices are permitted to access or store ePHI;
  - terminate remote access capabilities;
  - terminate access to remote applications, services, and websites such as accounts used to access third-party or cloud-based services.
- Change the passwords of any administrative or privileged accounts (like admin, root, sa) that a former workforce member had access to.
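The logging, inactivity-alert, and audit tips above can be backed by a small script run over the access logs a practice already keeps. The following is an added example, not code from OCR or from any product; the log format, the user names, and the HR termination record are all constructed for illustration. It builds the offboarding checklist for a departing user from the grant/revoke history, flags accounts idle longer than a chosen number of days, and reports any login by a departed user after their recorded termination time.

```python
from datetime import datetime, timedelta

# Constructed sample access log (not real data). Each event is
# (timestamp, user, action, target). 'grant' and 'revoke' record
# provisioning changes, physical and electronic alike; 'login' records use.
EVENTS = [
    ("2024-01-08T09:00", "jdoe", "grant", "ehr-app"),
    ("2024-01-08T09:05", "jdoe", "grant", "badge-main-entrance"),
    ("2024-01-08T09:10", "jdoe", "grant", "laptop-0042"),
    ("2024-02-01T08:30", "jdoe", "login", "ehr-app"),
    ("2024-03-15T17:00", "jdoe", "revoke", "laptop-0042"),
    ("2024-03-16T07:45", "jdoe", "login", "ehr-app"),  # use after termination
    ("2024-01-10T10:00", "asmith", "grant", "ehr-app"),
    ("2024-01-11T08:00", "asmith", "login", "ehr-app"),
    ("2024-03-10T08:00", "bwong", "grant", "vpn"),
    ("2024-03-20T08:00", "bwong", "login", "vpn"),
]

# Constructed: termination time per departed user, as recorded by HR.
TERMINATIONS = {"jdoe": "2024-03-15T17:00"}


def _ts(value):
    """Parse the ISO-8601 timestamps used in the constructed log."""
    return datetime.fromisoformat(value)


def open_entitlements(events, user):
    """Offboarding checklist: every grant to `user` that has no later revoke."""
    open_items = set()
    for _ts_str, who, action, target in sorted(events, key=lambda e: e[0]):
        if who != user:
            continue
        if action == "grant":
            open_items.add(target)
        elif action == "revoke":
            open_items.discard(target)
    return sorted(open_items)


def dormant_accounts(events, now, max_idle_days):
    """Accounts seen in the log whose last login is older than the cutoff
    (or that have never logged in); candidates for permanent termination."""
    last_login = {}
    known_users = set()
    for ts, who, action, _target in events:
        known_users.add(who)
        if action == "login":
            last_login[who] = max(last_login.get(who, _ts(ts)), _ts(ts))
    cutoff = _ts(now) - timedelta(days=max_idle_days)
    return sorted(u for u in known_users
                  if last_login.get(u, datetime.min) < cutoff)


def post_termination_access(events, terminations):
    """Audit finding: logins by departed users after their termination time."""
    findings = []
    for ts, who, action, target in sorted(events, key=lambda e: e[0]):
        end = terminations.get(who)
        if action == "login" and end is not None and _ts(ts) > _ts(end):
            findings.append((who, target, ts))
    return findings


if __name__ == "__main__":
    print("Still to revoke for jdoe:", open_entitlements(EVENTS, "jdoe"))
    print("Dormant >30 days:", dormant_accounts(EVENTS, "2024-04-01T00:00", 30))
    print("Access after termination:", post_termination_access(EVENTS, TERMINATIONS))
```

The checklist comes straight from the grant log, so anything provisioned outside the log will be missed; that is the reason the tips stress recording every grant, physical and electronic, at the time it happens. The post-termination check is the audit step: a non-empty result means the termination procedure was not completed or not effective.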
For more information on safeguarding PHI from former employees, consult the OCR's published guidance on the topic.