8 steps for protecting health data when employees leave

The HHS Office for Civil Rights, which enforces the HIPAA privacy, security and breach notification rules, has new guidance to help healthcare organizations, including business associates, secure their data when an employee who has access to health data is terminated or otherwise leaves.

1. Responsibility as soon as the employee leaves
When a workforce member is leaving the organization, it is important to ensure that the worker’s access to protected health information is effectively terminated, according to OCR. Initial steps include making sure mobile phones, laptops and other devices are returned; ensuring that personal phones or other devices approved to hold PHI are cleared or purged of electronic protected health information; and shutting down all of the user’s accounts, including inactive ones.
2. Time to exit the building
Procedures to terminate access to ePHI should include termination of physical access to facilities. These could include changing combination locks and security codes, removing the person from access lists, and asking for the return of keys, tokens, keycards, ID badges and any other physical items that could permit access.
3. Standardize procedures
Organizations should have standard procedures for all action items to be completed when an individual leaves and incorporate the items in a checklist. These include notification to the IT department or specific security personnel about when an individual should no longer have access to ePHI when duties change or when the individual quits or is fired.
4. Documentation
Use logs to document whenever access is granted, physically or electronically, whenever privileges are increased, and whenever equipment is issued to individuals. The same logs can then document the termination of the worker’s access to information and the return of physical equipment.
5. Monitor account use
Consider having alerts in place to notify a department when an account has not been used for a specified number of days. These alerts may be helpful in identifying staff members’ accounts that should be permanently terminated.
6. Move fast
Terminate electronic and physical access as soon as possible. De-activate or delete user accounts, including disabling or changing user IDs and passwords.
7. Audit procedures
Have appropriate audit procedures in place. Appropriate audit and review processes confirm that the procedures are actually being carried out and are effective, and that individuals are not accessing ePHI when they shouldn’t or after they leave.
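The two checks that steps 5 and 7 describe, dormant-account alerting and a review for access after termination, can be automated against an identity directory's last-login data, an HR termination feed and an access log. The script below is an added illustration, not code from OCR or the article; the account names, dates and systems in it are constructed sample data, and real deployments would read them from the directory, HR system and audit logs instead.

```python
"""Dormant-account and post-termination access review (added example, not
from the OCR guidance or the article). Flags accounts idle longer than a
threshold (step 5) and use of a terminated account on or after its
termination date (step 7). All records below are constructed sample data."""
from datetime import date, timedelta

# Constructed: account -> last successful login (from the directory/IdP)
LAST_LOGIN = {
    "jdoe": date(2017, 12, 1),
    "asmith": date(2017, 9, 15),   # idle for months, never deactivated
    "bchen": date(2017, 11, 30),
}

# Constructed: account -> termination date (from the HR offboarding feed)
TERMINATED = {
    "asmith": date(2017, 10, 1),
    "bchen": date(2017, 11, 20),
}

# Constructed access log: (account, date, system accessed)
ACCESS_LOG = [
    ("jdoe", date(2017, 12, 1), "ehr-portal"),
    ("bchen", date(2017, 11, 19), "ehr-portal"),  # before termination: fine
    ("bchen", date(2017, 11, 30), "ehr-portal"),  # after termination: flag
]

def dormant_accounts(last_login, today, max_idle_days=30):
    """Accounts not used for more than max_idle_days, oldest first."""
    cutoff = today - timedelta(days=max_idle_days)
    idle = [u for u, seen in last_login.items() if seen < cutoff]
    return sorted(idle, key=lambda u: last_login[u])

def access_after_termination(access_log, terminated):
    """Log entries where a terminated account was used on/after its end date."""
    return [(u, d, s) for u, d, s in access_log
            if u in terminated and d >= terminated[u]]

def run_review(today_iso, max_idle_days=30):
    """Run both checks as of today_iso; dates come back as ISO strings."""
    today = date.fromisoformat(today_iso)
    post = access_after_termination(ACCESS_LOG, TERMINATED)
    return {
        "dormant": dormant_accounts(LAST_LOGIN, today, max_idle_days),
        "post_termination": [(u, d.isoformat(), s) for u, d, s in post],
    }

if __name__ == "__main__":
    print(run_review("2017-12-07"))
```

Every account the dormant check reports should be reconciled against the HR feed, and any hit from the post-termination check is an incident to investigate, not just a cleanup item.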
8. Additional steps
Terminate remote access capabilities and access to remote applications, services and websites, such as accounts used to reach third-party or cloud-based services. Change the passwords of any administrative or privileged accounts (such as admin, root or system administrator) to which a former workforce member had access.