8 steps for protecting health data when employees leave

As IT staff and others with access to patient information move on from an organization, it’s critical to ensure that PHI is kept safe.


The HHS Office for Civil Rights, which enforces the HIPAA privacy, security and breach notification rules, has new guidance to help healthcare organizations, including business associates, secure their data when an employee who has access to health data is terminated or otherwise leaves.




1. Responsibility as soon as the employee leaves

When a workforce member is leaving the organization, it is important to ensure that the worker’s access to protected health information is effectively terminated, according to OCR. Initial steps include making sure mobile phones, laptops and other devices are returned; that any approved personal phones or other devices are cleared or purged of electronic protected health information; and that all of the user’s accounts are shut down—including inactive accounts.



2. Time to exit the building

Procedures to terminate access to ePHI should include termination of physical access to facilities. These could include changing combination locks and security codes, removing the person from access lists, and asking for the return of keys, tokens, keycards, ID badges and any other physical items that could permit access.



3. Standardize procedures

Organizations should have standard procedures for all action items to be completed when an individual leaves and incorporate the items in a checklist. These include notification to the IT department or specific security personnel about when an individual should no longer have access to ePHI when duties change or when the individual quits or is fired.



4. Documentation

Use logs to document whenever access is granted physically or electronically, whenever privileges are increased, and whenever equipment is given to individuals. These logs can then be used to document the termination of a worker’s access to information and the return of physical equipment.



5. Monitor account use

Consider having alerts in place to notify a department when an account has not been used for a specified number of days. These alerts may be helpful in identifying staff members’ accounts that should be permanently terminated.



6. Move fast

Terminate electronic and physical access as soon as possible. De-activate or delete user accounts, including disabling or changing user IDs and passwords.



7. Audit procedures

Have appropriate audit procedures in place. Appropriate audit and review processes confirm that the procedures are actually being implemented and are effective, and that individuals are not accessing ePHI when they shouldn’t or after they leave.
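Steps 5 and 7 describe checks that can be automated: flag accounts that are dormant for a set number of days, and flag departed workers whose accounts are still enabled or were used after their departure date. The script below is an added illustration, not part of the OCR guidance; the HR roster, account export and audit date are constructed sample data.

```python
from datetime import date, datetime

# Constructed sample data (hypothetical): HR roster of departures and an
# identity-system export of accounts with their last-login timestamps.
DEPARTURES = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 2, 15),
}
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "last_login": "2024-03-04T09:12:00"},
    {"user": "asmith", "enabled": False, "last_login": "2024-02-14T17:30:00"},
    {"user": "bwong", "enabled": True, "last_login": "2023-12-20T08:00:00"},
    {"user": "svc-backup", "enabled": True, "last_login": "2024-03-10T02:00:00"},
]
AUDIT_DATE = date(2024, 3, 12)  # constructed "today" for the audit run


def audit_accounts(accounts, departures, today, dormant_days=30):
    """Return (user, finding) pairs for three offboarding failures:
    an account still enabled after departure, a login after the
    departure date, and a current user's account dormant > dormant_days."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        last_login = datetime.fromisoformat(acct["last_login"]).date()
        departed = departures.get(user)
        if departed is not None:
            # Step 7: confirm termination procedures were carried out.
            if acct["enabled"]:
                findings.append((user, "ENABLED_AFTER_DEPARTURE"))
            if last_login > departed:
                findings.append((user, "LOGIN_AFTER_DEPARTURE"))
        elif acct["enabled"] and (today - last_login).days > dormant_days:
            # Step 5: dormant accounts that may belong to departed staff.
            findings.append((user, "DORMANT"))
    return findings


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit_accounts(ACCOUNTS, DEPARTURES, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{finding:24} {user}")
```

Each finding maps back to a checklist item: an enabled account or a post-departure login for a listed departure means the termination procedure failed, and a dormant account is a candidate for the permanent termination described in step 5.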



8. Additional steps

Terminate remote access capabilities and access to remote applications, services and websites, such as accounts used to access third-party or cloud-based services. Change the passwords of any administrative or privileged accounts (like admin, root or system administrator) to which a former workforce member had access.


