Termination Procedures

Episode 12: Know The Rules! Termination Procedures


Your Employee Just Quit!

The first thing you should do is follow your Termination Procedures to ensure you perform the necessary Workforce Security procedures, as defined in §164.308 (a)(3)(ii)(C).

When a workforce member leaves, it is extremely important that Covered Entities (CEs) and Business Associates (BAs) of all sizes prevent unauthorized access to PHI by ensuring the former workforce member’s access to PHI is effectively terminated.

Don’t forget to ensure any and all company-owned mobile devices like laptops and smartphones are returned. Also, if the use of PHI on personally-owned phones or other devices is permitted, be sure those devices are cleared or purged of PHI.

Termination Procedures Should Include:

  1. Procedures to terminate access to PHI should also include termination of physical access to facilities.
  2. Procedures to terminate physical access could include:
    → Changing combination locks and security codes
    → Removing users from access lists
    → Ensuring the return of keys, tokens, keycards, ID badges, and any other physical items that could permit access to secure areas with PHI
  3. Have standard termination procedures covering all action items to be completed when an individual leaves; these action items could be incorporated into a checklist. They should include notification to the IT department or a specific security individual of when an individual should no longer have access to PHI: when their duties change, when they quit, or when they are fired.
  4. Consider using logs to document whenever access is granted (both physical and electronic), privileges increased, and equipment given to individuals. These logs can be used to document the termination of access and return of physical equipment.
  5. Consider having alerts in place to notify the proper department when an account has not been used for a specified number of days. These alerts may be helpful in identifying accounts that should be permanently terminated.
  6. Terminate electronic and physical access as soon as possible.
  7. De-activate or delete user accounts, including disabling or changing user IDs and passwords.
  8. Have appropriate audit procedures in place. Appropriate audit and review processes confirm that procedures are actually being implemented, are effective, and that individuals are not accessing PHI when they shouldn’t or after they leave.
  9. Address physical access and remote access by implementing procedures to:
    → Take back all devices and items permitting access to facilities (like laptops, smartphones, removable media, ID badges, keys)
    → Terminate physical access (for example, change combination locks, security codes)
    → Effectively clear or purge PHI from personal devices and terminate access to PHI from such devices if personal devices are permitted to access or store PHI
    → Terminate remote access capabilities
    → Terminate access to remote applications, services, and websites such as accounts used to access third-party or cloud-based services
  10. Change the passwords of any administrative or privileged accounts (like admin or root user) that a former workforce member had access to.
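As an added illustration of items 5 and 8 (this is example code, not part of the original post): a small audit run over a constructed account export and a constructed termination log, flagging enabled accounts idle past a threshold, terminated workforce members whose accounts are still enabled, and logins recorded after a termination date. The record fields, the 30-day threshold and the audit date are assumptions.

```python
from datetime import date, timedelta

# Constructed sample account export (not from the post); fields are assumptions.
ACCOUNTS = [
    {"user": "jdoe",       "enabled": True,  "last_login": date(2024, 1, 10)},
    {"user": "asmith",     "enabled": True,  "last_login": date(2024, 5, 28)},
    {"user": "rlee",       "enabled": False, "last_login": date(2024, 3, 20)},
    {"user": "svc-backup", "enabled": True,  "last_login": None},  # never used
]
# Constructed termination log: user -> date access should have ended.
TERMINATIONS = {"jdoe": date(2024, 2, 1), "rlee": date(2024, 3, 15)}
TODAY = date(2024, 6, 1)  # assumed date the audit is run

def stale_accounts(accounts, today, max_idle_days=30):
    """Item 5: enabled accounts unused for more than max_idle_days (never-used counts)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        a["user"] for a in accounts
        if a["enabled"] and (a["last_login"] is None or a["last_login"] < cutoff)
    )

def terminated_but_enabled(accounts, terminations, today):
    """Item 8 audit: members past their termination date whose account is
    still enabled, i.e. access was never effectively terminated."""
    return sorted(
        a["user"] for a in accounts
        if a["enabled"] and a["user"] in terminations and terminations[a["user"]] <= today
    )

def logins_after_termination(accounts, terminations):
    """Item 8 audit: a login recorded after the termination date means the
    account was used when it should not have been."""
    return sorted(
        a["user"] for a in accounts
        if a["last_login"] is not None
        and a["user"] in terminations
        and a["last_login"] > terminations[a["user"]]
    )

def audit(accounts=ACCOUNTS, terminations=TERMINATIONS, today=TODAY, max_idle_days=30):
    """Collect all findings into one report for the IT/security reviewer."""
    return {
        "stale": stale_accounts(accounts, today, max_idle_days),
        "terminated_but_enabled": terminated_but_enabled(accounts, terminations, today),
        "logins_after_termination": logins_after_termination(accounts, terminations),
    }

if __name__ == "__main__":
    for finding, users in audit().items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```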

Know The Rules

Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!
