Your Employee Just Quit!
You receive a call from the front desk explaining that one of your workforce members just quit. What do you do? The first thing you do, pull out your termination standard operating procedure (SOP). The SOP should include the necessary Workforce Security Termination Procedures for you to follow.
What Does the HIPAA Security Rule Say?
The Termination procedures is an addressable Administrative Safeguard, as defined below §164.308 (a)(3)(ii)(C).
Implement procedures for terminating access to electronic protected health information (PHI) when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) [the Workforce Clearance Procedure] of this section.
In case you did not already know over half of the HIPAA Security Rule is comprised Administrative Safeguards, they are defined as:
Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic PHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
For more details on Administrative Safeguards see our article on where I breakdown for you.
Why Do Termination Procedures Matter?
When a workforce member leaves, it is extremely important for regulated entities of all sizes prevent unauthorized access to PHI. This is accomplished by terminating the former workforce member’s access to PHI.
Don’t forget to ensure all company owned mobile devices like laptops and smartphones are returned. Also, if you allow the use of PHI on personally owned phones or other devices is permitted, be sure those devices are cleared or purged of electronic PHI.
Termination Procedures should include:
- Procedures to terminate access to PHI should also include termination of physical access to facilities.
- Procedures to terminate physical access could include:
→ Changing combination locks and security codes
→ Removing users from access lists, and ensuring the return of keys
→ Keycards, ID badges
→ And any other physical items that could permit access to secure areas with PHI
- Have standard termination procedures of all action items to be completed when an individual leaves, these action items could be incorporated into a checklist. These should include notification to the IT department or a specific security individual of when an individual should no longer have access to PHI, when their duties change, they quit, or are fired.
- Consider using logs to document whenever access is granted (both physical and electronic), privileges increased, and equipment given to individuals. These logs can be used to document the termination of access and return of physical equipment.
- Consider having alerts in place to notify the proper department when an account has not been used for a specified number of days. These alerts may be helpful in identifying accounts that should be permanently terminated.
- Terminate electronic and physical access as soon as possible.
- De-activate or delete user accounts, including disabling or changing user IDs and
- Have appropriate audit procedures in place. Appropriate audit and review processes confirm that procedures are being implemented, are effective, and that individuals are not accessing PHI when they shouldn’t or after they leave.
- Address physical access and remote access by implementing procedures to:
→ Take back all devices and items permitting access to facilities (like laptops, smartphones, removable media, ID badges, keys)
→ Terminate physical access (for example, change combination locks, security codes)
→ Effectively clear or purge PHI from personal devices and terminate access to PHI from such devices if personal devices are permitted to access or store PHI
→ Terminate remote access capabilities
→ Terminate access to remote applications, services, and websites such as accounts used to access third-party or cloud-based services
- Change the passwords of any administrative or privileged accounts (like admin or root user) that a former workforce member had access to.
Something to Ponder ...
Ask yourself the following two questions:
- Does your organization have current termination policies and procedures?
- Does your organization’s policies and procedures include timely communication of termination actions to ensure that the termination procedures are appropriately followed?