From HIPAA Safe Issue 16
How thoroughly does your organization manage addressable implementation specification “Termination Procedures” §164.308(a)(3)(ii)(C)? Our experience is that most Covered Entities (CE) have some kind of communications between Human Resources (HR) and Information Services (IS), but that the process leaves some residual risk to the company.
Termination procedures should entail a consistent process in which all access is discontinued, and affected team members should be aware of the steps that fall outside their immediate responsibility (e.g. HR should be notified when keys are turned in). Aside from deleting all network and system login credentials, we recommend terminating physical facility access by collecting physical keys, changing electronic security codes, updating access lists, and collecting identification cards or badges.
One area we often see overlooked is electronic protected health information (ePHI) stored on personal devices, including cell phones and laptops. Even if a company has an administrative policy forbidding ePHI being shared in email, we don’t consider this an adequate security control and assume that ePHI is on a personal device until proven otherwise. The IS team should develop processes to wipe all organization accounts and data from the device, such that no ePHI leaves with a workforce member.
The termination process applies to anyone with potential access to ePHI. Don’t forget to develop processes to manage contractors, Business Associates (BA) and other vendor access. Communicate regularly with each external company with ePHI access; remove their inactive employee accounts and ensure that no new employee is using their predecessor’s credentials.
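The residual risk described above usually lives in the gap between the HR termination record and the individual systems (directory, badge system, device management, vendor account lists) that each hold a piece of a former workforce member's access. The following reconciliation script is an added illustration, not part of the original newsletter or any product it describes: it takes an HR termination feed, a directory export, a badge access list, an MDM inventory, BA-supplied staff rosters and an authentication log, and reports every place where access or data still lingers after the termination date. All records, usernames, vendor names and log lines are constructed sample data, and the field layouts are assumptions chosen for the example.

```python
from datetime import date, datetime

# --- Constructed sample inputs (not real records; layouts are assumptions) ---

# HR feed: workforce member -> termination date
HR_TERMINATIONS = {"jdoe": date(2024, 3, 1), "asmith": date(2024, 3, 15)}

# Directory export: username -> account currently enabled?
DIRECTORY_ACCOUNTS = {"jdoe": False, "asmith": True, "bjones": True}

# Physical access control list: usernames with an active badge
BADGE_ACL = {"jdoe", "asmith", "bjones"}

# MDM inventory: username -> [(device_id, organization data wiped?)]
MDM_INVENTORY = {
    "jdoe": [("phone-01", True)],
    "asmith": [("laptop-07", False)],
    "bjones": [("laptop-02", False)],
}

# Business Associate rosters (current staff, supplied by the BA) and the
# accounts actually provisioned for that BA in our systems
VENDOR_ROSTERS = {"vendor-acme": {"acme-user1"}}
VENDOR_ACCOUNTS = {"vendor-acme": {"acme-user1", "acme-user2"}}

# Authentication log lines (constructed): "<ISO timestamp> user=.. result=.. src=.."
AUTH_LOG = [
    "2024-03-02T09:10:00 user=jdoe result=success src=10.1.1.5",
    "2024-03-20T08:00:00 user=asmith result=success src=10.1.1.9",
    "2024-03-20T08:05:00 user=asmith result=failure src=10.1.1.9",
    "2024-03-01T12:00:00 user=bjones result=success src=10.1.1.7",
]


def parse_auth_line(line):
    """Split one log line into (timestamp, user, result)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields["user"], fields["result"]


def reconcile(terminations, accounts, badges, devices,
              vendor_rosters, vendor_accounts, auth_log):
    """Return (subject, category, detail) findings for residual access."""
    findings = []

    # 1. Logical, physical and device access for each terminated member
    for user, term_date in terminations.items():
        if accounts.get(user, False):
            findings.append((user, "account", "login credential still enabled"))
        if user in badges:
            findings.append((user, "badge", "physical access still granted"))
        for dev_id, wiped in devices.get(user, []):
            if not wiped:
                findings.append((user, "device",
                                 f"{dev_id} still holds organization data"))

    # 2. Any successful login on a day after the termination date is evidence
    #    that a credential outlived the person (or is being reused by someone)
    for line in auth_log:
        ts, user, result = parse_auth_line(line)
        term_date = terminations.get(user)
        if term_date and result == "success" and ts.date() > term_date:
            findings.append((user, "activity",
                             f"successful login at {ts.isoformat()} after termination"))

    # 3. BA accounts that the vendor no longer lists as current staff
    for vendor, accts in vendor_accounts.items():
        roster = vendor_rosters.get(vendor, set())
        for acct in sorted(accts - roster):
            findings.append((vendor, "vendor", f"{acct} not on current roster"))

    return findings


def run_sample():
    """Reconcile the constructed sample data."""
    return reconcile(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, BADGE_ACL,
                     MDM_INVENTORY, VENDOR_ROSTERS, VENDOR_ACCOUNTS, AUTH_LOG)


if __name__ == "__main__":
    for subject, category, detail in run_sample():
        print(f"{category:8} {subject:12} {detail}")
```

The roster comparison in step 3 only works if each BA user has a named, individual account; a shared vendor login that simply passes from one employee to the next never shows up as "not on the roster," which is why the text insists on removing inactive accounts rather than letting credentials be inherited. Run on a schedule, the "activity" check also gives the termination process a feedback loop: a login after the HR termination date means some step in the checklist was missed, not that the checklist was wrong.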
It is very important to develop a repeatable and manageable process to protect ePHI when a workforce member leaves the organization. Unauthorized ePHI access by a former employee has been the cause of many reported breaches. Ensure that your organization addresses this important HIPAA citation.