The HIPAA Security Rule administrative safeguards require information access to be effectively managed. Only employees that require access to protected health information to conduct their work duties should be granted access to PHI.
When employees voluntarily or involuntarily leave the organization, PHI access privileges must be terminated. The failure to implement procedures to terminate access to PHI immediately could all too easily result in a data breach. Each year there are many examples of organizations that fail to terminate access promptly, only to discover former employees have continued to log in to systems remotely after their employment has come to an end.
If HIPAA-covered entities and business associates do not have effective identity and access management policies and controls, there is a significant risk of PHI being accessed by former employees after employment has terminated. Data could be copied and taken to a new employer, or used for malicious purposes. The Department of Health and Human Services’ Office for Civil Rights’ breach portal includes many examples of both.
In its November cybersecurity newsletter, OCR has drawn attention to the risk of these types of insider threats and explains the importance of implementing effective identity and access management policies.
When an employee is terminated or quits, access to PHI must be terminated immediately, preferably before the individual has left the building. There are several ways that access to PHI can be terminated, although most commonly this is achieved by deleting user accounts.
While the employee’s account must be terminated, covered entities must also ensure that other accounts that the employee had access to are secured. Passwords for administrative or privileged accounts should also be changed.
In addition to terminating user accounts to prevent unauthorized access to electronic protected health information, OCR reminds covered entities and business associates of the need to also terminate physical access to facilities and health records. Keys and keycards must be returned, users should be removed from access lists, security codes should be changed, and ID cards returned.
If an employee has been issued a laptop, mobile phone, or other electronic device, those devices must be recovered. If there is a BYOD policy and employees have been allowed to use their own devices to access or store ePHI, ePHI must be purged from those personal devices.
Since employees may have access to multiple accounts, logs should be created whenever access to PHI or systems is granted, privileges are increased, or equipment is issued. The logs can be used to make sure all accounts are secured and all equipment can be retrieved.
OCR suggests developing a set of standard procedures that can be applied and followed whenever an employee or other workforce member quits or is terminated. A checklist is a good way to ensure that nothing is missed.
Identity and access management policies will only be effective if they are followed 100% of the time. To ensure that is the case, covered entities and business associates should consider conducting audits to confirm procedures are being followed. Audits should also include checking user logs to ensure former employees are not continuing to access systems and data after their employment has been terminated.
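The two controls described above, a ledger of what each workforce member has been granted and an audit that checks logs for activity after termination, are easy to reconcile in a short script. The example below is added here and is not code from OCR or from the article; the ledger layout, the log line format, the usernames, system names and timestamps are all constructed assumptions. It lists ledger entries for terminated users that have not been revoked or returned, and flags any authentication event (successful or failed) by a user after their HR termination time.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Grant:
    """One entry in the ledger of access or equipment issued to a workforce member."""
    user: str
    item: str       # account name, system, or asset tag
    kind: str       # "account", "privilege" or "equipment"
    revoked: bool   # True once the item has been disabled or returned


# Constructed sample data (not real): HR termination times in UTC, the
# access ledger, and a few authentication log lines in an assumed format
# "TIMESTAMP SYSTEM ACTION key=value ...".
TERMINATIONS = {
    "jdoe": datetime(2023, 11, 3, 17, 0, tzinfo=timezone.utc),
}

ACCESS_LEDGER = [
    Grant("jdoe", "ehr-app", "account", revoked=True),
    Grant("jdoe", "vpn", "account", revoked=False),
    Grant("jdoe", "db-admin", "privilege", revoked=True),
    Grant("jdoe", "LAPTOP-0042", "equipment", revoked=False),
    Grant("asmith", "ehr-app", "account", revoked=False),   # still employed
]

AUTH_LOG = [
    "2023-11-03T16:45:00Z vpn LOGIN user=jdoe src=10.0.0.5 result=success",
    "2023-11-05T02:13:00Z vpn LOGIN user=jdoe src=203.0.113.7 result=success",
    "2023-11-05T02:14:00Z ehr-app LOGIN user=jdoe src=203.0.113.7 result=failure",
    "2023-11-06T09:00:00Z ehr-app LOGIN user=asmith src=10.0.0.9 result=success",
]


def open_items(ledger, terminations):
    """Ledger entries belonging to terminated users that are not yet revoked.

    This is the offboarding checklist check: anything returned here still
    needs to be disabled, re-keyed or physically recovered.
    """
    return [(g.user, g.item, g.kind) for g in ledger
            if g.user in terminations and not g.revoked]


def parse_auth_line(line):
    """Parse one assumed-format log line into a dict of its fields."""
    ts, system, action, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields.update(
        # fromisoformat() on older Pythons does not accept a trailing "Z".
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        system=system,
        action=action,
    )
    return fields


def post_termination_activity(log_lines, terminations):
    """Authentication events by a user after that user's termination time.

    Failed attempts are included deliberately: a former employee trying a
    disabled account is still something the audit should surface.
    """
    events = []
    for line in log_lines:
        ev = parse_auth_line(line)
        cutoff = terminations.get(ev.get("user"))
        if cutoff is not None and ev["ts"] > cutoff:
            events.append(ev)
    return events


if __name__ == "__main__":
    for user, item, kind in open_items(ACCESS_LEDGER, TERMINATIONS):
        print(f"OPEN  {kind:<10} {user} -> {item}")
    for ev in post_termination_activity(AUTH_LOG, TERMINATIONS):
        print(f"ALERT {ev['ts'].isoformat()} {ev['user']} on {ev['system']} ({ev['result']})")
```

Run against the constructed data, the ledger check reports the VPN account and the laptop as still open for the terminated user, and the log check reports the two events on 5 November but not the login at 16:45 on 3 November, which predates the termination time. In practice the termination list would come from the HR system and the ledger would be the same record that is updated whenever access is granted, privileges are raised, or equipment is issued.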
Further tips to prevent unauthorized access to PHI and ePHI by former employees can be found on this link.