Identity and Access Management Policies That Govern Terminated Employees


The HIPAA Security Rule calls for the efficient management of information access. Personnel who are given access to protected health information (PHI) should have appropriate authorization. But what if employees quit their job? The healthcare organization must ensure that the privileges to access PHI are terminated right away. If procedures to stop access to PHI are not carried out, a data breach can very easily occur. There are a number of cases that occur each year linked to the inability of organizations to end PHI access quickly. Previous employees remotely sign in to the organization’s systems even when they’re not authorized any more.

If HIPAA-covered entities and business associates have no efficient identity and access management policies and regulations, there exists a substantial risk of PHI being viewed or stolen by previous personnel after employment has ended. Data may be duplicated and given to another employer, or utilized for malicious intentions. The Department of Health and Human Services’ Office for Civil Rights’ breach portal has published numerous examples of both.

OCR’s November cybersecurity newsletter pointed out the probability of insider threats as a result of failure to execute effective identity and access management guidelines. What are important reminders for effective identity and access management to avoid insider data breaches?

When a staff is terminated from work or quits, access to PHI should be cut off promptly, ideally before the person has gone out of the building. There are a number of ways to terminate access to PHI, though most often this is accomplished by removing user accounts.

Besides deleting user accounts to avoid unauthorized access of ePHI, OCR is reminding covered entities and business associates the importance of terminating physical access to facilities and medical records. Keys and keycards need to be turned in, users ought to be taken off access lists, security codes must be altered, and ID cards returned.

In case a laptop computer, mobile phone or any electronic gadget was released to the staff, make sure to retrieve them. If a BOYD policy permitted employees to utilize their own device to gain access to or maintain ePHI, do not forget to clear up personal gadgets. Logs are essential when staff access PHI or systems, request the use of equipment or obtains privileges. The logs can help you be certain that all accounts are safe and equipment is recovered.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Having a standard process to follow any time an employee resigns ought to be set up.   Make a checklist so that you can ensure you don’t miss out on anything. Identity and access management guidelines should be observed 100% of the time to be beneficial. Performing audits help to validate that the policies are being enforced. Check user logs to know if past employees continue to access systems and data after their end of contract.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: