Terminating staff access is no longer a simple process; it requires a coordinated effort between managers, staff, and HR to ensure that all access that should be terminated is, indeed, properly terminated. Mishandling staff access can lead to privacy violations, enforcement investigations, and financial penalties. The time to get your access control procedures under control is now.
HIPAA regulations require that organizations have strict controls on access to electronic Protected Health Information to ensure that only authorized persons have access, and to ensure that access is terminated when no longer needed. The HIPAA Security Rule has Physical, Technical, and Administrative safeguard requirements that call for having the technology and processes in place to properly establish access and maintain it.
HR processes usually initiate and document the initial provision of access to systems within the office, such as networks, e-mail, servers, and the EHR. These systems are also the easiest to terminate access to, since they are controlled by the organization, and in general the provisioning process can simply be run in reverse to disable access on termination.
Other entities may maintain other systems, such as state Web sites for Medicaid, or insurer Web sites, that your staff needs to access. Often, access for these sites is arranged by the manager or program director of the staff person, but there may not be a good process for making sure this access is turned off upon a termination of employment. Depending on the system, access might still be possible from another workstation if the ID and password for the terminated staff are not blocked.
These external services, and any internal services that are not managed centrally within your organization, are at risk of access being left open if no plan is developed for managing that access.
The enabling of access must be tracked in a database (or similar tool) so that it is possible to always know who has access to which sites, and which sites need to be contacted to terminate access upon a staff termination. The use of this tool must be integrated into the actions of managers and HR alike so that they can work together to make sure unnecessary access is disabled, and privacy and security violations are avoided.
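As an added illustration of the tracking tool described above (example code, not from the article or any particular product), the register below records every grant, including IDs on externally administered sites, turns a termination into a checklist that separates what IT can disable directly from what a manager must ask an outside contact to revoke, and audits for access that outlived the termination date. User, system and contact names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Grant:
    user: str
    system: str
    admin: str          # "internal" if IT controls it, else the external contact
    requested_by: str   # manager or HR person who arranged the access
    granted: date
    revoked: Optional[date] = None

class AccessRegister:
    def __init__(self) -> None:
        self.grants: list[Grant] = []

    def record(self, *args, **kwargs) -> Grant:
        g = Grant(*args, **kwargs)
        self.grants.append(g)
        return g

    def open_grants(self, user: str) -> list[Grant]:
        return [g for g in self.grants if g.user == user and g.revoked is None]

    def offboarding_checklist(self, user: str) -> list[str]:
        """One action per still-open grant; internal systems first so IT can
        disable them at once, external ones need their contact to be notified."""
        items = []
        for g in sorted(self.open_grants(user), key=lambda g: g.admin != "internal"):
            if g.admin == "internal":
                items.append(f"IT: disable {g.system} account for {user}")
            else:
                items.append(f"{g.requested_by}: ask {g.admin} to revoke {user}'s {g.system} ID")
        return items

    def revoke(self, user: str, system: str, on: date) -> None:
        for g in self.open_grants(user):
            if g.system == system:
                g.revoked = on

    def still_open_after(self, user: str, termination: date) -> list[str]:
        """Audit: systems whose access was never revoked or was revoked late."""
        return [g.system for g in self.grants if g.user == user
                and (g.revoked is None or g.revoked > termination)]

# Constructed sample data: two centrally managed systems and one state portal
reg = AccessRegister()
reg.record("jdoe", "EHR", "internal", "HR", date(2023, 1, 9))
reg.record("jdoe", "email", "internal", "HR", date(2023, 1, 9))
reg.record("jdoe", "state Medicaid portal", "state-helpdesk", "program director", date(2023, 2, 1))
TERMINATION = date(2023, 6, 30)   # constructed termination date for the audit
```

Running the audit after only the internal accounts have been disabled leaves the external portal on the still-open list, which is exactly the gap the article warns about.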
Overall, access management and HR processes need to move into the 21st Century, so that access management methods are relevant and effective as security tools in the modern age of communication.