In its November newsletter, the Office for Civil Rights (OCR) made a point that we are seeing across the industry: the risk posed by former employees. In the newsletter, entitled "Insider Threats and Termination Procedures," OCR states that "Data breaches caused by current and former workforce members are a recurring issue across many industries, including the healthcare industry." We can confirm this is true.

OCR further states that when an employee is terminated or quits, "it is extremely important that covered entities and business associates prevent unauthorized access to protected health information (PHI)…"

OCR provides "tips" for health care entities to prevent unauthorized access to PHI by former employees. Here they are:

  1. Develop a checklist of standard procedures to complete when an employee leaves, including notifying the IT department or security personnel of their departure.
  1. Use logs to document when access to PHI is granted or changed.
  1. Terminate electronic and physical access to PHI as soon as possible.
  1. Consider using alerts to notify appropriate departments of actions to take when an account has not been used for a number of days, which will help identify accounts that should be permanently terminated.
  1. De-activate or delete user accounts of former employees, including disabling or changing their user IDs and passwords.
  1. Implement audit and review procedures to catch access to PHI after an employee leaves.
  1. Implement procedures regarding physical and remote access to PHI, including taking back devices, changing security codes for physical and electronic access, clearing PHI from personal devices, and terminating all remote access.
  1. Change the passwords of administrative or privileged accounts that a former employee had access to.
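Tips 4 and 6 describe checks that can be automated: alert on accounts that have gone unused for a set number of days, and review access logs for PHI activity after an employee's departure. The script below is an added illustration of both checks and is not part of the OCR newsletter or this post. It assumes a hypothetical HR roster mapping each user ID to its termination date (or none if still active) and a hypothetical comma-separated EHR audit log with the fields timestamp, user, action, record; both data sets are constructed here for the example. Accounts that appear in the log but not in the roster are also reported, since an account nobody owns is one that tip 5 would have us deactivate.

```python
"""Offboarding audit: flag PHI access after termination, orphaned accounts, and dormant accounts."""
from datetime import datetime, timedelta

# Constructed HR roster (hypothetical): user ID -> termination date, or None if still employed.
TERMINATIONS = {
    "jdoe": datetime(2024, 11, 4).date(),
    "asmith": None,
    "bchen": datetime(2024, 10, 15).date(),
    "rlee": None,
}

# Constructed EHR audit log (hypothetical), one event per line: timestamp,user,action,record.
AUDIT_LOG = """\
2024-11-01T09:12:00,jdoe,view,PHI-1001
2024-11-05T17:45:10,jdoe,view,PHI-2042
2024-11-06T08:03:55,jdoe,export,PHI-2042
2024-11-06T10:20:00,asmith,view,PHI-3003
2024-09-20T14:00:00,rlee,view,PHI-1001
2024-10-16T02:30:00,bchen,view,PHI-5555
2024-11-07T11:00:00,unknownsvc,view,PHI-1001
"""


def parse_log(text):
    """Parse the comma-separated audit log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record})
    return events


def post_termination_access(events, terminations):
    """Tip 6: PHI events by an account whose owner left before the event date.
    Activity on the termination day itself is not flagged here; a stricter policy
    could use >= and then check the event time against the offboarding time."""
    return [ev for ev in events
            if terminations.get(ev["user"]) is not None
            and ev["ts"].date() > terminations[ev["user"]]]


def unknown_accounts(events, terminations):
    """Accounts seen in the log that no one in the HR roster owns (orphaned or service accounts)."""
    return sorted({ev["user"] for ev in events if ev["user"] not in terminations})


def dormant_accounts(events, terminations, as_of, max_idle_days=30):
    """Tip 4: still-active accounts with no activity in the last max_idle_days (or ever).
    Returns (user, last_seen_date_or_None) pairs, sorted by user."""
    last_seen = {}
    for ev in events:
        if ev["ts"] > last_seen.get(ev["user"], datetime.min):
            last_seen[ev["user"]] = ev["ts"]
    cutoff = as_of - timedelta(days=max_idle_days)
    out = []
    for user, term in terminations.items():
        if term is not None:
            continue  # already offboarded; post_termination_access covers these
        seen = last_seen.get(user)
        if seen is None or seen < cutoff:
            out.append((user, seen.date() if seen else None))
    return sorted(out)


def offboarding_report(log_text, terminations, as_of_iso, max_idle_days=30):
    """Run all three checks and return plain-string results suitable for a ticket or alert."""
    events = parse_log(log_text)
    as_of = datetime.fromisoformat(as_of_iso)
    return {
        "post_termination": [(e["user"], e["ts"].isoformat(), e["action"], e["record"])
                             for e in post_termination_access(events, terminations)],
        "unknown_accounts": unknown_accounts(events, terminations),
        "dormant": [(u, d.isoformat() if d else None)
                    for u, d in dormant_accounts(events, terminations, as_of, max_idle_days)],
    }


if __name__ == "__main__":
    report = offboarding_report(AUDIT_LOG, TERMINATIONS, "2024-11-08T00:00:00")
    for section, rows in report.items():
        print(section)
        for row in rows:
            print("  ", row)
```

In practice the roster would come from the HR system of record and the log from the EHR or an identity provider, and the script would run on a schedule so that an account still active after its owner's termination date generates an alert rather than waiting for an annual review.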

Covered entities and business associates should consider following OCR's guidance when it is issued. It gives the healthcare industry insight into the issues OCR is looking at and the actions OCR considers appropriate for covered entities and business associates to take in response.

To access the OCR newsletter, click here.