Blog Home Page Next article:

HIPAA Understood: Termination Procedures

This series is intended to help those required to be in compliance with HIPAA understand what is required of them. Regulatory standards are often times difficult to understand as they are worded vaguely. By the end of this series, you will have a better understanding of what is required of you by HIPAA. In addition, I will provide suggestions on how to achieve compliance based on what I have seen work most effectively.

Termination is not something most people enjoy but unfortunately, it’s unavoidable. Whether an employee leaves voluntarily or involuntarily it is something that occurs and should be handled properly to avoid damages to the organization. This week we will discuss terminations as they pertain to the HIPAA rule:

“164.308(a)(3)(ii)(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.”

The focus here is to remove access from those individuals who no longer require access or who have had their access revoked for any reason. To begin, we need to develop procedures which are used to terminate the access. These procedures should include the technical aspects of access termination as well as all personnel involved in the process and timelines associated with the termination.  This is a simple rule, however the problem most organizations run into is separating the voluntary and non-voluntary terminations within the procedures.

I recommend that non-voluntary terminations are handled differently than voluntary separations. Ideally, access will be revoked, for non-voluntary terminations, while the employee is being terminated and they will not receive access to their systems after being terminated. Now, not all terminations will be the same but there will be times when an employee becomes hostile once terminated and may pose a threat to the confidentiality, availability, and/or integrity of your PHI/ePHI. If this is the case you should have procedures in place to handle that type of situation.