Q&A: Making sure former employees cannot access ePHI

January 30, 2020
News & Insights

Q: What’s a best practice for ensuring former employees lose all access to our systems that touch ePHI?

A: The first thing you need to know is where your PHI is. If you don’t know where PHI is stored and processed, you can’t ensure that employee access is terminated when an employee departs. If you know where your PHI is, you are better positioned to have an accurate inventory of what systems need to be checked to make sure access is turned off.

It is important to, as much as feasible, implement role-based access control. If you know what an employee in a certain position can access, you’re not necessarily hunting around to find that information.

You do need to track when employees are granted additional access for special projects, to address additional temporary duties, or to cover the work of other employees when they are away. Removing that access should not wait until the employee terminates. The additional access should be terminated when the need for additional access goes away.

You can also use single sign-on (SSO) solutions or even Active Directory (AD) to control access to PHI. That way, if all or most PHI can only be reached through an SSO solution or AD, disabling the employee’s SSO or AD access terminates most or all of that person’s access to PHI. There are a number of solid SSO solutions on the market, and AD has been around for quite a number of years.

Something to keep in mind is you can implement the best solutions out there, but if you don’t have solid termination procedures in place, access still may not be terminated.

As an example, if it takes human resources two weeks to notify your IT shop that an employee has terminated, the terminated employee may well have access to PHI for those two weeks. If the employee is disgruntled, this could lead to breaches of PHI.
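One way to catch the gap the answer describes, between a termination and the moment access is actually turned off, is a periodic reconciliation that compares the HR separation roster against account exports from every system in the PHI inventory, and that also flags temporary project access past its end date. The script below is an added example written for this page, not code from the column or its author; the rosters and account exports are constructed sample data standing in for what HR and each system would provide.

```python
from datetime import date

# Constructed HR separation roster: username -> last day of employment.
HR_TERMINATIONS = {
    "jdoe": date(2020, 1, 10),
    "msmith": date(2020, 1, 28),
}

# Constructed account exports, one list per system in the PHI inventory.
# In practice these come from the EHR, billing system, SSO/AD, etc.
SYSTEM_ACCOUNTS = {
    "ehr": [
        {"user": "jdoe", "enabled": True},    # should have been disabled on Jan 10
        {"user": "msmith", "enabled": False},  # correctly disabled
        {"user": "alee", "enabled": True},     # current employee
    ],
    "billing": [
        {"user": "jdoe", "enabled": False},
        {"user": "msmith", "enabled": True},   # terminated Jan 28, still enabled
    ],
}

# Constructed log of temporary access grants with their agreed end dates.
TEMP_GRANTS = [
    {"user": "alee", "system": "ehr", "role": "audit-project", "expires": date(2020, 1, 15)},
]


def find_lingering_access(terminations, accounts, temp_grants, today, grace_days=1):
    """Return (system, user, reason) for every account that should no longer have access.

    grace_days allows for same-day or next-day processing before an account
    is reported as overdue; anything older than that is a finding.
    """
    findings = []
    # 1. Terminated employees whose accounts are still enabled on any PHI system.
    for system, entries in accounts.items():
        for entry in entries:
            term_date = terminations.get(entry["user"])
            if term_date is None or not entry["enabled"]:
                continue
            overdue = (today - term_date).days
            if overdue > grace_days:
                findings.append((system, entry["user"], f"enabled {overdue} days after termination"))
    # 2. Temporary access that outlived the need it was granted for.
    for grant in temp_grants:
        if today > grant["expires"]:
            findings.append((grant["system"], grant["user"], f"temporary {grant['role']} access expired {grant['expires']}"))
    return findings
```

Running the check daily and routing findings to the access owner for each system turns the "two weeks until IT hears from HR" problem into a one-day detection window, independent of whether the notification arrived.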

Editor’s note: Chris Apgar, CISSP, is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.
