There have been several instances reported recently in which a terminated employee has violated HIPAA by accessing patient information after they have been fired. This can cause major implications for healthcare organizations, especially if the disgruntled employee exfiltrates patient data to sell on the dark web. To protect your organization from employee data theft, tips to prevent a terminated employee from violating HIPAA are discussed.

Prevent a Terminated Employee From Violating HIPAA
  1. Create and follow an employee offboarding process

  2. Create and adhere to an IT asset management program

  3. Track data access 

  4. Block data access points

  5. Use unique login credentials for each employee

  6. Conduct exit interviews with employees

  7. Notify IT departments 

Create and follow an employee offboarding process

To ensure that all data access is revoked in a timely manner, it is important to have a thorough offboarding process. This can be done by implementing a checklist that includes all systems and devices that have access to sensitive information. The checklist should also include who is responsible for revoking terminated employee data access.

Create and adhere to an IT asset management program

Keeping a device asset list, including which employees have access to what device and where the device is located, ensures that all devices are returned in the event that an employee leaves the company. This is particularly important in today’s remote work environment as most employees have multiple company devices at their home offices. Your device asset list should include ID cards, portable storage devices, laptops, computers, software licenses, accounts, and keys. 

Additionally, with the use of cloud software, employees are able to access company data from any device as long as they have login credentials. To reduce the risk of human error, and ensure all access to cloud software is revoked, your organization should implement single sign-on tools. This way, when an employee’s login credentials are revoked, you only have to do so once, instead of manually revoking access from each individual software service.

Let’s Simplify Compliance

Do you need help with employee HIPAA compliance? Compliancy Group can help!

Learn More!
HIPAA Seal of Compliance

Track data access

Tracking access to healthcare data is not only a requirement of HIPAA, it also enables you to quickly detect both insider and outsider breaches. A recent study determined that the most critical time to pay attention to is within the last 90 days of an employee’s employment, determining that 70% of employee data theft occurs within this time period. Areas in which it is most critical to monitor include USB file transfers, access logs for servers, printer logs, email attachments, web browsing activity, and bandwidth usage.

Block data access points

To prevent a terminated employee from violating HIPAA in their last days of employment, it is critical to block access to cloud data. There may be instances in which the employee requires access, however, their activity should be closely monitored.

Use unique login credentials for each employee

Using unique login credentials for access to sensitive data is also