Without procedures and practices to address when employees leave your organization, employee turnover in healthcare can pose a risk to your HIPAA compliance.
HIPAA Risks from Employee Turnover in Healthcare – Access to Healthcare Data
You may not know it, but the HIPAA Rules address employees leaving your employment. Specifically, the Security Rule's termination procedures standard (45 CFR §164.308(a)(3)(ii)(C)) requires procedures for terminating access to ePHI when a workforce member's employment or other arrangement ends, which guidance commonly summarizes as "formal, documented instructions for ending employment and closing off internal and external access."
Because the Security Rule is written to be technology-neutral and scalable, you won't find precise do's and don'ts to follow when facing employee separation or termination. But because one of HIPAA's primary points of emphasis is controlling access to, and the privacy of, patients' protected health information (PHI), here are a few wise actions you should include when offboarding employees:
- Revoke employee access to any system containing ePHI immediately upon separation, including email, data storage, Electronic Medical Record systems, Human Resources systems, and VPN or other remote access; rotate any shared or service passwords the employee knew, since those cannot be "revoked" by disabling one account.
- Retrieve any devices or physical records containing PHI or ePHI in the employee’s possession and require them to sign affirmations that they no longer possess any PHI.
- Remove all employee access to the physical site by retrieving keys and keycards or changing security codes.
HIPAA Risks from Employee Turnover in Healthcare – HIPAA Termination Procedures (for cause)
Firing an employee “for cause” can be an uncomfortable and involved process. States and municipalities can have wildly different standards required to justify a termination for cause.
Your organizational HIPAA Policies and Procedures should define expected behaviors and include corrective actions up to and including termination.
While you're negotiating the legalities of termination from an employment law perspective, remember that HIPAA requires you to protect PHI throughout the process. It may be necessary to follow some of the suggestions listed in the previous section while an employee is still technically employed.
If there are suspicions of wrongdoing related to PHI, it would be wise to review the terminated employee's audit trail (the access logs the Security Rule already requires you to keep) for irregularities: unusual volumes of patient records viewed or exported in the days before departure, and any activity by the account after the termination time, which would mean access was not fully revoked.
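The two checks above (confirming that access was actually cut off, and looking for a jump in record access before departure) can be scripted against an EHR audit export. The following is an added example written for this article, not code from Compliancy Group or from any EHR vendor. It assumes a hypothetical key=value audit-log format, a constructed sample log, an assumed termination timestamp for the sample employee "jdoe", and illustrative thresholds (a 7-day final window compared with a 28-day baseline, flagged at 3x); adapt all of these to your own systems.

```python
"""Review a departing workforce member's ePHI audit trail around the termination date.

Two checks to run before closing the offboarding ticket:
  1. any event by the account after termination (access was not fully revoked);
  2. a jump in distinct patient records touched in the final days of employment,
     compared with the preceding baseline (possible data collection before leaving).
The log format, thresholds and sample data are hypothetical.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (hypothetical key=value format, not a real EHR export).
SAMPLE_LOG = """\
2024-02-12T09:02:11Z user=jdoe action=VIEW record=MRN-1001 src=10.0.4.12
2024-02-15T10:15:40Z user=jdoe action=VIEW record=MRN-1002 src=10.0.4.12
2024-02-19T14:30:05Z user=jdoe action=UPDATE record=MRN-1003 src=10.0.4.12
2024-02-22T08:45:12Z user=jdoe action=VIEW record=MRN-1004 src=10.0.4.12
2024-02-26T11:05:59Z user=jdoe action=VIEW record=MRN-1005 src=10.0.4.12
2024-03-01T09:20:33Z user=jdoe action=VIEW record=MRN-1006 src=10.0.4.12
2024-03-04T15:10:02Z user=jdoe action=VIEW record=MRN-1007 src=10.0.4.12
2024-03-07T16:40:21Z user=jdoe action=VIEW record=MRN-1008 src=10.0.4.12
2024-03-09T18:02:10Z user=jdoe action=VIEW record=MRN-2001 src=10.0.4.12
2024-03-09T18:03:44Z user=jdoe action=VIEW record=MRN-2002 src=10.0.4.12
2024-03-09T18:05:01Z user=jdoe action=VIEW record=MRN-2003 src=10.0.4.12
2024-03-11T19:10:30Z user=jdoe action=VIEW record=MRN-2004 src=10.0.4.12
2024-03-11T19:11:02Z user=jdoe action=VIEW record=MRN-2005 src=10.0.4.12
2024-03-11T19:12:47Z user=jdoe action=VIEW record=MRN-2006 src=10.0.4.12
2024-03-13T20:01:15Z user=jdoe action=VIEW record=MRN-2007 src=10.0.4.12
2024-03-13T20:02:33Z user=jdoe action=VIEW record=MRN-2008 src=10.0.4.12
2024-03-13T20:04:09Z user=jdoe action=VIEW record=MRN-2009 src=10.0.4.12
2024-03-14T21:30:00Z user=jdoe action=EXPORT record=MRN-2010 src=10.0.4.12
2024-03-14T21:31:18Z user=jdoe action=EXPORT record=MRN-2011 src=10.0.4.12
2024-03-14T21:32:45Z user=jdoe action=EXPORT record=MRN-2012 src=10.0.4.12
2024-03-16T02:10:07Z user=jdoe action=VIEW record=MRN-3001 src=vpn-203.0.113.9
2024-03-10T09:00:00Z user=asmith action=VIEW record=MRN-1001 src=10.0.4.20
2024-03-16T08:30:00Z user=asmith action=VIEW record=MRN-2004 src=10.0.4.20
"""

# Assumed termination timestamp for the sample employee "jdoe".
TERMINATED_AT = datetime(2024, 3, 15, 17, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) record=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse the key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m.group(2), "action": m.group(3),
                       "record": m.group(4), "src": m.group(5)})
    return events


def post_termination_access(events, user, terminated_at):
    """Events by `user` after `terminated_at`; any hit means a credential or path was missed."""
    return [e for e in events if e["user"] == user and e["ts"] > terminated_at]


def pre_termination_spike(events, user, terminated_at, window_days=7,
                          baseline_days=28, factor=3.0, min_records=5):
    """Compare distinct records accessed per day in the final `window_days` with the
    preceding `baseline_days`. Flag when the final window is at least `factor` times
    the baseline rate and touches at least `min_records` records, so that a quiet
    account cannot be flagged for a single lookup."""
    window_start = terminated_at - timedelta(days=window_days)
    baseline_start = window_start - timedelta(days=baseline_days)

    def distinct_records(start, end):
        return {e["record"] for e in events
                if e["user"] == user and start <= e["ts"] < end}

    baseline = distinct_records(baseline_start, window_start)
    window = distinct_records(window_start, terminated_at)
    baseline_rate = len(baseline) / baseline_days
    window_rate = len(window) / window_days
    # Floor the baseline at one record per baseline period so a zero baseline
    # does not turn any activity at all into a "spike".
    threshold = factor * max(baseline_rate, 1.0 / baseline_days)
    return {"baseline_records": len(baseline), "window_records": len(window),
            "baseline_rate": baseline_rate, "window_rate": window_rate,
            "flagged": len(window) >= min_records and window_rate >= threshold}


def review_sample():
    """Run both checks over the constructed log for the sample employee and a coworker."""
    events = parse_log(SAMPLE_LOG)
    return {"events": len(events),
            "after_termination": post_termination_access(events, "jdoe", TERMINATED_AT),
            "spike": pre_termination_spike(events, "jdoe", TERMINATED_AT),
            "coworker_spike": pre_termination_spike(events, "asmith", TERMINATED_AT)}


if __name__ == "__main__":
    result = review_sample()
    for e in result["after_termination"]:
        print(f"ACCESS AFTER TERMINATION: {e['ts'].isoformat()} {e['action']} "
              f"{e['record']} from {e['src']}")
    print("pre-termination spike:", result["spike"])
```

On the sample data the script reports one event by jdoe after the termination time (a VPN session, which is exactly the remote-access path that offboarding checklists most often miss) and flags the final week, in which twelve distinct records were viewed or exported against a baseline of eight records over the previous four weeks. Both findings are leads for a human reviewer, not conclusions: the spike check in particular should be tuned to the role, since a clinician on a busy rotation legitimately touches far more charts than a billing clerk.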
Final Thoughts: HIPAA Risks from Employee Turnover in Healthcare – Keep those Records
When employees leave your company, keep their HIPAA training records, and the signed affirmations collected at offboarding, for at least six years following their departure. These records may be needed to prove appropriate training and return of PHI in the event of an audit or breach investigation.
If you need help developing a comprehensive HIPAA compliance strategy, including employee training and record-keeping, Compliancy Group is here to help. We’ve been simplifying HIPAA for 18 years, assisting organizations to fully satisfy the requirements of the law while reducing time and effort by as much as 80 percent.
Let us help you the way we have thousands of other medical practices and business associates.