Goal: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in the Security Rule.
The purpose of the Termination Procedures is to secure data from those who are no longer authorized access.
Procedure: The Security Manager must ensure that the following steps are completed prior to the release of the employee’s final payment.
- Revoke all of that employee's authorization immediately; get back keys, smart cards, tokens, badges, and the like. Consider changing the locks to the facility and/or computer room.
- Remove all access permissions to critical/sensitive areas, such as telephone closets, computer rooms, and classified areas.
- Delete the employee's account and password from all systems and networks.
- Retrieve all hardware, software, and documentation, including government equipment used at home.
- Preserve the employee's files in case they are needed as evidence should wrongdoing be discovered.
- Replace locks or have combinations changed (if required).
- Perform periodic audits:
  - Verify the timeliness of the prior actions.
  - Review activity on all suspended accounts and report any activity occurring after the termination date.
- Report completion of termination actions to Management.
Note: Timing for these actions may vary depending on the termination classification.
- Voluntary Termination: Access may be removed over a period of weeks as the employee hands responsibility over to another person or as access is no longer needed.
- Involuntary Termination: Access may be removed prior to notifying the employee of the termination if coordinated with the immediate supervisor. All access shall be removed prior to the employee leaving the premises.