Former Employees With Active System Access Are a Top HIPAA Audit Finding
That employee who left your practice last month — can they still log into your EHR? Your email? Your scheduling system? If you are not completely sure the answer is no, you have a problem.
Former employees retaining system access after departure is one of the most common findings in a HIPAA audit. It is also one of the easiest vulnerabilities to prevent. The HIPAA Security Rule (45 CFR §164.308(a)(3)) requires workforce security procedures, including processes that govern the authorization and termination of access to electronic protected health information (ePHI).
What a Former Employee Can Do With Active Credentials
Consider what a disgruntled former employee could do if their login still works. They could access patient records. They could download sensitive data. They could modify or delete information. And your organization would be liable for every bit of it because you failed to revoke access when they left.
This is not a hypothetical scenario. The HHS Office for Civil Rights has investigated multiple cases where former workforce members accessed patient information after their employment ended.
The Fix: A Written Termination Checklist
The solution is not a mental note. It is not "I will get to it Monday." It is a written, documented checklist that gets executed the same day someone's employment ends.
HIPAA Termination Checklist
- EHR login credentials
- Email account access
- Remote access VPN
- Cloud storage permissions
- Physical keys and key cards
- Badge access to restricted areas
- Building alarm codes
- Scheduling system access
- Billing platform credentials
- Shared drive or file server access
Role Changes Matter Too
Termination is not the only time access should be reviewed. When employees change roles within your practice, their access should change with them. If someone moves from billing to the front desk, they should no longer have billing system access. Access permissions should always match the employee's current job responsibilities.
The HIPAA Security Rule refers to this as the minimum necessary standard for access — employees should only have access to the ePHI they need to perform their specific job function.
Assign Ownership and Keep Records
Someone in your organization should own this process. Make it part of your HR workflow so it happens automatically, not as an afterthought. And keep a record of every access revocation — the date, the systems affected, and who executed the checklist. When an auditor asks, and they will ask, you need to show the paper trail.
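As an added example (not code from the original post or from One Guy Consulting): a small Python reconciliation that compares the HR list of departed staff against per-system account exports, flags any login still enabled past the person's last day, and builds the revocation record the checklist owner keeps. The HR feed, system names and export fields are constructed assumptions, not a real EHR or vendor format.

```python
"""Reconcile HR terminations against per-system account lists (constructed data)."""
from datetime import date

# Constructed HR feed: login -> last day of employment.
HR_TERMINATIONS = {
    "jsmith": date(2024, 3, 1),
    "mlee": date(2024, 3, 15),
    "kpatel": date(2024, 4, 1),   # future last day; nothing to revoke yet
}

# Constructed account exports per system: login -> account enabled?
SYSTEM_ACCOUNTS = {
    "ehr": {"jsmith": True, "mlee": False, "rjones": True, "kpatel": True},
    "email": {"jsmith": False, "mlee": True, "rjones": True},
    "vpn": {"jsmith": True, "rjones": True},
    "billing": {"mlee": False, "rjones": True},
}

AS_OF = date(2024, 3, 20)  # date the check is run


def find_lingering_access(terminations, systems, as_of):
    """Return one finding per enabled account belonging to a departed worker.

    Workers whose last day is still in the future are skipped. Findings are
    ordered oldest gap first so the longest-open exposure is handled first.
    """
    findings = []
    for login, last_day in terminations.items():
        if last_day > as_of:
            continue
        for system, accounts in systems.items():
            if accounts.get(login):  # missing or False means no active access
                findings.append({
                    "system": system,
                    "login": login,
                    "last_day": last_day.isoformat(),
                    "days_open": (as_of - last_day).days,
                })
    return sorted(findings, key=lambda f: (-f["days_open"], f["system"]))


def revocation_record(finding, executed_by, executed_on):
    """Audit entry for the paper trail: what was revoked, when, and by whom."""
    return {**finding, "revoked_by": executed_by,
            "revoked_on": executed_on.isoformat()}


if __name__ == "__main__":
    for f in find_lingering_access(HR_TERMINATIONS, SYSTEM_ACCOUNTS, AS_OF):
        print(f"{f['system']:8} {f['login']:8} open {f['days_open']:>3} days past {f['last_day']}")
```

Run it daily against fresh exports; an empty result is the evidence an auditor wants, and each non-empty finding becomes a revocation record once actioned.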
FAQs
Q: Does HIPAA require revoking system access when an employee leaves?
Yes. The HIPAA Security Rule requires covered entities to implement procedures for terminating access to ePHI when an employee leaves or changes roles. This falls under the Information Access Management standard (45 CFR §164.312(a)(1)) and the Workforce Security standard (45 CFR §164.308(a)(3)).
Q: How quickly should access be revoked after termination?
Access should be revoked the same day employment ends. Any delay creates a window where former employees can access patient records, download data, or modify information — all of which expose your organization to liability and potential HIPAA violations.
Q: What systems should a HIPAA termination checklist cover?
A HIPAA termination checklist should cover EHR login credentials, email accounts, VPN and remote access, cloud storage permissions, physical keys and badges, building alarm codes, scheduling systems, and any other platform where patient data is accessible.
Q: Do I need to update access when an employee changes roles?
Yes. If an employee moves from billing to the front desk, for example, they should no longer have billing system access. HIPAA requires that access permissions match current job responsibilities. Review and adjust access whenever roles change.
Conclusion
Revoking system access on the day an employee leaves is one of the simplest, lowest-cost safeguards a practice can implement. A written termination checklist, combined with role-based access reviews, protects your patients and your organization from preventable HIPAA violations. One Guy Consulting helps small practices build practical HIPAA compliance programs. Book a HIPAA chat to get started.