Every covered entity and business associate, whether large or small, struggles with prompt termination of user access. Whether it be interns, temporary staff or permanent employees, it is a common struggle to have HR communicate to IT that someone has left the organization or no longer needs access to PHI. This poses a high risk: individuals who may no longer be with the organization still have access to PHI, and some of them may be disgruntled. Here are a few tips to help mitigate the risk.
Establish a consistent process by which IT is notified by HR when anyone leaves the organization or changes job functions so that they no longer need access to PHI. HR likely has a process it goes through when an employee leaves. Work to include communicating to IT who is leaving and when. Often this can be done simply by submitting a ticket to whoever provisions access to systems with PHI.
For temporary users (e.g. interns, volunteers, students, auditors, temporary staff), have HR provide you with a date when the user will be leaving. If they don’t know the exact date, have them provide a “safe” date by which the user will no longer need access. While not ideal, it will reduce the risk of terminated users retaining access for an extended amount of time.
Review access logs periodically to purge users who are no longer with the organization or have not logged in for an extended period of time (e.g. 3 months). This can be a significant amount of data to review for larger organizations with many users, so a log review schedule should be implemented (e.g. once a month) to remove inactive users.
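As an added illustration (not code from the original article), the following Python script combines the two checks described above, the HR-provided access-end date for temporary users and the inactivity review of access logs, and also flags accounts that appear in the logs but not on the HR roster. The roster format, the log format and the 90-day threshold are assumptions, and the sample data is constructed.

```python
from datetime import date, datetime, timedelta

# Constructed sample HR roster (assumed format): status plus an optional
# "safe" access-end date supplied by HR for temporary users.
HR_ROSTER = {
    "jsmith":   {"status": "active",     "access_end": None},
    "intern01": {"status": "active",     "access_end": date(2024, 5, 31)},
    "tjones":   {"status": "terminated", "access_end": date(2024, 4, 15)},
    "mlee":     {"status": "active",     "access_end": None},
}

# Constructed sample access log (assumed format): timestamp, user, event.
ACCESS_LOG = """\
2024-06-10T08:02:11 jsmith LOGIN_SUCCESS
2024-03-01T09:15:42 mlee LOGIN_SUCCESS
2024-04-14T17:55:03 tjones LOGIN_SUCCESS
2024-05-20T12:00:00 intern01 LOGIN_SUCCESS
2024-06-01T10:30:00 ghost LOGIN_SUCCESS
"""

INACTIVITY_LIMIT = timedelta(days=90)  # "3 months" from the article, assumed as 90 days

def last_logins(log_text):
    """Return {user: most recent successful login datetime} from the log."""
    latest = {}
    for line in log_text.splitlines():
        ts, user, event = line.split()
        if event != "LOGIN_SUCCESS":
            continue
        when = datetime.fromisoformat(ts)
        if user not in latest or when > latest[user]:
            latest[user] = when
    return latest

def find_removals(roster, log_text, today):
    """Return {user: reason} for every account that should be deprovisioned."""
    logins = last_logins(log_text)
    flagged = {}
    for user, info in roster.items():
        if info["status"] != "active":
            flagged[user] = "terminated per HR"
        elif info["access_end"] is not None and info["access_end"] < today:
            flagged[user] = "past HR access-end date"
        elif user not in logins or today - logins[user].date() > INACTIVITY_LIMIT:
            flagged[user] = "no login in 90 days"
    # Accounts seen in the system but unknown to HR are orphans and need review too.
    for user in logins:
        if user not in roster:
            flagged[user] = "not on HR roster"
    return flagged

if __name__ == "__main__":
    for user, reason in sorted(find_removals(HR_ROSTER, ACCESS_LOG, date.today()).items()):
        print(f"{user}: {reason}")
```

Run on the monthly schedule the article suggests, the output is the list of accounts to hand to whoever provisions access.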
The most effective method is working closely with HR to know immediately when users leave. However, reviewing logs and establishing access termination dates can also help in mitigating the overall risk.