(ii) Implementation specifications:
(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
Tell Me More:
For the termination procedures implementation specification, covered entities and business associates should address implementing procedures for terminating access to electronic PHI when the employment of a workforce member ends or their role changes. Termination procedures are documented instructions, which include appropriate security measures, for the ending access to ePHI in the event of a workforce member’s termination of employment or change of job responsibilities.
Why? Termination procedures are relevant for any covered entity or business associate with employees, because of the risks associated with the potential for unauthorized acts by former employees, such as acts of retribution or use of proprietary information for personal gain.
The purpose of termination procedure documentation under this standard is not to detail when or under which circumstances a colleague should be terminated. This information would more appropriately be part of the entity’s sanction policy. The purpose of termination procedure documentation is to ensure that termination procedures include security-unique actions to be followed, for example, revoking passwords and retrieving keys when a termination or reassignment with different access privileges (for example from clinical to non-clinical, etc) occurs.
The purpose of termination procedures documentation is to ensure that the termination procedures include security-unique actions to be followed, for example, revoking passwords and retrieving keys when a termination occurs.
The final Security Rule is committed to the principle of technology neutrality due to the fact that rapidly changing technology makes it impractical and inappropriate to name a specific technology. Therefore, it is deemed much more appropriate for the final rule to state a general requirement for Workforce Security when necessary and depend on covered entities to specify technical details.
Best Practices, as well as the final Security Rule, include all workforce members despite their location. For instance, telecommuters must not be forgotten in the maintenance of current authorization and clearance lists.
Questions to consider:
- Is there a procedure to ensure all physical items (keys, tokens, or cards) that allow a terminated employee to access a property, building, or equipment are retrieved from that employee, preferably before termination?
- Is there a procedure for changing combinations of locking mechanisms, if appropriate, both on a recurring basis and when personnel knowledgeable of combinations no longer have a need to know or require access to the protected facility or system?
- Have all organizational assets assigned to the employee that have the capability of storing confidential data (e.g., laptop, PDA, flash drives, and cell phones) been retrieved prior to termination?
- Is physical eradication of a person’s access privileges performed in a timely manner?
- Are an individual’s access privileges (including remote access) to the information, services and resources for which they currently have clearance terminated or deleted in a timely manner?
- Is periodic auditing of the effectiveness of the process for disabling access performed?
- Are suspended accounts periodically monitored for activity or attempted activity?
- Are all processes as outlined above formally documented?
- Do additional processes need to be implemented?
- Is there a separate process and procedure for handling disgruntled or volatile terminations? If not, does there need to be?
- Is there a process and procedure for removing contractor/consultant access in a timely manner when their contract expires or is terminated?
A complete set of HIPAA Security Policies and Procedures may be purchased here.