One side effect of the COVID-19 pandemic is staffing shortages in medical practices and healthcare facilities. While telemedicine made access to care easier, the healthcare industry is largely reliant on in-person staff. Many healthcare workers were forced to decide whether they could return to the workforce, especially when they had dependent children or elderly parents at home.
Regardless of whether an employee of a medical practice or facility quits or is terminated, it is extremely important that covered entities and business associates prevent unauthorized access to protected health information (PHI). Last year, one city health department agreed to pay over $200,000 in fines to the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) after the health department failed to terminate a former employee’s access. The employee was able to access her old laptop with her still-active username and password, and downloaded PHI that included patient names, addresses, dates of birth and other PHI eight days after being terminated.
HHS offers the following tips to prevent unauthorized access to PHI by former workplace members:
- Have standard procedures of all action items to be completed when an individual leaves – these action items could be incorporated into a checklist. These should include notification to the IT department or a specific security individual of when an individual should no longer have access to PHI, when their duties change, they quit, or are fired.
- Consider using logs to document whenever access is granted (both physical and electronic), privileges increased, and equipment given to individuals. These logs can be used to document the termination of access and return of physical equipment.
- Consider having alerts in place to notify the proper department when an account has not been used for a specified number of days. These alerts may help identify accounts that should be permanently terminated.
- Terminate electronic and physical access as soon as possible.
- Deactivate or delete user accounts, including disabling or changing user IDs and passwords.
- Have appropriate audit procedures in place. Appropriate audit and review processes confirm that procedures are actually being implemented, are effective, and that individuals are not accessing PHI when they shouldn’t or after they leave.
- Address physical access and remote access by implementing procedures to:
- Take back all devices and items permitting access to facilities (like laptops, smartphones, removable media, ID badges, keys)
- Terminate physical access (for example, change combination locks, security codes)
- Effectively clear or purge PHI from personal devices and terminate access to PHI from such devices if personal devices are permitted to access or store PHI
- Terminate remote access capabilities
- Terminate access to remote applications, services, and websites such as accounts used to access third-party or cloud-based services
- Change the passwords of any administrative or privileged accounts (like admin, root, sa) that a former workforce member had access to.
For more questions, contact the LAMMICO Risk Management and Patient Safety Department at 504.841.5211.