Breaking Compliance News Blog

HIPAA Alert: How many former employees can access your PHI?

Posted by Margaret Scavotto, JD, CHC on 11/17/20 10:00 AM

Hopefully you can answer this question, with 100% certainty, with a single word: Zero.

But that’s often not the case.

Recently, the City of New Haven, CT, entered a $202,400 settlement with the OCR to resolve potential HIPAA Privacy and Security Rule violations.

The New Haven Health Department filed a breach report after “a former employee returned…eight days after being terminated, logged into her old computer with her still active user name and password, and downloaded PHI that included patient names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted diseases test results onto a USB drive.” This former employee also gave her user name and password to an intern.

MPA sees this scenario frequently – an employee leaves, access is not terminated in a timely manner, and the former employee continues to log in (typically out of curiosity).

As expected, the breach report prompted the OCR to investigate New Haven Health Department’s entire HIPAA compliance program (not just the issue reported). The OCR found that New Haven did not:

  • Conduct an enterprise-wide security risk analysis
  • Implement termination procedures
  • Implement access controls such as unique user identification
  • Implement HIPAA Privacy policies and procedures

What you can do:

  • Review your HIPAA Security Risk Analysis. Are termination procedures and access controls addressed? If this is a risk for you, identify steps you can take to mitigate it.
  • Conduct an audit. Select a few former employees and determine if their credentials were terminated within the proper timeframe.
  • Run reports. Using your EMR, run access/user reports. Is any user activity suspicious?
  • Avoid gaps. Who terminates access? What is your backup plan for days this person is out sick, on vacation, or taking FMLA? How will you ensure user access terminations are completed if the responsible person leaves the organization?
  • Coordinate. Termination of credentials must be coordinated with human resources procedures. Separations must be communicated immediately to the person or department responsible for credentials. This requires input from administration/management, human resources, and IT to determine the correct procedure for the timely removal of credentials.
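As an added illustration of the audit and report steps above (example code written for this post, not MPA's own tooling), the script below cross-checks a constructed HR separation list against the accounts still enabled in an identity system and against EMR-style access-log lines. It flags accounts not disabled by an assumed one-day deadline and any activity by a separated user after their last day; the usernames, dates and log lines are all constructed.

```python
from datetime import date, timedelta

# Constructed sample data (not taken from the post): HR separation records,
# the accounts still enabled in the identity system on the audit date, and
# a few EMR-style access-log lines.
SEPARATIONS = {              # username -> last day of employment
    "jdoe": date(2020, 10, 1),
    "asmith": date(2020, 10, 5),
    "bliu": date(2020, 10, 9),
}
ACTIVE_ACCOUNTS = {"jdoe", "bliu", "cwong"}
AUDIT_DATE = date(2020, 10, 12)
MAX_DISABLE_DAYS = 1         # assumed internal standard: disable within one day

ACCESS_LOG = """\
2020-10-02 08:14:03 LOGIN user=asmith workstation=WS-17
2020-10-09 17:40:11 LOGIN user=jdoe workstation=WS-04
2020-10-09 17:42:50 EXPORT user=jdoe records=212 target=USB
2020-10-12 09:01:22 LOGIN user=cwong workstation=WS-02
"""


def stale_accounts(separations, active, audit_date=AUDIT_DATE,
                   max_days=MAX_DISABLE_DAYS):
    """Separated users still enabled past the disable deadline, with days overdue."""
    stale = []
    for user, last_day in separations.items():
        deadline = last_day + timedelta(days=max_days)
        if user in active and audit_date > deadline:
            stale.append((user, (audit_date - deadline).days))
    return stale


def post_separation_activity(separations, log_text):
    """Log events by a separated user dated after their last day of employment."""
    hits = []
    for line in log_text.splitlines():
        day, _time, action, *pairs = line.split()
        attrs = dict(p.split("=", 1) for p in pairs)
        user = attrs.get("user")
        if user in separations:
            days_after = (date.fromisoformat(day) - separations[user]).days
            if days_after > 0:
                hits.append((user, action, day, days_after))
    return hits


if __name__ == "__main__":
    for user, overdue in stale_accounts(SEPARATIONS, ACTIVE_ACCOUNTS):
        print(f"STALE  {user}: still enabled {overdue} day(s) past deadline")
    for user, action, day, n in post_separation_activity(SEPARATIONS, ACCESS_LOG):
        print(f"ALERT  {user}: {action} on {day}, {n} day(s) after separation")
```

In a real audit the two inputs would come from the HR system export and the directory or EMR user report rather than inline constants.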

MPA can help

MPA makes HIPAA easier with HIPAA Toolkits, HIPAA Training, and HIPAA awareness flyers.


Topics: HIPAA, breach notification
