Every business owner or manager knows that hiring and firing employees comes with the territory. Terminating an employee is always a traumatic process, especially in a small practice, where everyone knows each other. Emotions run high and, depending on how the news is received, the whole experience can range from uncomfortable yet civil to outright antagonistic. One doesn’t know how a terminated employee will respond to the news. Ensuring the security and integrity of protected health information (PHI) is critical in such circumstances. Technology in and of itself is not the answer. It has to be supported with proper policies and procedures that work in concert to keep patient data secure. Having well-documented policies and procedures for employee termination (an employee exit strategy) is the first step. Training your employees to comply with the policy and enforcing it strictly will help protect PHI during such transitional periods.
Steps need to be taken immediately after an employee termination, some even before notifying the affected individual. If the employee chooses to leave the practice voluntarily, executing the steps of a well-outlined “employee exit strategy” will ensure a smooth departure. These basic steps will help a healthcare provider prevent patient data theft when an employee leaves the company or is terminated.
- Before the employee departs, collect all company-owned property such as laptops, cellphones, tablets, and ID badges, all relevant passwords/credential information used to log in to any of your systems, and any other company material such as handouts.
- Revoke all computer, system, network, and database access, as well as remote access privileges, for the former employee. Do not forget to disable building access card keys if you have provided them to the individual.
- Terminate access to the email, voicemail and text messaging systems for the former employee.
- Instruct all remaining doctors and staff to change their passwords. This ensures that passwords that might have been shared with the former employee, or that may have been stolen by a disgruntled employee, can no longer be used to gain access to your systems. Instruct your staff not to share passwords with anyone, and especially not to divulge them to former employees, even if they are good friends with the former employee.
- Depending on the former employee’s job/position, inform clients and important vendors that the employee is no longer employed at your practice and provide them with a new point of contact as needed.
- Set an automatic e-mail notification to alert senders that the employee is no longer employed at your organization. Make arrangements for how these accounts will be routed to ensure that your organization does not lose contact with patients and business associates.
- Monitor your systems for any unauthorized attempts to access your patient data.