Failure to revoke access to electronic protected health information (ePHI) for former employees is one of the potential causes of a data breach in healthcare organizations. Just recently Jacobi Medical Center (JMC) in NYC reported a data breach when they discovered that a former employee had accessed emails containing files of ePHI and sent these files to her personal email account. She also sent these files to the email account of her new employer, which is a New York City agency that works closely with her previous employer. According to the former employee, she accessed and sent the subject files to these email accounts in case she had to respond to questions in the future about her past work at JMC.
Even though this employee didn’t have a malicious purpose for her actions, it still constitutes a data breach. Luckily the healthcare organization had security programs that monitor and detect email communications containing ePHI, and so it was able to detect this data breach. That, however, does not excuse the fact that this former employee still had access to the corporate network days after her termination. In fact, her access privileges should have been revoked before she walked out the door on her last day. Ensuring the security of ePHI is critical in such circumstances. Technology in and of itself is not the answer. It has to be supported with proper policies and procedures that work in concert to keep patient data secure. Having well-documented policies and procedures for employee termination (an employee exit strategy) is the first step. Training your employees to comply with the policy and enforcing it strictly will help protect ePHI during such transitional periods. Implementing the following termination policies will help your healthcare organization prevent a data breach when an employee resigns or is terminated:
- Collect all company-owned property such as laptops, cellphones, tablets, ID badges, all relevant passwords/credential information used to log in to any of your systems, and any other company material such as handouts from the employee before departure.
- Revoke all computer, system, network and database access, as well as remote access privileges, for the former employee. Do not forget to disable building access card keys if you have provided them to the individual.
- Terminate access to the email, voicemail and text messaging systems for the former employee.
- Instruct all remaining staff to change their passwords. This is done to ensure that passwords that might have been shared with the former employee, or that may have been stolen by a disgruntled employee, can no longer be used to gain access to your systems. Instruct your staff not to share passwords with anyone and especially not to divulge them to former employees, even if they are good friends with the former employee.
- Depending on the former employee’s job/position, inform clients and important vendors that the employee is no longer employed at your organization and provide them with a new point of contact if needed.
- Set up an automatic e-mail notification to alert senders that the affected employee no longer works at your organization. Make arrangements for how these accounts will be routed to ensure that your organization will not lose contact with patients or important business associates.
- Monitor your systems for any unauthorized attempts to access your patient data.
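The two checks that would have caught the JMC case (an account still enabled after the last working day, and any login or outbound mail by that account after that day) can be automated against an HR termination roster and an authentication/mail log. The script below is an added example, not code from the original post; the roster, account-status table and log format are constructed for illustration and would have to be replaced with exports from your own HR and directory systems.

```python
from datetime import datetime, timedelta

# Constructed HR roster: username -> last working day (access should end that day).
TERMINATIONS = {"jdoe": "2015-10-02", "asmith": "2015-10-05"}

# Constructed directory export: current account state.
ACCOUNT_STATUS = {"jdoe": "enabled", "asmith": "disabled", "bwong": "enabled"}

# Constructed auth/mail log in key=value form (bwong is a current employee).
AUTH_LOG = """\
2015-10-01T09:12:03 user=jdoe action=login result=success src=10.1.4.22
2015-10-04T18:40:11 user=jdoe action=login result=success src=203.0.113.7
2015-10-04T18:42:50 user=jdoe action=send_mail result=delivered to=jdoe.home@example.com
2015-10-06T08:05:00 user=asmith action=login result=failure src=198.51.100.9
2015-10-06T08:30:00 user=bwong action=login result=success src=10.1.4.30
"""


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def audit(terminations, account_status, log_text):
    """Return findings as tuples: accounts not yet disabled, and any
    activity (successful or failed) after the user's last working day."""
    findings = []
    for user, last_day in terminations.items():
        if account_status.get(user) == "enabled":
            findings.append(("still_enabled", user, last_day))
    for line in log_text.splitlines():
        rec = parse_line(line)
        user = rec.get("user")
        if user not in terminations:
            continue  # current staff are out of scope for this check
        cutoff = datetime.fromisoformat(terminations[user]) + timedelta(days=1)
        if rec["ts"] >= cutoff:
            findings.append(("post_termination_activity", user,
                             rec["ts"].isoformat(), rec["action"], rec["result"]))
    return findings


if __name__ == "__main__":
    for finding in audit(TERMINATIONS, ACCOUNT_STATUS, AUTH_LOG):
        print(*finding)
```

Failed attempts against an already-disabled account are reported too, because they show the revocation is doing its job and that someone still tried.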