Confidentiality, Privacy and Security

Termination of Access...Thanks Esta Lynn

  • 1.  Termination of Access...Thanks Esta Lynn

    Posted 08-13-2020 09:47
    Esta Lynn posted a response which I think lends itself nicely to an informative compare and contrast on how people are managing this.

    The questions below are within the context that the person referred to was granted access to ePHI appropriately in the past.

    What is the timeframe (example: 24 hours, 2 business days) that an individual's access to ePHI is terminated:
    A. When the person leaves the organization voluntarily (examples: retirement, resignation, hitting the lottery)?
    B. When the person leaves the organization involuntarily (example: termination for cause)?

    Thanks!

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    Posted: 6:46 AM AZ time
    ------------------------------


  • 2.  RE: Termination of Access...Thanks Esta Lynn

    Posted 08-14-2020 08:27
    I like your train of thought on termination of access.   Termination for cause - the termination should be simultaneously with the termination.  That actually works pretty well in my organization.  The IT director takes care of it while the person is being terminated.

    Voluntary termination should be within 24 hours but since there is notice on these (unless they hit the lottery) there is no reason it can not be done on the last day of employment.

    Since you have made me thing about this - I think I will work with IT and HR to develop a quality improvement for collecting  the time it takes to terminate access and see where that takes us.

    Another interesting idea is to check access by BAA's and make sure the BAA does not have access to data prior to the signing of the BAA.

    ------------------------------
    Esta Farmer
    Director Health Information Management
    ------------------------------



  • 3.  RE: Termination of Access...Thanks Esta Lynn

    Posted 08-14-2020 10:27
    Edited by Frank Ruelas 08-14-2020 10:28
    I think you may find an audit an interesting exercise on checking termination timeframes in your policy to what may actually be happening...which may include some long gone employees still having their access in place.

    Good luck!



    Posted: 7:28 AM AZ time

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------