
HIPAA - Termination Procedures 164.308(a)(3)(ii)(C)

Overview:
Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) (workforce clearance procedure).


Action Items:
1) Obtain and review policies and procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends, or when a job description changes to require more or less access to ePHI. Evaluate the content in relation to the specified performance criteria. Elements to review may include but are not limited to:
- Recovery of access control devices (keys, badges, tokens) and deactivation of information system access upon termination of employment, including both voluntary and involuntary termination;
- Termination of access by an independent contractor or other business associate, if applicable;
- Appropriate changes in access levels and/or privileges pursuant to job description changes that necessitate more or less access to ePHI;
- Time frames within which access to ePHI must be terminated;
- Exit interviews that include a discussion of privacy and security topics regarding ePHI.
2) Obtain and review documentation demonstrating that workforce members' access to ePHI was terminated. Evaluate and determine whether access to ePHI was terminated in a timely manner and consistent with related policies and procedures.
3) Obtain and review documentation demonstrating changes in access levels for workforce members with ePHI access. Obtain and review documentation of the job duties of workforce members before and after the ePHI access level was changed. Evaluate and determine whether access levels were changed appropriately and in accordance with workforce member job duties.


Related Documents:
1) Policies and procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends, or when a job description changes to require more or less access to ePHI.
2) Documentation demonstrating that workforce members' access to ePHI was terminated.
3) Documentation demonstrating changes in access levels for workforce members with ePHI access.
4) Documentation of the job duties of workforce members before and after ePHI access level was changed.


Additional Guidance:
Termination procedures must be implemented to remove access privileges when an employee, contractor, or other individual previously entitled to access information is no longer entitled to it. Whether the employee leaves the organization voluntarily or involuntarily, procedures to terminate access must be in place.


The same process that is implemented for termination should also be used to change access levels if an employee's job description changes to require more or less access to ePHI. The procedures should also be scaled to the complexity of the organization and the sophistication of its information systems.
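The auditor's checks in action items 2 and 3 (was access removed on time, and does each remaining account's access still match the person's job duties) can be run mechanically by reconciling the HR system's record of terminations and role changes against an export of the identity provider's accounts. The following is an added example written for this page, not HHS audit-protocol code or any vendor's tooling. The HR roster format, the IAM export format, the role-to-entitlement map, the 24-hour deprovisioning time frame and all sample records are assumptions constructed for illustration.

```python
"""Reconcile HR termination and role-change records against an IAM account export.

Added example for this page (not HHS or vendor code). Row formats, the
role-to-entitlement map, the 24-hour deprovisioning SLA and the sample
records below are all constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

DEPROVISION_SLA = timedelta(hours=24)  # assumed policy time frame

# Assumed mapping of job role -> ePHI entitlements that role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr_read", "ehr_write"},
    "billing": {"ehr_read", "claims"},
    "it_support": set(),
}


def parse_ts(value):
    """Parse an ISO-8601 timestamp string as UTC; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def reconcile(hr_rows, iam_rows, now):
    """Return (user, finding_type, detail) tuples for every discrepancy found."""
    accounts = {row["user"]: row for row in iam_rows}
    findings = []
    for person in hr_rows:
        user = person["user"]
        acct = accounts.get(user)
        if acct is None:
            continue  # nothing to deprovision for someone with no account
        if person["status"] == "terminated":
            term_at = parse_ts(person["terminated_at"])
            if acct["enabled"]:
                overdue = now - term_at
                findings.append((user, "ACTIVE_AFTER_TERMINATION",
                                 f"still enabled {overdue.days}d after termination"))
            else:
                lag = parse_ts(acct["disabled_at"]) - term_at
                if lag > DEPROVISION_SLA:
                    findings.append((user, "LATE_DEPROVISION",
                                     f"disabled {lag.total_seconds() / 3600:.0f}h after termination"))
        else:
            # Active worker: entitlements must not exceed what the current role allows.
            allowed = ROLE_ENTITLEMENTS.get(person["role"], set())
            excess = sorted(set(acct["entitlements"]) - allowed)
            if excess:
                findings.append((user, "EXCESS_ENTITLEMENT",
                                 f"role {person['role']} does not permit {excess}"))
    # Enabled accounts with no HR record at all (contractors, forgotten test users).
    known = {p["user"] for p in hr_rows}
    for user in sorted(set(accounts) - known):
        if accounts[user]["enabled"]:
            findings.append((user, "ORPHAN_ACCOUNT", "enabled account with no HR record"))
    return findings


# Constructed sample data: dave moved from nurse to it_support but kept EHR rights.
HR_ROSTER = [
    {"user": "alice", "role": "nurse", "status": "active", "terminated_at": None},
    {"user": "bob", "role": "billing", "status": "terminated", "terminated_at": "2024-03-01T09:00:00"},
    {"user": "carol", "role": "nurse", "status": "terminated", "terminated_at": "2024-03-02T17:00:00"},
    {"user": "dave", "role": "it_support", "status": "active", "terminated_at": None},
]
IAM_EXPORT = [
    {"user": "alice", "enabled": True, "entitlements": ["ehr_read", "ehr_write"], "disabled_at": None},
    {"user": "bob", "enabled": True, "entitlements": ["ehr_read", "claims"], "disabled_at": None},
    {"user": "carol", "enabled": False, "entitlements": ["ehr_read", "ehr_write"], "disabled_at": "2024-03-04T09:00:00"},
    {"user": "dave", "enabled": True, "entitlements": ["ehr_read", "ehr_write"], "disabled_at": None},
    {"user": "erin", "enabled": True, "entitlements": ["ehr_read"], "disabled_at": None},
]


def run_example():
    """Run the reconciliation over the constructed sample at a fixed audit time."""
    now = datetime(2024, 3, 10, tzinfo=timezone.utc)
    return reconcile(HR_ROSTER, IAM_EXPORT, now)


if __name__ == "__main__":
    for user, kind, detail in run_example():
        print(f"{kind:24} {user:8} {detail}")
```

The output is the evidence an auditor asks for in action items 2 and 3: each finding names the account, which control failed, and by how much. The orphan check is deliberate: an account the HR system does not know about can never be caught by a termination workflow, so it has to be surfaced separately.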


Sample questions for covered entities to consider:
- Do the termination policies and procedures assign responsibility for removing information system and/or physical access?
- Do the policies and procedures include timely communication of termination actions to ensure that the termination procedures are appropriately followed?