The November Office for Civil Rights (OCR) Cybersecurity Newsletter provided guidance on HIPAA compliance and issues regarding insider threats and requirements for procedures used when an employee leaves the organization.

In the newsletter, the OCR reminded covered entities and business associates that data breaches can be caused by current and former employees.  Additionally, the OCR stated that access management policies and controls are important aspects of HIPAA compliance and can reduce the risk of a breach.  Access management policies and procedures can include ensuring that access is terminated when an employee leaves the organization, and regular reviews of current access to confirm that access has been revoked properly.  Regular reviews can also reveal accounts that are inactive; covered entities and business associates should then determine whether that access is still necessary for business purposes.

The OCR also reminded covered entities and business associates that physical access should be revoked when termination occurs.  This might include changing combination locks and security codes, requiring employees to return keys or ID badges, and removing terminated employees from access lists.

Finally, the OCR provided a list of tips to help prevent unauthorized access to PHI by former employees.  Those tips include having documented procedures for all actions that should be completed when an employee leaves the organization.  There should be a checklist of all termination and access-revoking actions.

Another tip is to create alerts in specific systems to notify managers when an account has not been used to access the system within a certain number of days.  This would enable management to determine whether that access should be revoked.
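As an added illustration of the access reviews and inactivity alerts described above (example code written for this summary, not from the OCR newsletter), the following script compares a constructed list of accounts against employment status and last-login dates and flags two conditions: enabled accounts whose owners are no longer employed, and accounts of current staff with no login in the review window. The field names, the sample accounts and the 60-day threshold are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample data (not from the OCR newsletter). In practice "enabled"
# and "last_login" would come from the directory or application, and
# "employed" from the HR system.
ACCOUNTS = [
    {"user": "alice", "employed": True,  "enabled": True,  "last_login": date(2023, 11, 20)},
    {"user": "bob",   "employed": False, "enabled": True,  "last_login": date(2023, 11, 18)},
    {"user": "carol", "employed": True,  "enabled": True,  "last_login": date(2023, 8, 1)},
    {"user": "dave",  "employed": True,  "enabled": True,  "last_login": None},
    {"user": "erin",  "employed": False, "enabled": False, "last_login": date(2023, 9, 5)},
]

# Date on which the review is run (constructed for the example).
REVIEW_DATE = date(2023, 11, 30)


def review_access(accounts, today, inactive_days=60):
    """Classify accounts for a periodic access review.

    Returns a dict with two lists of user names:
      "revoke"  - enabled accounts of people no longer employed, i.e. the
                  termination checklist was not completed
      "dormant" - enabled accounts of current staff with no login within
                  inactive_days (or no login at all); the manager should
                  confirm the access is still needed for business purposes
    """
    cutoff = today - timedelta(days=inactive_days)
    revoke, dormant = [], []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to flag
        if not acct["employed"]:
            revoke.append(acct["user"])
        elif acct["last_login"] is None or acct["last_login"] < cutoff:
            dormant.append(acct["user"])
    return {"revoke": revoke, "dormant": dormant}


if __name__ == "__main__":
    result = review_access(ACCOUNTS, REVIEW_DATE)
    for user in result["revoke"]:
        print(f"REVOKE:  {user} is no longer employed but the account is enabled")
    for user in result["dormant"]:
        print(f"DORMANT: {user} has no login in the last 60 days; confirm need")
```

The same "dormant" list is what an automated alert to managers would be built from; the "revoke" list is the check that the termination checklist was actually carried out.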

A third tip is changing passwords to administrative and privileged accounts when an employee with that access is terminated.  This can help protect the organization from a malicious actor creating rogue accounts that may go unnoticed until a review is conducted.

For more information and tips that were provided, you can read the full newsletter here.

If you would like to learn about other policies, procedures, and controls you can implement to help protect your organization from rogue access, join HIPAAgps today.