OCR Warns Health Care Industry of Risks with Previous Employees

Robinson+Cole Data Privacy + Security Insider

In its November newsletter, the Office for Civil Rights (OCR) made a great point that we are seeing in the industry—the risks associated with previous employees. According to its newsletter, entitled “Insider Threats and Termination Procedures,” the OCR states “Data breaches caused by current and former workforce members are a recurring issue across many industries, including the healthcare industry.” We can confirm this is true.

The OCR further states that when an employee is terminated or quits, “it is extremely important that covered entities and business associates prevent unauthorized access to protected health information (PHI)…”

The OCR provides “tips” for health care entities to prevent unauthorized access to PHI by former employees. Here they are:

  1. Develop a checklist of standard procedures to complete when an employee leaves, including notifying the IT department or security personnel of their departure.
  2. Use logs to document when access to PHI is granted or changed.
  3. Terminate electronic and physical access to PHI as soon as possible.
  4. Consider using alerts to notify appropriate departments of actions to take when an account has not been used for a number of days, which will help identify accounts that should be permanently terminated.
  5. De-activate or delete user accounts of former employees, including disabling or changing their user IDs and passwords.
  6. Implement audit and review procedures to catch access to PHI after an employee leaves.
  7. Implement procedures regarding physical and remote access to PHI, including taking back devices, changing security codes for physical and electronic access and clearing PHI from personal devices, and terminate all remote access.
  8. Change the passwords of administrative or privileged accounts that a former employee had access to.
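As an added illustration of two of the tips above, the dormant-account alert and the post-departure access audit, the script below flags PHI access events dated after a workforce member's last working day and lists accounts with no login for a set number of days. It is example code written for this post, not code from OCR or from the original article, and the log format, user IDs and dates are constructed sample data.

```python
from datetime import date, datetime, timedelta
# Constructed HR feed: user ID -> last working day (all access should end that day).
TERMINATIONS = {
    "jdoe": date(2024, 3, 15),
    "asmith": date(2024, 2, 1),
}

# Constructed PHI access log: ISO timestamp, user ID, action, record touched.
ACCESS_LOG = """\
2024-03-14T09:12:03 jdoe VIEW patient/1001
2024-03-16T22:41:10 jdoe EXPORT patient/1001
2024-03-20T08:00:00 mlee VIEW patient/2002
2024-03-22T13:05:44 asmith VIEW patient/3003
"""

# Constructed IAM export: user ID -> date of last successful login.
LAST_LOGIN = {
    "jdoe": date(2024, 3, 16),
    "mlee": date(2024, 3, 20),
    "rkim": date(2023, 12, 1),
    "svc_backup": date(2024, 1, 10),
}
AS_OF = date(2024, 3, 31)  # date the review is run

def parse_log(text):
    """Yield (timestamp, user, action, resource) for each log line."""
    for line in text.splitlines():
        ts, user, action, resource = line.split()
        yield datetime.fromisoformat(ts), user, action, resource

def post_termination_access(log_text, terminations):
    """Return PHI events by a terminated user dated after their last working day."""
    hits = []
    for ts, user, action, resource in parse_log(log_text):
        last_day = terminations.get(user)
        if last_day is not None and ts.date() > last_day:
            hits.append((user, ts.isoformat(), action, resource))
    return hits

def dormant_accounts(last_login, as_of, max_idle_days=30):
    """Return user IDs with no login for more than max_idle_days (candidates to disable)."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u, seen in last_login.items() if seen < cutoff)

if __name__ == "__main__":
    for hit in post_termination_access(ACCESS_LOG, TERMINATIONS):
        print("ALERT post-termination PHI access:", hit)
    for user in dormant_accounts(LAST_LOGIN, AS_OF, 30):
        print("REVIEW dormant account:", user)
```

Note that the dormant-account check alone would not catch jdoe, whose account was still logging in the day after termination; the two checks are meant to run together.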

Covered entities and business associates may want to consider OCR's guidance when it is issued: it gives the healthcare industry insight into the issues OCR is examining and the actions OCR considers appropriate for covered entities and business associates to take in response to those issues.

To access the OCR newsletter, click here.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
