Act Now — Every Minute Counts
Failing to revoke access for a terminated employee is one of the most common — and most preventable — HIPAA security failures. Whether this was discovered hours or weeks after the termination, your immediate priority is the same: cut off access now and determine whether any unauthorized activity occurred.
Step 1: Revoke All Access Immediately
Work through every system the former employee had access to. If the organization has an identity provider, start there and then continue down the list: systems with their own local accounts, shared credentials, or long-lived tokens are not touched by an identity-provider disable.
- SSO / Identity provider — Disable the account at the identity provider, which cascades to every app that authenticates through it, and also revoke the user's active sessions and refresh tokens, since disabling an account does not always end sessions that were already issued
- EHR / Practice Management System — Disable the user account; do not delete it until the audit log review is complete, because deleting a user can remove that account's audit history in some systems
- Email account — Disable sign-in and reset the password, revoke mobile device sync and any app passwords or OAuth tokens, and set up auto-forwarding or an out-of-office message if needed for business continuity
- VPN / remote access — Remove the user from VPN profiles, revoke client certificates, and disconnect any active tunnel
- Cloud services — Google Workspace, Microsoft 365, Dropbox, Box — suspend the account or remove it from the organization, revoke active sessions, and check for files or folders shared to the person's personal accounts
- Shared passwords or codes — Change alarm codes, shared Wi-Fi passwords, shared login credentials, and any API keys or service-account secrets the employee knew
- Physical access — Deactivate key cards, change locks if keys weren't returned, remove from building access systems
- Vendor portals — Any third-party systems the employee accessed on behalf of the organization, including accounts the vendor manages rather than your SSO
Step 2: Review Audit Logs
Once access is revoked, pull audit logs from every system on the list above, covering the weeks before the termination date (to catch preparatory activity such as mass downloads) through today. Look for:
- Any logins by the former employee after their termination date
- Unusual access patterns (off-hours logins, bulk record downloads, accessing records not related to their role)
- Data exports, downloads, or emails sent to personal addresses
- Changes made to patient records after termination
Document your audit log review with screenshots and timestamps, and also export and preserve the raw log records with a note of who pulled them and when; if the matter becomes a breach investigation, the raw records are what you will need. If you find evidence of post-termination access to PHI, escalate immediately: under the HIPAA Breach Notification Rule an impermissible access is presumed to be a breach unless your risk assessment demonstrates a low probability that the PHI was compromised, so treat it as a breach and begin the full breach response. A login from the former employee's account after termination counts even if it later turns out that someone else was using their credentials.
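One way to run the review above over an exported log, as an added example that is not part of the original page. The pipe-delimited export format, the business-hours window, the bulk-export threshold, the internal mail domain and the "jdoe" records are all constructed assumptions; adapt the parser to what your EHR, email and identity-provider exports actually contain.

```python
"""Audit-log review after a late access revocation.

Added example (not from the original page). It assumes a constructed
pipe-delimited export, `timestamp|user|action|key=value,...`; real EHR,
email and IdP exports have their own schemas, so adapt parse_line().
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export for a former employee "jdoe"; not real data.
SAMPLE_LOG = """\
2024-03-01T09:12:00|jdoe|LOGIN|ip=10.0.0.14
2024-03-01T09:30:00|jdoe|VIEW_RECORD|patient=1001
2024-03-08T17:55:00|jdoe|EXPORT|records=450
2024-03-08T18:02:00|jdoe|EMAIL_SENT|to=jdoe.personal@gmail.com
2024-03-12T02:14:00|jdoe|LOGIN|ip=203.0.113.7
2024-03-12T02:20:00|jdoe|VIEW_RECORD|patient=1042
2024-03-12T02:25:00|jdoe|UPDATE_RECORD|patient=1042
2024-03-13T10:00:00|asmith|LOGIN|ip=10.0.0.21
"""

TERMINATED_AT = datetime(2024, 3, 9)     # constructed: jdoe's termination date
BUSINESS_HOURS = (7, 19)                 # assumption: 07:00-19:00 local, Mon-Fri
BULK_THRESHOLD = 100                     # assumption: records per export worth flagging
INTERNAL_DOMAINS = {"clinic.example"}    # assumption: the organization's own mail domains
PHI_ACTIONS = {"VIEW_RECORD", "UPDATE_RECORD", "EXPORT"}


def parse_line(line):
    ts, user, action, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split(",") if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def classify(event, terminated_at):
    """Tag one event with the warning signs Step 2 asks you to look for."""
    tags = []
    post = event["ts"] >= terminated_at
    if post and event["action"] == "LOGIN":
        tags.append("POST_TERMINATION_LOGIN")
    if post and event["action"] in PHI_ACTIONS:
        tags.append("POST_TERMINATION_PHI_ACCESS")
    if post and event["action"] == "UPDATE_RECORD":
        tags.append("POST_TERMINATION_RECORD_CHANGE")
    hour, weekday = event["ts"].hour, event["ts"].weekday()
    if hour < BUSINESS_HOURS[0] or hour >= BUSINESS_HOURS[1] or weekday >= 5:
        tags.append("OFF_HOURS")
    if event["action"] == "EXPORT" and int(event.get("records", 0)) >= BULK_THRESHOLD:
        tags.append("BULK_EXPORT")
    if event["action"] == "EMAIL_SENT":
        domain = event.get("to", "").rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            tags.append("EMAIL_TO_EXTERNAL_ADDRESS")
    return tags


def review(events, user, terminated_at, lookback_days=30):
    """Flagged events for `user` from `lookback_days` before termination onward.

    The lookback catches pre-termination signs of intent (mass downloads,
    mail to personal addresses). Anything after `terminated_at` is by
    definition unauthorized, whether the former employee or someone reusing
    their credentials performed it.
    """
    start = terminated_at - timedelta(days=lookback_days)
    flagged = []
    for e in events:
        if e["user"] != user or e["ts"] < start:
            continue
        tags = classify(e, terminated_at)
        if tags:
            flagged.append((tags, e))
    return flagged


def summarize(flagged):
    return Counter(tag for tags, _ in flagged for tag in tags)


def post_termination_access_found(flagged):
    return any(t.startswith("POST_TERMINATION") for tags, _ in flagged for t in tags)


if __name__ == "__main__":
    flagged = review(parse_log(SAMPLE_LOG), "jdoe", TERMINATED_AT)
    for tags, e in flagged:
        print(e["ts"].isoformat(), e["action"], ",".join(tags))
    print(dict(summarize(flagged)))
    print("escalate as presumed breach:", post_termination_access_found(flagged))
```

Run it against the real export for each system separately (EHR, email, VPN, IdP), keep the flagged lines alongside the raw export in the incident record, and treat any `POST_TERMINATION_*` tag as the trigger for Step 3's breach risk assessment rather than as something to explain away.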
Step 3: Conduct a Breach Risk Assessment
Even if audit logs show no post-termination activity, document a formal risk assessment. The Breach Notification Rule's four factors (the nature and extent of the PHI involved, who could have accessed it, whether PHI was actually acquired or viewed, and the extent to which the risk has been mitigated) should each be answered by the points below:
- How long the gap in access revocation was
- What PHI the former employee could have accessed
- Whether any activity occurred (based on log review)
- The former employee's role and reason for termination (voluntary vs. involuntary; amicable vs. contentious)
- Whether the individual had taken any actions that suggest intent (e.g., mass downloads before termination)
Step 4: Document Everything
Create a written record of:
- The employee's termination date
- The date access was discovered to still be active
- The date and time all access was revoked (list each system)
- Results of the audit log review
- Risk assessment findings and conclusions
- Whether this is being treated as a breach or a near-miss
Step 5: Fix the Process
This incident happened because your offboarding process failed. Implement these safeguards:
- Offboarding checklist — Create a written checklist of every system that needs access revoked, signed by IT and HR
- Same-day revocation policy — All access must be revoked on the employee's last day, before they leave the building; for involuntary terminations, have IT disable accounts while the termination meeting is taking place rather than afterwards
- Identity provider SSO — Centralizing access through a single identity provider means disabling one account revokes access to all connected apps simultaneously; keep an inventory of the systems that are not behind SSO (vendor portals, legacy modules with local logins, shared credentials) so the checklist still covers them
- Quarterly access review — Audit all active user accounts, including service and shared accounts, against the current HR roster quarterly, in every system on the offboarding checklist and not only in the identity provider
- Automated offboarding — Make the HR system the source of truth: integrate it with your identity provider (for example through SCIM or the provider's HR connector) so that recording a termination triggers deprovisioning automatically, and alert on any account that is still enabled after its recorded termination date
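The quarterly access review, and the "account still enabled past its termination date" check that an HR-to-IdP integration should alert on, as an added example that is not part of the original page. The HR roster, the identity-provider export, the non-SSO EHR user list and the field names are constructed assumptions standing in for exports from your HRIS, IdP admin console and EHR admin tools.

```python
"""Quarterly access review: reconcile enabled accounts with the HR roster.

Added example, not from the original page. The HR roster, the identity
provider (IdP) export and the EHR's local user list are constructed
stand-ins; in practice they come from your HRIS, IdP admin console and
EHR admin tools. Field names are assumptions.
"""
from datetime import date

REVIEW_DATE = date(2024, 4, 1)  # constructed date of this review

# Constructed HR roster: employee_id -> (status, termination_date or None)
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("terminated", date(2024, 2, 15)),
    "E102": ("terminated", date(2024, 3, 9)),
    "E103": ("active", None),
}

# Constructed IdP export: username -> (employee_id, enabled)
IDP_ACCOUNTS = {
    "asmith":     ("E100", True),
    "bjones":     ("E101", False),  # disabled at the IdP on time
    "jdoe":       ("E102", True),   # terminated weeks ago, still enabled
    "clee":       ("E103", True),
    "svc-backup": (None, True),     # service account with no HR record
}

# Constructed local user list from a system that is NOT behind SSO.
# Disabling bjones at the IdP never reached this system.
EHR_LOCAL_ACCOUNTS = {
    "asmith": ("E100", True),
    "bjones": ("E101", True),
    "jdoe":   ("E102", True),
}


def review_system(system, accounts, roster, today):
    """Return one finding per enabled account that should not be enabled."""
    findings = []
    for username, (emp_id, enabled) in accounts.items():
        if not enabled:
            continue
        if emp_id is None or emp_id not in roster:
            # Orphan: nobody in HR owns it. Service accounts need a named
            # owner and their own review; anything else is a leftover.
            findings.append({"system": system, "user": username,
                             "issue": "NO_HR_RECORD", "gap_days": None})
            continue
        status, term_date = roster[emp_id]
        if status == "terminated":
            findings.append({"system": system, "user": username,
                             "issue": "ENABLED_AFTER_TERMINATION",
                             "gap_days": (today - term_date).days})
    return findings


def quarterly_review(today=REVIEW_DATE):
    """Run the reconciliation over every system on the offboarding checklist."""
    systems = {"idp": IDP_ACCOUNTS, "ehr": EHR_LOCAL_ACCOUNTS}
    findings = []
    for name, accounts in systems.items():
        findings.extend(review_system(name, accounts, HR_ROSTER, today))
    return findings


def revocation_worklist(findings):
    """Terminated-but-enabled accounts, longest gap first: these get fixed today."""
    late = [f for f in findings if f["issue"] == "ENABLED_AFTER_TERMINATION"]
    return sorted(late, key=lambda f: f["gap_days"], reverse=True)


if __name__ == "__main__":
    results = quarterly_review()
    for f in revocation_worklist(results):
        print(f"{f['system']:<4} {f['user']:<12} enabled {f['gap_days']} days past termination")
    for f in results:
        if f["issue"] == "NO_HR_RECORD":
            print(f"{f['system']:<4} {f['user']:<12} has no HR record: assign an owner or disable")
```

The same comparison, run daily instead of quarterly against the HR feed, is the alert the automated-offboarding integration should raise: any `ENABLED_AFTER_TERMINATION` finding with a gap of more than zero days means the deprovisioning hook did not fire or did not reach that system.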