HIPAA and Staff Terminations — Managing Access to Prevent Breaches

01:00 PM ET | 10:00 AM PT | 12:00 PM CT Duration 90 Minutes

Webinar includes: all training handouts, a certificate, Q&A, and the 90-minute live webinar

"Presented By Top HIPAA Expert Jim Sheldon-Dean (Founder and director of compliance services at Lewis Creek Systems, LLC)"

Today, staff in medical offices have access to a number of systems that may be used for the access and management of Protected Health Information. There may be a patient management system that may or may not be integrated with an EHR, an e-mail system, access to file systems, access to government sites and health insurer sites, and access to other agencies’ and facilities’ systems. When a staff member starts, access may be set up for a few, obvious systems, such as e-mail, files, and the EHR, but access can grow over time and access to outside Web sites provided by others is necessary in many disciplines. After a while, a staff member may have access to far more than the e-mail, some files, and the EHR.

What happens when that staff member leaves the organization? Today there are usually processes for turning off access within the organization for departing staff, but access to outside sites is often forgotten and may be left open. Depending on the system, staff may be able to access Protected Health Information even after they no longer work in your office, leading to privacy and security issues and breaches.

Terminating staff access is no longer a simple process; it requires a coordinated effort between managers, staff, and HR to ensure that all access that should be terminated is, indeed, properly terminated.  Mishandling staff access can lead to privacy violations, enforcement investigations, and financial penalties.  The time to get your access control procedures under control is now.

HIPAA regulations require that organizations have strict controls on access to electronic Protected Health Information, to ensure that only authorized persons have access and that access is terminated when no longer needed. The HIPAA Security Rule has Physical, Technical, and Administrative safeguard requirements that call for having the technology and processes in place to properly establish access and maintain it.

HR processes usually initiate and document the initial provision of access to systems within the office, such as networks, e-mail, servers, and the EHR.  These systems are also the easiest to terminate access to, since they are controlled by the organization, and in general, a reverse process can be used for disabling access for termination.

Learning Objectives

At the conclusion of the session, participants will be able to:

1. Understand the rules surrounding access controls and their management under HIPAA.
2. Know what ways access management controls can be improved to ensure access for terminated staff is properly terminated.
3. Learn how staff, managers, HR, and IT can work together to improve access controls and the privacy of patient information.
4. Know how to establish an improved access control process that can help prevent privacy and security issues.

Why you should attend

Other entities may maintain other systems, such as state Web sites for Medicaid, or insurer Web sites, that your staff needs to access.  Often, access for these sites is arranged by the manager or program director of the staff person, but there may not be a good process for making sure this access is turned off upon a termination of employment.  Depending on the system, access might still be possible from another workstation if the ID and password for the terminated staff are not blocked.

These external services, and other internal services that may not be managed centrally within your organization, are at risk for access being left open if a plan is not developed for managing that access.  

The enabling of access must be tracked in a database (or similar tool) so that it is possible to always know who has access to which sites, and which sites need to be contacted to terminate access upon a staff termination.  The use of this tool must be integrated into the actions of managers and HR alike so that they can work together to make sure unnecessary access is disabled, and privacy and security violations are avoided.
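As an added illustration (not from the webinar or its presenter) of the tracking tool described above, the following Python sketch keeps a register of access grants, splits a departing employee's open grants into what IT can disable and what a manager must ask an outside site to disable, and flags access still open after a termination date. All users, systems and dates are constructed sample data.

```python
# Added example: a minimal access register for deprovisioning on staff termination.
# Users, systems, owners and dates below are constructed, not real.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class AccessGrant:
    user: str
    system: str
    external: bool           # True: run by an outside entity; IT cannot disable it
    owner: str               # manager/director who arranged the access
    granted: date
    revoked: Optional[date] = None


# Constructed sample register (hypothetical staff and systems).
REGISTER: List[AccessGrant] = [
    AccessGrant("jdoe", "EHR", False, "IT", date(2021, 3, 1)),
    AccessGrant("jdoe", "email", False, "IT", date(2021, 3, 1)),
    AccessGrant("jdoe", "state-medicaid-portal", True, "billing-director", date(2021, 9, 15)),
    AccessGrant("jdoe", "insurer-portal", True, "billing-director", date(2022, 1, 10)),
    AccessGrant("asmith", "EHR", False, "IT", date(2020, 6, 1)),
]


def termination_checklist(register: List[AccessGrant], user: str) -> Dict[str, List[str]]:
    """Group a departing user's open grants by who must act: IT disables internal
    accounts; the owner must contact each external site to have the ID blocked."""
    checklist: Dict[str, List[str]] = {"it_disable": [], "contact_external": []}
    for g in register:
        if g.user == user and g.revoked is None:
            key = "contact_external" if g.external else "it_disable"
            checklist[key].append(f"{g.system} (owner: {g.owner})")
    return checklist


def stale_access(register: List[AccessGrant], terminations: Dict[str, date],
                 as_of: date) -> List[AccessGrant]:
    """Periodic review: grants still open for staff whose termination date has passed.
    This is the gap the text warns about, typically external sites nobody contacted."""
    return [g for g in register
            if g.revoked is None
            and g.user in terminations
            and terminations[g.user] <= as_of]


def revoke(register: List[AccessGrant], user: str, system: str, when: date) -> bool:
    """Record that access was disabled; returns False if no open grant matched."""
    for g in register:
        if g.user == user and g.system == system and g.revoked is None:
            g.revoked = when
            return True
    return False
```

Running `stale_access` on a schedule, after IT has done its part, surfaces exactly the external portals whose owners still need to follow up.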

Overall, access management and HR processes need to move into the 21st Century, so that access management methods are relevant and effective as security tools in the modern age of communication.

Areas Covered

• Learn about the HIPAA requirements for access controls and management.
• Learn about the HIPAA requirements for properly managing termination of access and conducting regular reviews to ensure access is terminated.
• Find out how the usual internal HR and IT processes may (or may not) work well for some systems, but some systems may be beyond their knowledge or control.
• Learn how access can be utilized following a staff termination to damage or illegally access records.
• Find out about processes that can be instituted to track and manage accesses that are not directly controlled by IT.
• Learn about the HIPAA enforcement penalties that can apply in the event of a breach of Protected Health Information.

Who will Benefit

Attendees should include Compliance Officers, Privacy and Security Officers, and leadership and staff in health information management, information security, and patient relations, as well as staff in patient intake and front-line patient relations and any others that are involved in, interested in, or responsible for, patient communications, information management, and privacy and security of Protected Health Information under HIPAA, including:
• Compliance director
• CEO
• CFO
• Privacy Officer
• Security Officer
• Information Systems Manager
• HIPAA Officer
• Chief Information Officer

Industries who can attend

This 90-minute online course is intended for professionals in the Healthcare Industry.

Speaker Profile

Jim Sheldon-Dean

Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities. 

Sheldon-Dean serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the WEDI 2011 Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference in Washington, D.C. 

Sheldon-Dean has more than 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.
