When an Employee Leaves Your Practice

May 1, 2009
Jonathan McCallister

Whether a staff departure is amicable or not, it’s vital to formalize and document a process for removing an exiting employee’s IT access.


We all know employees leave for reasons ranging from mild to wild. Whether it is a sudden and unexpected termination of a long-time employee due to a disciplinary action or a new employee who just stopped showing up, maintaining a documented procedure for every employee’s separation is paramount to protecting your practice, no matter the size of your organization.

As the line between friends and coworkers continues to blur, you might think it irrelevant, unnecessary, or even insulting to formalize an employee separation process. Sometimes remaining staff, or the one who is separating, may feel offended if you call your IT support team to disable an e-mail account before the employee is out the door. While office administrators often have few reservations when the employee was terminated for cause, or wasn’t popular in social circles at the office, consistent action on all departing staffers will serve you well in the long run.

Who knows what?

It is often surprising the number of practices that are simply unaware of what their employees have access to. Companies continue to expand their use of Web-based management tools to access their bank accounts, credit cards, hospital credentialing systems, carrier enrollment and contracting systems, EMR solutions, cell phone bills, and any number of other business-critical systems. These systems contain data you would never consider sharing with someone outside of your staff, so why do you have heartburn about taking away access to these systems from an employee when she leaves your practice? The answer is you shouldn’t. You have a responsibility to your practice and your patients to remove a separating employee’s access to these and all of your systems. It is not a matter of like or dislike, or trust or distrust. It is a simple matter of security.

What if?

Example Case 1: You have an EMR system with remote access for your staff and providers to work from home when needed. A longtime employee separates on happy terms to retire. You are in no hurry to disable her remote access account to the EMR, months pass, and it slips your mind. The username, password, and Web site address she used to access your EMR is still taped to the bottom of her old home computer keyboard and is sold at her yard sale to someone you don’t know. What is the risk to your practice? What are the risks to your patients’ private records? What if that departed employee who you perceived to be nonthreatening becomes disgruntled by her severance package, and starts snooping through the medical records of the rest of your staff, digging for dirt?

Example Case 2: In this era of identity theft, sometimes security restrictions can be a double-edged sword. What if you fire your office’s accounts payable clerk for cause, and the termination is less than pleasant? Did he hold the only login to your practice’s Web site because he volunteered to help develop your Web presence as a side job? When you contact your Web host, do they tell you they will only discuss the account with your separated employee, because he is the only authorized user? What if that separated employee disables your site, or worse, defaces it? Your Web site could be held hostage by your ex-clerk, and you could be in real trouble.

Fix it before it happens

Now that we have you on the edge of prudent paranoia, let’s fix this problem before it happens.

  • Assemble a list of all internal systems your company controls access to. This includes your practice management system, EMR, accounting and payroll packages, network, and e-mail systems to name a few. Have all of your department managers help you develop the list, to ensure you identify every system.

  • Assemble a list of all external systems your company accesses via the Web, or via other secure means. Again, brainstorm with every department to assemble this list. You might be surprised to find that if your maintenance staffer quits, no one could log in to schedule your next inspection of your heating and cooling system.

  • Create a “user-access checklist,” which includes a checklist of all of the systems you have collected above, a place for “employee name,” “hire date,” and “termination date.”

  • When you have a new hire, create a copy of the checklist and put her name on it. Record every system you provide access to for this new hire. File the completed checklist in her personnel file.

  • When you provide additional access, or remove access for an employee, update the checklist in her personnel file. During annual reviews, ask the employee whether she still needs access to each system. Perhaps an employee has changed departments and no longer requires access to a system. Change the access, and update her user-access checklist.

  • When an employee separates, pull out the user-access checklist from their file. Immediately deactivate all internal accounts and contact all external parties to disable all access to external systems.

  • Ensure you have at least two separate authorized employee users on every account for all of your external systems, which could include anything from the online bill payment system for the electric bill to the username and password for your company credit card’s Web site. This ensures that if one of them leaves, the external company will still talk to the other authorized employee for whom you also set up an account.

  • Keep these records stored and formally maintained. Often, these records are maintained by accounting departments, HR departments, IT, or a central office administrator.
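The checklist above can be kept as a small register rather than a paper form, so that a separation produces the deactivation list automatically and the "two authorized users on every external account" rule is checked before anyone leaves. The following is an added example written for this article, not a tool the author or Physicians Practice provides; the system names, employees, dates and contact labels are constructed sample data, and the internal/external split is the one the article draws.

```python
"""Minimal user-access register for the offboarding checklist described above.

Added example, not from the original article. Systems, employees, dates and
contacts below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class System:
    """One entry in the inventory built in the first two steps."""
    name: str
    external: bool                   # hosted by an outside party (bank, Web host, carrier portal)
    contact: Optional[str] = None    # who to call to disable an external account


@dataclass
class Employee:
    """The user-access checklist kept in one employee's personnel file."""
    name: str
    hire_date: date
    termination_date: Optional[date] = None
    access: Set[str] = field(default_factory=set)   # systems currently granted

    @property
    def active(self) -> bool:
        return self.termination_date is None


class AccessRegister:
    def __init__(self, systems: List[System]):
        self.systems: Dict[str, System] = {s.name: s for s in systems}
        self.employees: Dict[str, Employee] = {}

    def hire(self, name: str, hire_date: date) -> Employee:
        emp = Employee(name, hire_date)
        self.employees[name] = emp
        return emp

    def grant(self, name: str, system: str) -> None:
        # Refuse to record access to a system that is not in the inventory;
        # an unlisted system is exactly the "who knows what?" gap.
        if system not in self.systems:
            raise KeyError(f"unknown system {system!r}; add it to the inventory first")
        self.employees[name].access.add(system)

    def revoke(self, name: str, system: str) -> None:
        self.employees[name].access.discard(system)

    def holders(self, system: str) -> List[str]:
        """Active employees who currently hold an account on `system`."""
        return sorted(e.name for e in self.employees.values()
                      if e.active and system in e.access)

    def single_owner_externals(self) -> List[str]:
        """External systems with fewer than two active authorized users."""
        return sorted(s.name for s in self.systems.values()
                      if s.external and len(self.holders(s.name)) < 2)

    def separate(self, name: str, when: date) -> Dict[str, list]:
        """Produce the separation checklist, then record the termination."""
        emp = self.employees[name]
        if not emp.active:
            raise ValueError(f"{name} was already separated on {emp.termination_date}")
        report: Dict[str, list] = {"deactivate_internal": [], "notify_external": [], "lockout_risk": []}
        for sysname in sorted(emp.access):
            system = self.systems[sysname]
            if not system.external:
                report["deactivate_internal"].append(sysname)
                continue
            report["notify_external"].append((sysname, system.contact))
            # Example Case 2: the departing employee is the only authorized user,
            # so the outside party may refuse to talk to anyone else. Flag it
            # before the account is touched.
            if self.holders(sysname) == [name]:
                report["lockout_risk"].append(sysname)
        emp.termination_date = when
        emp.access.clear()
        return report


def build_sample_register() -> AccessRegister:
    """Constructed sample data; every name here is invented for this example."""
    reg = AccessRegister([
        System("EMR", external=False),
        System("Payroll", external=False),
        System("Bank portal", external=True, contact="bank relationship manager"),
        System("Web host", external=True, contact="hosting support line"),
        System("HVAC vendor portal", external=True, contact="vendor account rep"),
    ])
    reg.hire("Alice", date(2001, 3, 5))
    reg.hire("Bob", date(2008, 9, 1))
    reg.hire("Carol", date(2005, 6, 14))
    grants = {"Alice": ["EMR", "Payroll", "Bank portal"],
              "Bob": ["EMR", "Web host"],
              "Carol": ["EMR", "Bank portal"]}
    for emp, systems in grants.items():
        for s in systems:
            reg.grant(emp, s)
    return reg


def run_sample() -> Tuple[AccessRegister, List[str], Dict[str, list]]:
    """Check the two-user rule, then offboard Bob (constructed scenario)."""
    reg = build_sample_register()
    gaps = reg.single_owner_externals()
    report = reg.separate("Bob", date(2009, 5, 1))
    return reg, gaps, report


if __name__ == "__main__":
    reg, gaps, report = run_sample()
    print("external accounts with fewer than two users:", gaps)
    print("offboarding Bob:", report)
```

Run the audit (`single_owner_externals`) as part of the annual review step, not only at separation: in the sample data it flags the Web host before Bob leaves, which is the moment the second authorized user can still be added with his cooperation.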

If you follow a consistent procedure and maintain solid records of employee access, you can protect yourself from many problems. Remind your staff that carrying out these steps promptly and consistently is not a reflection on the separated employee, and it is not a matter of distrust. It is a matter of respecting the integrity of your data systems and ensuring you have been vigilant in protecting them.

Jonathan McCallister is a client-site IT manager for a major healthcare consulting firm, and he is currently assigned to a 140-physician practice. He has worked in healthcare IT management since 1999 and in general IT management since 1995. He can be reached via physicianspractice@cmpmedica.com.

This article originally appeared in the May 2009 issue of Physicians Practice.