Whether a staff departure is amicable or not, it’s vital to formalize and document a process for removing an exiting employee’s IT access.
We all know employees leave for reasons ranging from mild to wild. Whether it is a sudden and unexpected termination of a long-time employee due to a disciplinary action or a new employee who just stopped showing up, maintaining a documented procedure for every employee’s separation is paramount to protecting your practice, no matter the size of your organization.
As the line between friends and coworkers continues to blur, you might think it irrelevant, unnecessary, or even insulting to formalize an employee separation process. Sometimes remaining staff, or the one who is separating, may feel offended if you call your IT support team to disable an e-mail account before the employee is out the door. While office administrators often have few reservations when the employee was terminated for cause, or wasn’t popular in social circles at the office, consistent action on all departing staffers will serve you well in the long run.
Who knows what?
It is often surprising the number of practices that are simply unaware of what their employees have access to. Companies continue to expand their use of Web-based management tools to access their bank accounts, credit cards, hospital credentialing systems, carrier enrollment and contracting systems, EMR solutions, cell phone bills, and any number of other business-critical systems. These systems contain data you would never consider sharing with someone outside of your staff, so why do you have heartburn about taking away access to these systems from an employee when she leaves your practice? The answer is you shouldn’t. You have a responsibility to your practice and your patients to remove a separating employee’s access to these and all of your systems. It is not a matter of like or dislike, or trust or distrust. It is a simple matter of security.
Example Case 1: You have an EMR system with remote access for your staff and providers to work from home when needed. A longtime employee separates on happy terms to retire. You are in no hurry to disable her remote access account to the EMR, months pass, and it slips your mind. The username, password, and Web site address she used to access your EMR are still taped to the bottom of her old home computer keyboard, which is sold at her yard sale to someone you don’t know. What is the risk to your practice? What are the risks to your patients’ private records? What if that departed employee, whom you perceived to be nonthreatening, becomes disgruntled by her severance package and starts snooping through the medical records of the rest of your staff, digging for dirt?
Example Case 2: In this era of identity theft, sometimes security restrictions can be a double-edged sword. What if you fire your office’s accounts payable clerk for cause, and the termination is less than pleasant? Did he have the only login to your company’s Web site because he volunteered to help develop your Web presence as a side job? When you contact your Web host, do they tell you they will only talk to your separated employee about the account, because he’s the only authorized user? What if a separated employee disables your site, or worse, defaces it? Your Web site could be held hostage by your ex-clerk, and you could be in real trouble.
Fix it before it happens
Now that we have you on the edge of prudent paranoia, let’s fix this problem before it happens.
If you follow a consistent procedure and maintain solid records of employee access, you can protect yourself from many problems. Remind your staff that carrying out these steps promptly and consistently is not a reflection on the separated employee, and it is not a matter of distrust. It is a matter of respecting the integrity of your data systems and ensuring you have been vigilant in protecting them.
Jonathan McCallister is a client-site IT manager for a major healthcare consulting firm, and he is currently assigned to a 140-physician practice. He has worked in healthcare IT management since 1999 and in general IT management since 1995. He can be reached via email@example.com.
This article originally appeared in the May 2009 issue of Physicians Practice.