Avoid the Trap: Giving Ex-Employees Access to PHI

Your medical office staff understands the imperative of safeguarding personal health information (PHI) and wouldn’t let strangers roam about the facilities freely. But it’s easy for them to lower their guard when a former employee comes back to the practice, e.g., to pick up a final paycheck or just make a social call.
Ex-employees are a common and virulent privacy threat, even when they leave on good terms. Many practices have learned this truth the hard way after PHI was compromised by a former employee returning to the scene.

While ex-employees may look like a familiar face rather than a data security threat, they pose serious privacy risks precisely because they are so familiar. Their familiarity literally opens doors that are firmly closed to strangers. Moreover, their familiarity with your practice and its physical facilities, computers and IT systems empowers them to quickly and easily access the PHI you keep. Just allowing the person to walk to an ex-colleague’s work station without escort may be ample opportunity to compromise thousands of records.

The solution? Treat ex-employees like strangers. Chances are, your medical office policies already exclude all ex-employees from accessing PHI, including those who had full access when they were employed by your practice. But it’s also important to remind reception and other public-facing staff of this policy, lest they get lulled into a false sense of security or simply feel embarrassed having to keep an old colleague away from PHI like some kind of common outsider. For these reasons, it’s important to have an official policy stating where ex-employees may be in the office, and to explain that policy to your staff face-to-face. This way employees – and possible future ex-employees – all have the same understanding.