In our experience, employers generally have procedures in place that ensure immediate termination of access to the employer’s network and computer systems when an employee’s employment ends, and that termination almost always happens right away. But while you may be thinking, “yes, this is our procedure,” do you have audit controls in place to verify that the access has actually been terminated? If not, you should put some in place right away, especially if you are a covered entity under HIPAA. And remember, not only health care providers are covered entities: self-funded health plans are also covered entities and are subject to the HIPAA privacy and security rules.
This week HHS announced a settlement that reinforces the need to have audit controls in place. The settlement that HHS entered into with Memorial Healthcare Systems (MHS) was for 5.5 million dollars … yes, you read that right, I said 5.5 million dollars. MHS had HIPAA policies and procedures that required termination of access when an employee was terminated or no longer needed access to PHI and also required audit of its practices. However, it didn’t actually implement its procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by HIPAA. In this situation, the login credentials of a former employee had been used to access the electronic protected health information maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Further, HHS found that MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.
This settlement announcement should remind employers that maintain self-funded health plans not only to terminate employees’ access to protected health information as soon as the employee is terminated, but also to have a system in place to review whether this is actually happening in practice. Further, we have found that while employers are generally quick to terminate access to their own computer systems, some are not quite as diligent about terminating a former employee’s access to coverage on their vendors’ websites. For many employers, the majority of the protected health information to which they have access is maintained on the website of their administrative services organization or third-party administrator. We recommend reviewing not only your written HIPAA policies to ensure that this is addressed, but also making sure that you have operational procedures in place to ensure access is terminated not only to your own systems but also to those of your vendors.
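One way to implement the audit control described above, as an added example that is not from the original post or from HHS or MHS: reconcile the HR termination feed against enabled accounts and login records on both in-house systems and the vendor (TPA) portal, and flag anything that survived termination. All system names, employee ids, dates and records below are constructed sample data.

```python
"""Access-termination audit: reconcile HR terminations against account
inventories and login activity for in-house systems and vendor portals.
All data below is constructed sample data for illustration."""
from datetime import date

# Constructed HR feed: employee id -> termination date (None = still employed)
HR_RECORDS = {
    "e100": date(2011, 3, 31),   # terminated
    "e101": None,                # active employee
    "e102": date(2012, 1, 15),   # terminated
}

# Constructed account inventory: (system, employee id, account enabled?)
ACCOUNTS = [
    ("ehr",        "e100", True),   # still enabled after termination
    ("ehr",        "e101", True),   # active employee, fine
    ("ehr",        "e999", True),   # orphan: not in HR feed at all
    ("tpa_portal", "e100", False),  # correctly disabled
    ("tpa_portal", "e102", True),   # vendor portal never disabled
]

# Constructed login activity: (system, employee id, login date)
LOGINS = [
    ("ehr",        "e100", date(2011, 4, 5)),   # after termination
    ("ehr",        "e101", date(2011, 4, 5)),   # active employee
    ("tpa_portal", "e102", date(2012, 1, 10)),  # before termination, fine
    ("tpa_portal", "e102", date(2012, 2, 2)),   # after termination
]

def stale_accounts(hr, accounts):
    """Enabled accounts whose owner is terminated or unknown to HR."""
    return sorted((system, emp) for system, emp, enabled in accounts
                  if enabled and (emp not in hr or hr[emp] is not None))

def post_termination_logins(hr, logins):
    """Logins dated after the user's termination date (ISO date strings)."""
    return sorted((system, emp, when.isoformat()) for system, emp, when in logins
                  if hr.get(emp) is not None and when > hr[emp])

def audit(hr, accounts, logins):
    """Both finding lists; run this on every HR feed refresh, not yearly."""
    return {"stale_accounts": stale_accounts(hr, accounts),
            "post_termination_logins": post_termination_logins(hr, logins)}

if __name__ == "__main__":
    for kind, findings in audit(HR_RECORDS, ACCOUNTS, LOGINS).items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```

Feeding the same reconciliation the vendor portal’s user export, rather than only your own directory, is what catches the case the post describes, where internal access is cut off but the TPA website login lives on.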