Terminated Employee Still Has EHR Access: Immediate Steps to Contain the Risk

You just discovered that an employee who was terminated — days, weeks, or possibly months ago — still has active login credentials to your EHR system. Maybe IT flagged a login from an account that should have been disabled. Maybe the former employee accessed their own records, or worse, accessed other patients’ records. Maybe you realized during a routine audit that the account was never deactivated. However you found out, this is a serious HIPAA Security Rule deficiency that requires immediate action and may trigger breach notification obligations.

Immediate Containment: Do This Now

Before you do anything else, disable the terminated employee’s access to every system that contains PHI. This means the EHR, the practice management system, email, remote access tools (VPN, remote desktop), cloud storage, patient portals, billing systems, and any other platform where they could access protected health information. Change shared passwords for any systems where the former employee knew a shared credential. If your practice uses shared logins (which is itself a HIPAA deficiency you need to address), change those passwords immediately.

Do not simply “lock” the account — disable it completely so no authentication is possible. Document the exact date and time of each account deactivation. This timestamp becomes critical evidence in any subsequent breach analysis.

Audit Log Review

Pull the complete audit trail for the terminated employee’s account from the date of termination through the date of deactivation. Under 45 CFR 164.312(b), the HIPAA Security Rule requires covered entities to implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Your EHR should log every login, every record accessed, every record modified, and every export or print request.

Review the logs for any access that occurred after the termination date. Determine how many times the former employee logged in, which patient records were accessed, whether any records were modified, exported, printed, or downloaded, and whether the access pattern suggests targeted snooping or incidental access (such as checking their own records).

If the audit logs show no post-termination access, document that finding. It significantly simplifies your breach analysis. If there was access, preserve the logs as evidence — you will need them for the breach determination and potentially for disciplinary or legal action against the former employee.

Breach Risk Assessment

If the former employee accessed patient records after termination, you must conduct a breach risk assessment under 45 CFR 164.402. Apply the four factors: what PHI was involved, who accessed it, whether it was actually acquired or viewed, and what mitigation has been performed. A former employee who accessed records after termination had no legitimate work reason for the access — it was unauthorized by definition. The question is whether the unauthorized access rises to the level of a reportable breach.

If the former employee only logged in but did not access specific patient records (perhaps the system dashboard loaded automatically), the risk may be low. If they accessed specific records — especially records of patients who were not their own patients during employment — the probability of compromise is high and breach notification is likely required.

Addressing the Systemic Failure

The fact that a terminated employee retained EHR access indicates a breakdown in your workforce offboarding process. Under 45 CFR 164.308(a)(3)(ii)(C), the HIPAA Security Rule requires covered entities to implement procedures for terminating access to ePHI when a workforce member’s employment ends. This is not a suggestion — it is a required implementation specification.

Build or rebuild your offboarding checklist to include immediate deactivation of EHR access (same day as termination, before the employee leaves the building if possible), deactivation of email and all other system accounts, retrieval of physical access credentials (keys, badges, key fobs), retrieval or remote wipe of practice-owned devices, change of shared passwords the employee knew, removal from directory listings and on-call schedules, documentation of the completed offboarding process with dates and responsible party signatures.

The Security Rule Requirements You Need to Review

This incident likely exposes multiple Security Rule deficiencies beyond the access termination failure. Review your compliance with these specific standards:

• Access authorization (45 CFR 164.312(a)(1)): Are user accounts provisioned with role-appropriate access from the start, or does everyone get the same access level?
• Unique user identification (45 CFR 164.312(a)(2)(i)): Does every workforce member have a unique login, or are shared accounts in use? Shared accounts make it impossible to determine who accessed what after the fact.
• Automatic logoff (45 CFR 164.312(a)(2)(iii)): Do systems automatically terminate sessions after a period of inactivity?
• Audit controls (45 CFR 164.312(b)): Are audit logs actually being reviewed, or do they exist only in theory?

Conduct a focused security risk assessment of your access management processes. Document the findings and the remediation steps. This documentation becomes critical if OCR investigates — it demonstrates that you identified the gap and took corrective action.

Legal Considerations

If a former employee accessed patient records after termination, consult with legal counsel about potential civil and criminal liability. Under 42 USC 1320d-6, knowing unauthorized access to PHI can carry criminal penalties. If the former employee accessed records of specific individuals (an ex-spouse, a rival, a public figure), the intentional nature strengthens the case for criminal referral. You may also have civil claims against the former employee for unauthorized access to your systems.

Document everything meticulously. If this matter escalates to an OCR investigation or a patient complaint, your documentation of the discovery, investigation, containment, and remediation demonstrates the good-faith response that influences how OCR approaches enforcement.

Communicating with Affected Patients

If breach notification is required, your notification to affected patients should explain what happened (in plain language), what information was involved, what you are doing about it, and what the patient can do to protect themselves. Be direct and factual. Patients who discover that a former employee had ongoing access to their records will be understandably concerned. A transparent, prompt notification builds more trust than a delayed or evasive one.

Prevention is always less expensive than remediation. Integrate access termination into your HIPAA compliance checklist and verify quarterly that your active user accounts match your current workforce roster. A five-minute quarterly reconciliation can prevent a crisis that consumes weeks of staff time, legal fees, and patient trust.