The Quiet Risk Hiding in Your HR Process
Onboarding a new employee gets attention. There is paperwork to sign, training to assign, an EHR account to provision, a workstation to set up. Offboarding, by contrast, often gets handled in pieces over weeks. The employee turns in their badge, IT gets around to disabling the email account, someone eventually remembers to remove them from the EHR — and somewhere in that gap, an active credential belonging to a former employee continues to authenticate against systems holding patient data.
OCR breach reports tell the story plainly: a meaningful share of insider-related incidents involve former employees whose access was never fully revoked. The technical control failed because the process never ran to completion.
Why 24 Hours Is the Right Target
There is no specific HIPAA regulation that says “revoke access within 24 hours.” What the Security Rule does say is that you must implement procedures for terminating access “as soon as the employment ends or the access is no longer required.” In practice, OCR investigators and auditors expect to see same-day or next-business-day revocation. Anything longer needs a written explanation.
A 24-hour standard also matches the operational reality: most legitimate post-employment access requests (forwarding a final email, exporting a personal file) can be completed within that window with help from a current employee. Keeping access live beyond that point starts to look like convenience overriding security.
The Offboarding Checklist
The checklist below covers the bases for a typical mid-size healthcare practice. Print it, put it in your offboarding runbook, and require sign-off on every item.
Hour 0 to Hour 1 (immediate)
- Disable the user's EHR account — do not delete, disable. You may need the audit history.
- Disable the user's email account and revoke active sessions.
- Revoke VPN and remote-access credentials.
- Revoke MFA tokens and recovery codes; remove the user from any push-MFA application.
- Disable the user's HIPAA Security Suite account or change their role to a no-access state.
Hour 1 to Hour 24
- Rotate any shared credentials the user had access to. Yes, this is painful. Do it anyway — that is what makes shared credentials risky in the first place.
- Revoke access to every SaaS tool on your inventory: practice management, billing, scheduling, secure messaging, document storage, training portals.
- Recover and reimage practice-owned devices — laptops, phones, tablets.
- Remove the user from physical access systems: key cards, alarm codes, smart locks.
- Update phone trees, on-call rotations, and patient-facing directories.
- Remove the user from any vendor portals where they were the named contact, and notify those vendors of the new contact.
Within the First Week
- Audit the user's access history for the prior 30 days. Look for unusual export volumes, after-hours access, or access to records outside their scope.
- Document the offboarding completion in the user's HR file with dates and the name of the staff member who performed each step.
- Confirm with managers that the workload reassignment is complete and no one is sharing a former employee's logins as a workaround.
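The 30-day access-history audit above can be scripted rather than eyeballed. The following is an added example, not code from the article, HIPAA Security Suite, or any EHR vendor: it assumes a pipe-delimited audit export (timestamp, user, action, patient id, department), a 07:00 to 19:00 weekday business window, and a per-day export threshold. The log lines are constructed, and the departing user's termination time is a constructed value. It flags the three things the checklist names: after-hours access, unusual export volume, and records outside the user's scope.

```python
"""Review a departing user's EHR access history for the prior 30 days.

Added example, not code from the article or from any EHR vendor. The
pipe-delimited log format, the business-hours window and the export
threshold are assumptions chosen for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)   # assumed: 07:00-19:00 on weekdays counts as normal hours
EXPORT_THRESHOLD = 3       # assumed: more than this many exports in one day is unusual

# Constructed sample audit lines: timestamp|user|action|patient_id|department
SAMPLE_LOG = """\
2024-05-02T09:14:00|jdoe|VIEW|P1001|cardiology
2024-05-02T09:20:00|jdoe|VIEW|P1002|cardiology
2024-05-03T22:41:00|jdoe|VIEW|P1003|cardiology
2024-05-04T09:00:00|jdoe|VIEW|P1008|cardiology
2024-05-06T10:05:00|jdoe|EXPORT|P1004|cardiology
2024-05-06T10:06:00|jdoe|EXPORT|P1005|cardiology
2024-05-06T10:07:00|jdoe|EXPORT|P1006|cardiology
2024-05-06T10:08:00|jdoe|EXPORT|P1007|cardiology
2024-05-07T11:30:00|jdoe|VIEW|P2001|oncology
2024-04-01T12:00:00|jdoe|EXPORT|P0001|cardiology
2024-05-07T11:30:00|asmith|VIEW|P2002|oncology
"""

DEPARTURE = datetime(2024, 5, 10, 17, 0)   # constructed termination time


def parse_log(text):
    """Turn pipe-delimited audit lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient_id, dept = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient_id, "dept": dept})
    return events


def is_after_hours(ts):
    """Weekend, or a weekday timestamp outside the business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def audit_user(events, user, scope_departments, window_end, window_days=30):
    """Findings for one user over the window ending at window_end.

    scope_departments: departments the user was entitled to work in; anything
    else is reported as out-of-scope access.
    """
    window_start = window_end - timedelta(days=window_days)
    mine = [e for e in events
            if e["user"] == user and window_start <= e["ts"] <= window_end]
    exports_per_day = Counter(e["ts"].date() for e in mine if e["action"] == "EXPORT")
    return {
        "events_reviewed": len(mine),
        "after_hours": [e for e in mine if is_after_hours(e["ts"])],
        "export_spikes": {d: n for d, n in exports_per_day.items() if n > EXPORT_THRESHOLD},
        "out_of_scope": [e for e in mine if e["dept"] not in scope_departments],
    }


def sample_findings():
    """Run the audit over the constructed log for the departing user."""
    return audit_user(parse_log(SAMPLE_LOG), "jdoe", {"cardiology"}, DEPARTURE)


if __name__ == "__main__":
    findings = sample_findings()
    print(f"events reviewed: {findings['events_reviewed']}")
    for e in findings["after_hours"]:
        print(f"after-hours: {e['ts']} {e['action']} {e['patient']}")
    for day, n in findings["export_spikes"].items():
        print(f"export spike: {n} exports on {day}")
    for e in findings["out_of_scope"]:
        print(f"out of scope: {e['ts']} {e['dept']} {e['patient']}")
```

The thresholds are deliberately simple; what matters is that the audit produces a written list of findings (or an explicit "nothing found") that goes into the HR file, rather than a verbal "looked fine". For a contentious departure, call the same function with `window_days=90`.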
Special Cases That Trip Practices Up
The departing manager or admin
When a Company Admin leaves, an additional layer applies: they may have had the ability to grant access to others, configure security settings, or accept BAAs. Review the audit trail of administrative actions for the prior 90 days and confirm that the new admin understands the configuration that was inherited.
The contractor or locum
Short-term staff are the easiest to forget. Set an access expiration date when the account is created — not a calendar reminder, an actual hard expiration enforced by the system. If the contractor stays longer, renew it; if they leave on schedule, access ends automatically.
The amicable departure
Long-tenured employees often leave on good terms, and there is a temptation to leave their accounts active “just in case we need to reach them.” Resist it. The risk is not malice — it is that an unattended credential is just as exploitable as a hostile one.
The disgruntled departure
If you have any reason to believe the departure is contentious, accelerate the timeline. Revocation should be done before the termination conversation, not after, and the audit review of prior-30-day activity should be expanded to 90 days.
What to Document
For each offboarding, your file should capture:
- Date and time of departure.
- The full list of systems the user had access to (this is why you maintain a current access matrix).
- Date, time, and operator for each revocation step.
- Outcome of the access-history audit.
- Confirmation that practice-owned devices were recovered and reimaged.
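The checklist's three windows and the documentation list above can be combined into one record that checks itself. The following is an added example, not code from the article or from HIPAA Security Suite: the step names and the deadlines (1, 24 and 168 hours after departure) are assumptions that mirror the checklist's sections, and the completion record is constructed. Each completed step carries the date, time and operator the article says to capture; any step without that evidence shows up as a gap.

```python
"""Check an offboarding record against the checklist's three time windows.

Added example, not code from the article or from HIPAA Security Suite. The
step names and the hour deadlines (1, 24 and 168 hours after departure)
are assumptions that mirror the checklist's sections.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hours after departure by which each step must be done and recorded (assumed names).
STEP_DEADLINES = {
    "disable_ehr": 1, "disable_email": 1, "revoke_vpn": 1, "revoke_mfa": 1,
    "rotate_shared_credentials": 24, "revoke_saas": 24,
    "reimage_devices": 24, "remove_physical_access": 24,
    "audit_access_history": 168, "file_hr_record": 168,
}


@dataclass(frozen=True)
class Completion:
    """One revocation step: what was done, when, and by whom."""
    step: str
    when: datetime
    operator: str


def offboarding_status(departure, completions, now):
    """Per-step status: done, late, overdue (deadline passed, not done) or pending."""
    done = {}
    for c in completions:
        if c.step not in STEP_DEADLINES:
            raise ValueError(f"unknown offboarding step: {c.step}")
        if not c.operator.strip():
            raise ValueError(f"step {c.step} recorded without an operator name")
        done[c.step] = c
    report = {}
    for step, hours in STEP_DEADLINES.items():
        deadline = departure + timedelta(hours=hours)
        if step in done:
            c = done[step]
            report[step] = ("done" if c.when <= deadline else "late", c.operator, c.when)
        else:
            report[step] = ("overdue" if now > deadline else "pending", None, None)
    return report


def evidence_complete(report):
    """True only when every step has a timestamp and operator on file."""
    return all(status in ("done", "late") for status, _, _ in report.values())


def open_gaps(report):
    """Steps still missing evidence, overdue ones first."""
    return sorted((s for s, (st, _, _) in report.items() if st in ("overdue", "pending")),
                  key=lambda s: (report[s][0] != "overdue", s))


# Constructed record for one departure.
DEPARTURE = datetime(2024, 5, 10, 17, 0)
SAMPLE_COMPLETIONS = [
    Completion("disable_ehr", datetime(2024, 5, 10, 17, 10), "it.oncall"),
    Completion("disable_email", datetime(2024, 5, 10, 17, 12), "it.oncall"),
    Completion("revoke_vpn", datetime(2024, 5, 10, 17, 15), "it.oncall"),
    Completion("revoke_mfa", datetime(2024, 5, 10, 19, 30), "it.oncall"),   # past the 1-hour mark
    Completion("revoke_saas", datetime(2024, 5, 11, 9, 0), "practice.admin"),
]
AS_OF = datetime(2024, 5, 12, 9, 0)


def sample_report():
    """Status of the constructed record as of AS_OF."""
    return offboarding_status(DEPARTURE, SAMPLE_COMPLETIONS, AS_OF)


if __name__ == "__main__":
    report = sample_report()
    for step, (status, operator, when) in report.items():
        print(f"{step:28} {status:8} {operator or '-':16} {when or ''}")
    print("evidence complete:", evidence_complete(report))
    print("open gaps:", open_gaps(report))
```

A "late" entry is still evidence; it is the written explanation the article says any revocation beyond 24 hours needs. An "overdue" entry is the gap an OCR investigator would find, so the report is worth running daily until `evidence_complete` returns true.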
If OCR asks how you handle terminations — and increasingly they do — you want to produce a populated checklist, not a verbal description of intent.
Where Tooling Helps
Manual offboarding does not scale and does not produce reliable evidence. Practices that rely on a single person remembering every system are practices that have offboarding gaps. A few high-leverage controls:
- An access matrix that lists every system, who has access, and at what level — updated whenever access changes, not annually.
- A user-management workflow (such as the one in HIPAA Security Suite) where disabling a user produces a timestamped audit record automatically.
- SSO wherever possible, so that revoking one identity revokes downstream access to many systems.
- Periodic reconciliation: at least quarterly, compare your active-employee roster to the active-account list in every major system. Investigate the deltas.
The Manager Role and Offboarding
If you have delegated user management to a Manager in HIPAA Security Suite, make sure the offboarding runbook explicitly names them as the responsible party for the steps within their scope — and that the Company Admin retains responsibility for the steps that fall outside it (billing portals, BAA signatory updates, sub-tenant configurations). Delegation without role clarity is worse than no delegation.
Closing the Loop
The single most useful thing you can do this month is run the reconciliation: pull the active-employee list from HR, pull the active-account list from each major system, and compare. If you find an account belonging to someone who left six months ago, do not panic — document it, disable it, audit its recent activity, and add a calendar item to do this reconciliation every quarter going forward. That single discipline closes more breach paths than any new tool you could buy.
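The reconciliation described here and in the tooling list above is a small script once you have the two exports. The following is an added example, not code from the article or from HIPAA Security Suite: the HR roster and per-system account lists are constructed, identity is matched on the lower-cased login e-mail (an assumption; your systems may key on employee id instead), and the 24-hour target is the article's. It reports every enabled account that does not belong to a currently active employee, separating long-orphaned accounts from ones whose owner left in the last 24 hours and accounts with no HR record at all.

```python
"""Quarterly reconciliation: HR roster versus the enabled accounts in each system.

Added example, not code from the article or from HIPAA Security Suite. The
roster and account exports are constructed, identity is matched on lower-cased
login e-mail (an assumption), and the 24-hour target is the article's.
"""
from datetime import datetime, timedelta

REVOCATION_SLA = timedelta(hours=24)

# Constructed HR roster: login e-mail -> (status, termination time or None)
HR_ROSTER = {
    "ana.ruiz@example-clinic.test": ("active", None),
    "ben.lee@example-clinic.test": ("terminated", datetime(2023, 11, 15, 17, 0)),
    "cara.ng@example-clinic.test": ("terminated", datetime(2024, 5, 9, 12, 0)),
}

# Constructed per-system exports: system -> [(login, enabled)]
ACCOUNTS = {
    "ehr": [("Ana.Ruiz@example-clinic.test", True),
            ("ben.lee@example-clinic.test", True),
            ("cara.ng@example-clinic.test", False)],
    "billing": [("ana.ruiz@example-clinic.test", True),
                ("cara.ng@example-clinic.test", True),
                ("locum.temp@example-clinic.test", True)],
}

AS_OF = datetime(2024, 5, 10, 9, 0)   # constructed reconciliation time


def normalize(login):
    """Match identities case-insensitively; exports rarely agree on casing."""
    return login.strip().lower()


def reconcile(roster, accounts, now):
    """Return (system, login, category, detail) for every enabled account that
    does not belong to a currently active employee."""
    findings = []
    for system, entries in accounts.items():
        for login, enabled in entries:
            if not enabled:
                continue            # disabled accounts keep their audit history; that is fine
            key = normalize(login)
            if key not in roster:
                findings.append((system, key, "unknown_identity",
                                 "no HR record; confirm owner or disable"))
                continue
            status, terminated = roster[key]
            if status == "active":
                continue
            age = now - terminated
            if age > REVOCATION_SLA:
                findings.append((system, key, "overdue",
                                 f"still enabled {age.days} days after termination"))
            else:
                findings.append((system, key, "within_sla",
                                 "terminated in the last 24 hours; revoke today"))
    return findings


def sample_findings():
    """Reconcile the constructed roster against the constructed exports."""
    return reconcile(HR_ROSTER, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for system, login, category, detail in sample_findings():
        print(f"[{category}] {system}: {login} - {detail}")
```

Each "overdue" line is the six-months-ago account the article describes: document it, disable it, run the access-history audit on it, and keep the output as the record that the quarterly reconciliation happened. "unknown_identity" hits are usually contractors or shared service accounts that never made it onto the access matrix, which is a second gap worth closing.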
Call to Action
See how HIPAA Security Suite's user management and audit trail can make offboarding evidence-ready — one disabled user, one timestamped record, one less gap in your compliance posture.