HIPAA Employee Termination Checklist: Protecting PHI When Staff Leave

Employee offboarding is where HIPAA compliance is quietly won or lost. Most security programs pour attention into onboarding, granting access, training new hires, signing confidentiality agreements, and treat departures as an HR formality. But the moment a workforce member leaves is precisely when the risk to PHI spikes: credentials still work, devices are still in a car or a home office, and the person no longer has any job reason to touch patient records. What makes termination distinct is that you are racing the clock to close access that already exists.

What the Security Rule requires

HIPAA names this directly. The Workforce Security standard at 45 CFR § 164.308(a)(3) requires procedures for authorization, supervision, and, at subsection (ii)(C), termination procedures for ending access to ePHI when employment ends or a role changes. Paired with the Information Access Management standard, the expectation is clear: access is granted deliberately, and it is removed just as deliberately. A program that can show how it provisions access but not how it removes it has a visible gap.

A practical termination checklist

Translate the requirement into a repeatable list that HR, IT, and security run together for every departure:

• Disable system access immediately: EHR, email, VPN, remote desktop, and any application holding ePHI, timed to the separation and done same-day for involuntary terminations.
• Recover devices and tokens: laptops, phones, tablets, hardware keys, and any removable media that may hold or access PHI.
• Collect physical access: badges, keys, and parking or facility credentials; deactivate badge IDs in the access-control system.
• Revoke shared and vendor credentials: rotate any shared passwords the person knew and remove them from third-party portals and cloud tools.
• Review audit logs: check record access around the departure for unusual activity or bulk exports.
• Document everything: record what was revoked, by whom, and when, so the offboarding is provable months later.

Termination ties back to your risk analysis

Offboarding weaknesses should surface in your Security Risk Analysis. The risk analysis required by 45 CFR § 164.308(a)(1)(ii)(A) is where you account for orphaned accounts, shared logins, and the systems most likely to be forgotten during a departure, vendor portals, cloud apps, and badge systems are common blind spots. If your risk analysis does not consider what happens when access should end, your offboarding process is running on memory rather than design.

The proposed 2026 Security Rule update

This area is poised to get more demanding. The Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule was published in December 2024 and is not finalized; if adopted, it would allow a 240-day compliance window once the final rule is published. Among its proposals is a requirement to terminate access promptly, with one widely discussed element being notification when a workforce member’s access is changed or removed, and to maintain accurate inventories of who has access to what. Tightening offboarding now is a low-regret move.

How Medcurity helps

Medcurity helps healthcare organizations document access-management and termination procedures, run the Security Risk Analysis that exposes deprovisioning gaps, and keep evidence of those controls audit-ready. Pricing is $499/year (about $42/month) for the core platform; larger organizations with many users and locations can request a quote. The payoff is an offboarding process that consistently closes every door a departing employee could have used.

Frequently Asked Questions

Does HIPAA actually require termination procedures?

Yes. The Security Rule’s Workforce Security standard includes a termination procedures specification at 45 CFR § 164.308(a)(3)(ii)(C), requiring procedures to end access to ePHI when a workforce member leaves or no longer needs access. It is addressable, but for any organization with electronic records the reasonable course is to implement it and document why.

How quickly should we revoke a departing employee’s access?

Access to systems containing ePHI should be disabled as close to the effective separation time as possible, ideally the same day, and immediately for involuntary terminations. The longer an unused account stays active, the larger the window for misuse, and a former employee logging in after departure is a reportable security incident waiting to happen.

What besides login accounts needs to be addressed when someone leaves?

Deprovisioning is broader than passwords. Recover laptops, phones, and tokens; collect badges and physical keys; disable VPN, email, and remote access; revoke shared-system and vendor-portal credentials; rotate any shared passwords the person knew; and remove their access to cloud applications and electronic health record systems.

Should we review audit logs when an employee is terminated?

Yes, especially for involuntary departures or roles with broad PHI access. Reviewing access logs around the separation can surface unusual record access or bulk exports before they become a breach, and documenting that review demonstrates the diligence auditors expect.

Related reading: HIPAA access control best practices and our HIPAA compliance checklist.