§164.308(a)(3)(ii)(C): Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B).
Audit Inquiry
Does the entity have policies and procedures in place for terminating access to ePHI when employment or other arrangements with the workforce member ends?
Does the entity terminate access to ePHI when employment or other arrangements with the workforce member ends?
Obtain and review policies and procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends, or when a job description change requires more or less access to ePHI. Evaluate the content in relation to the specified performance criteria.
Elements to review may include but are not limited to:
• Recovery of access control devices and deactivation of information system access upon termination of employment, including voluntary termination and involuntary termination
• Termination of access by an independent contractor or other business associate, if applicable
• Appropriate changes in access levels and/or privileges pursuant to job description changes that necessitate more or less access to ePHI
• Time frames to terminate access to ePHI
• Exit interviews that include a discussion of privacy and security topics regarding ePHI
Obtain and review documentation demonstrating that workforce members’ access to ePHI was terminated. Evaluate and determine whether access to ePHI was terminated in a timely manner and consistent with related policies and procedures.
Obtain and review documentation demonstrating changes in access levels for workforce members with ePHI access. Obtain and review documentation of the job duties of workforce members before and after ePHI access level was changed. Evaluate and determine whether access levels were changed appropriately and in accordance with workforce member job duties.
Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.
Required/Addressable
Addressable