Traps to Avoid: Giving Ex-Lab Employees Access to PHI
Your lab staff understands the imperative of safeguarding protected health information (PHI) and wouldn't let strangers roam about the facilities freely. But it's easy for them to lower their guard when a former employee comes back to the lab, e.g., to pick up a final paycheck or just make a social call. Ex-employees are a common and virulent privacy threat, even when they leave on good terms. Many a lab has learned this truth the hard way after PHI was compromised by a former employee returning to the scene.
Problem: Ex-Employees Pose Greater Privacy Risks
While ex-employees may look like a familiar face rather than a data security threat, they pose serious privacy risks precisely because they are so familiar. Their familiarity literally opens doors that are firmly closed to strangers. Moreover, their familiarity with your lab and its physical facilities, computers and IT systems empowers them to quickly and easily access the PHI you keep. Just allowing the person to walk to an ex-colleague's workstation without an escort may be ample opportunity to compromise thousands of records.
Solution: Treat Ex-Employees Like Strangers
Chances are, your lab policies already bar all ex-employees from access to PHI, including those who had full access when they were employed by your lab. But it's also important to remind reception and other public-facing staff of this policy lest they get lulled into a false sense of security or just feel flat embarrassed having to keep an old colleague away from PHI like some kind of common outsider. Here's a Model Memo you can adapt to deliver that vitally important message.
Model HIPAA Privacy Reminder to Reception and Other Lab Staff
From time to time, former employees may visit ABC Laboratories facilities to pick up personal belongings or to visit staff members for professional or social purposes. While ABC Laboratories is generally welcoming of visits from old friends and colleagues, staff are reminded that once individuals leave employment with us, they are no longer entitled to access protected health information (PHI).
As difficult as it may feel personally, ABC Laboratories staff members, particularly receptionists and others who face the public, are reminded that for purposes of HIPAA and privacy compliance, ex-employees are and must be treated like any other visitors to ABC Laboratories facilities.
In accordance with this Policy, ex-employees must not be permitted to enter any area of the facility where PHI is stored, used or accessible unless the precautions required for data security under the ABC Laboratories Visitors' Policy are fully implemented.
If an ex-employee refuses to cooperate, please notify your supervisor or ABC Laboratories security immediately. Failure to adhere to this policy that results in compromising data security and making ABC Laboratories PHI accessible to ex-employees will result in discipline up to and including termination, regardless of whether the ex-employee commits or attempts to commit any actual breaches.