Think about the last person who left your practice. Did someone disable their login to your EHR? Their email? Your practice management software? What about the cloud storage where you keep billing records? The patient intake portal?
If you're not certain — and most practice managers aren't — there's a real chance they still have access. Not because anyone made a bad decision. Because no one made any decision at all.
Why This Keeps Happening
Healthcare practices run lean. When someone gives notice, the immediate problem is coverage — who's going to handle their patient load, who's taking over their billing queue, who's picking up their shifts. The IT side of offboarding is easy to forget, and there's no natural moment that forces it.
The deeper problem is fragmentation. In most small practices, there's no single person who owns a complete list of what systems exist and who has access to them. The EHR admin handles the clinical software. The billing manager set up the clearinghouse login three years ago and may have since left themselves. The office manager handles scheduling tools. The front desk person knows the social media passwords. No one has the full picture.
- There's no standard offboarding IT checklist in most small practices
- Access to different systems is controlled by different staff members, none of whom coordinate on departures
- Cloud services are often set up with personal accounts or shared passwords that aren't centrally tracked
- The person responsible for revoking access may themselves leave — taking that institutional knowledge with them
- Many EHR systems don't automatically lock accounts when a user is inactive — they stay open indefinitely
What the Statistics Actually Look Like
This isn't a theoretical risk. The Ponemon Institute's research on insider threats in healthcare consistently finds that former employees represent a significant share of unauthorized access incidents — around 19% of insider-related breaches.
The cases that actually make it into the news are instructive. A former medical billing employee at a multi-site practice accessed 23,000 patient records over three months after her termination — downloading records and forwarding them to a personal email. The access logs showed consistent logins during business hours, as if she were still employed. No one had disabled her credentials. A former dental office manager in another case emailed a patient list to a competitor's practice on her last day, using access she still had for another six weeks after her official end date.
Both were preventable. Both resulted in OCR investigations.
The Access Audit Checklist
Walk through every system your practice uses and ask one question: does this former employee still have an active account? The list is longer than most people expect.
High-Priority Systems
These are the systems that directly touch patient data. They should be the first accounts disabled on someone's last day, before they leave the building if possible; for an involuntary termination, disable them before the termination meeting, not after it. Disable rather than delete, so the mailbox, files and audit trail are preserved. And remember that changing a password does not end sessions that are already signed in: revoke active sessions, app passwords and API tokens, and remove the person's phone from MFA.
- EHR and practice management software (Dentrix, Eaglesoft, Kareo, athenahealth, eClinicalWorks, etc.)
- Email, meaning the Google Workspace or Microsoft 365 account: suspend it, revoke its sessions, and check for forwarding rules or delegated mailbox access the person may have set up
- VPN and remote access tools
- Patient billing portal
- Patient communication platforms (Klara, Luma, Weave, TigerConnect)
- Insurance portals — Availity, Change Healthcare, payer-specific portals
Commonly Missed Systems
These are the accounts that get forgotten because they're not part of the day-to-day clinical workflow — but they often contain sensitive information or can be used to access patient data indirectly.
- Cloud storage: Google Drive shared folders, Dropbox team folders, OneDrive — especially anything shared with the employee individually
- Online appointment scheduling tools: ZocDoc, Calendly, NexHealth, Phreesia
- Online fax services: eFax, SRFax, RingCentral fax
- Social media accounts: if the employee managed them, change the passwords, remove their personal accounts from admin or page-manager roles, and rotate any other shared password they knew
- Practice website and any content management systems
- Any personal accounts used for work purposes (personal Gmail forwarding work email, personal Dropbox with work files)
Personal accounts are the hardest to track. If a staff member set up a work process using their personal Google account — creating a shared folder, setting up a forwarding rule, logging into a vendor portal with a personal email — you may have no visibility into or control over that access after they leave. This is a structural risk, not just a process risk.
How to Actually Fix This
The good news is that this doesn't require expensive software. It requires a checklist and a designated owner. Four things to do, in order of impact:
Step 1: Create a written offboarding IT checklist. Every system your practice uses should appear on this list, along with who is responsible for disabling that access. Keep it in a shared location (not someone's personal drive). Update it when you add a new system.
Step 2: Designate one person who owns offboarding every time someone leaves. This is ideally the office manager or practice administrator. They should have admin access — or know who to call — for every system on the checklist. When someone gives notice, this person gets a task with a due date of the employee's last day.
Step 3: Run a quarterly access audit. Pull the user list from every system on your checklist and compare it against HR's current roster. For each enabled account, verify: is this person still employed? Do they still need this level of access? Check the last-login date as well, because an account nobody has used in months belongs either to someone who has left or to someone who never needed it. This catches the creeping problem of former employees, but also the more common problem of current employees who have more access than their role requires.
Step 4: Move toward centralized identity management if your practice size supports it. Google Workspace and Microsoft 365 can act as the identity provider for other applications through single sign-on (SAML or OIDC), so that suspending one account blocks sign-in to every application federated with it. The cascade covers only the applications you have actually connected; a system that keeps its own local usernames and passwords (many EHR, clearinghouse and fax portals do) still needs a manual step and stays on the checklist. Even so, this dramatically reduces the number of manual steps required on someone's last day.
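The reconciliation in Step 3 is easy to script once each system's user export is saved as a CSV. The script below is an added example written for this article, not code from the page or from any vendor. It assumes an HR roster CSV with email, name, status and end_date columns and per-system exports with email, last_login and enabled columns (real exports use different headers, so map them onto these first); the sample rows are constructed. It flags the three things the quarterly audit is looking for: enabled accounts that belong to terminated staff (and any login after their end date), accounts with no match in the roster (the shared or personal accounts the checklist above warns about), and current-employee accounts that have sat dormant past a threshold.

```python
"""Quarterly access reconciliation (illustrative example constructed for this
article): compare each system's user export against the HR roster."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data, not a real practice. The column names are an
# assumption; map your systems' export headers onto these before running.
HR_ROSTER_CSV = """email,name,status,end_date
jsmith@example-practice.com,Jane Smith,active,
rlee@example-practice.com,Robert Lee,terminated,2024-03-15
mchen@example-practice.com,Maria Chen,active,
"""

SYSTEM_EXPORTS = {
    "ehr": """username,email,last_login,enabled
jsmith,JSmith@Example-Practice.com,2024-06-10,true
rlee,rlee@example-practice.com,2024-05-02,true
mchen,mchen@example-practice.com,2023-11-01,true
ttemp,ttemp@example-practice.com,2024-01-05,false
""",
    "efax": """user,email,last_login,enabled
billing-shared,billing.shared@gmail.com,2024-06-09,true
lee.robert,robert.lee.dds@gmail.com,2024-04-20,true
""",
}


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    issue: str


def normalize_email(addr: str) -> str:
    """Exports disagree on case and whitespace; match on a canonical form."""
    return addr.strip().lower()


def parse_date(value: str):
    """ISO date or None when the export left the field blank."""
    value = value.strip()
    return date.fromisoformat(value) if value else None


def load_roster(hr_csv: str) -> dict:
    roster = {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        roster[normalize_email(row["email"])] = {
            "name": row["name"].strip(),
            "status": row["status"].strip().lower(),
            "end_date": parse_date(row["end_date"]),
        }
    return roster


def reconcile(hr_csv: str, exports: dict, as_of: date, dormant_days: int = 90) -> list:
    """Return one Finding per problem found across every system export."""
    roster = load_roster(hr_csv)
    cutoff = as_of - timedelta(days=dormant_days)
    findings = []
    for system, export_csv in exports.items():
        for row in csv.DictReader(io.StringIO(export_csv)):
            if row["enabled"].strip().lower() != "true":
                continue  # already disabled: that is the desired state
            email = normalize_email(row["email"])
            last_login = parse_date(row["last_login"])
            person = roster.get(email)
            if person is None:
                # Nobody in HR owns this login: a shared or personal account.
                findings.append(Finding(system, email, "no HR match (shared or personal account?)"))
                continue
            if person["status"] == "terminated":
                end = person["end_date"] or "unknown date"
                findings.append(Finding(system, email, f"terminated {end} but still enabled"))
                if last_login and person["end_date"] and last_login > person["end_date"]:
                    findings.append(Finding(system, email, f"login on {last_login} after termination"))
                continue
            if last_login is None or last_login < cutoff:
                findings.append(Finding(system, email, f"dormant: last login {last_login}"))
    return findings


def run_sample(as_of: date = date(2024, 6, 15)) -> list:
    """Reconcile the constructed sample data as of a fixed audit date."""
    return reconcile(HR_ROSTER_CSV, SYSTEM_EXPORTS, as_of)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.system}] {f.account}: {f.issue}")
```

On the sample data the script reports the terminated employee's still-enabled EHR account and his login seven weeks after his end date, a dormant EHR account, and two fax-service logins that belong to no one on the roster (one of them a personal Gmail address of the same departed employee, exactly the structural gap described under commonly missed systems). Matching on email alone is a deliberate simplification; accounts created with bare usernames need a name-based match as well.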
The HIPAA Angle
Failing to revoke access when an employee departs isn't just a security problem; it's a compliance failure. The HIPAA Security Rule's workforce security standard, 45 CFR § 164.308(a)(3), includes a termination procedures implementation specification, § 164.308(a)(3)(ii)(C), calling for procedures to terminate access to ePHI when a workforce member's employment or other arrangement ends. The Rule labels this specification addressable rather than required, but addressable does not mean optional: a covered entity must either implement it or document why doing so is not reasonable and appropriate and put an equivalent alternative measure in place. For revoking a departed employee's access there is no realistic alternative, so in practice every practice is expected to have the procedure.
The Office for Civil Rights has cited access control failures — including failure to revoke terminated employees' access — in multiple enforcement actions. In OCR's investigation of a breach at a medical practice, investigators noted that the former employee's access had never been revoked and that the organization had no formal offboarding procedure. The absence of a procedure was treated as a separate violation from the breach itself.
If OCR audits your practice, one of the standard questions is: "Do you have a formal process for revoking access when employees terminate?" If the answer is "sort of" or "we try to handle it," that answer becomes part of the record.
A corrective action plan stemming from an access control violation typically requires implementing a formal offboarding procedure, updating your workforce security training, and submitting compliance reports to OCR on a regular schedule — often quarterly for two years. The administrative burden alone is significant, before you account for legal fees and potential fines.
The Bottom Line
Of all the HIPAA risks that small practices face, this is one of the most preventable. Ransomware requires technical defenses. Phishing requires ongoing training. Terminated employee access requires a checklist and the discipline to use it every time someone leaves.
If you're not sure where your gaps are — which systems don't have an offboarding owner, which former employees might still have active credentials — a security risk assessment maps every access path in your practice and identifies exactly where the problems are. It's a more useful document than a list of systems you think you use.