Your medical office staff understands the imperative of safeguarding personal health information (PHI) and wouldn’t let strangers roam about the facilities freely. But it’s easy for them to lower their guard when a former employee comes back to the practice, e.g., to pick up a final paycheck or just make a social call. Ex-employees are a common and virulent privacy threat, even when they leave on good terms. Many a practice has learned this truth the hard way after PHI was compromised by a former employee returning to the scene.
Problem: Ex-employees pose greater privacy risks
While ex-employees may look like a familiar face rather than a data security threat, they pose serious privacy risks precisely because they are so familiar. Their familiarity opens doors that are firmly closed to strangers. Moreover, their familiarity with your practice and its physical facilities, computers and IT systems enables them to quickly and easily access the PHI you keep. Simply allowing the person to walk unescorted to an ex-colleague’s workstation may be ample opportunity to compromise thousands of records.
Solution: Treat ex-employees like strangers
Chances are, your medical office policies already exclude all ex-employees from access to PHI, including those who had full access while they were employed by your practice. But it’s also important to remind reception and other public-facing staff of this policy, lest they be lulled into a false sense of security or simply feel embarrassed at having to keep an old colleague away from PHI like some kind of common outsider. Here’s a Model Memo you can adapt to deliver that vitally important message.