164.308(a)(3)(ii)(C) – Termination Procedures (Addressable)
Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in the Workforce clearance procedures paragraph of section 164.308.
Illustrative Controls and TIBCO LogLogic Solution
Administrators must demonstrate that user access privileges are modified and revoked in a timely manner upon job change or termination. Review reports and alerts on account activities, accounts created or deleted, group members added or deleted, and successful logins to VPN concentrators and critical servers.
Take expedient actions regarding job changes, especially job terminations. Knowledge transfer needs to be arranged, responsibilities reassigned and access rights removed such that risks are minimized and continuity of the function is guaranteed. When a person changes jobs or is terminated from a company, user access privileges must be modified according to the company’s business guidelines.
To satisfy this requirement, administrators must periodically ensure that only current and authorized employees have access to electronic protected health information systems. Administrators must ensure that all terminated users have been disabled. In addition, administrators must ensure that logins to servers as well as permissions assigned to users who changed jobs are appropriate for the new role they are in.
To ensure that the requirements listed in the preceding section are met, administrators must review reports of all user deletions and group member modifications. This ensures that terminated users are removed and users who changed jobs have been removed from the appropriate groups.
TIBCO LogLogic access reports and alerts that detail accounts and groups being removed are used to validate that access to electronic protected health information has been terminated as part of this addressable implementation specification. Access reports and alerts are reviewed to ensure that anyone terminated does not retain access and has no system or network activity following the termination.
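The review described above, as an added example that is not TIBCO LogLogic code: it correlates a constructed HR termination list and a constructed directory snapshot with constructed syslog-style authentication lines, flagging terminated accounts that are still enabled and any login activity by a terminated user after the termination time (the log format, host names and user names are all assumptions).

```python
import re
from datetime import datetime

# Constructed HR feed: user -> termination timestamp (assumed format).
TERMINATIONS = {
    "jdoe": datetime(2024, 3, 1, 17, 0),
    "asmith": datetime(2024, 3, 5, 12, 0),
}

# Constructed directory snapshot of accounts that are still enabled.
ENABLED_ACCOUNTS = {"jdoe", "bwong"}

# Constructed authentication log lines (syslog-like; not LogLogic's format).
LOG_LINES = """\
2024-03-01T16:30:00 vpn01 login user=jdoe result=success
2024-03-02T08:12:00 vpn01 login user=jdoe result=success
2024-03-03T10:00:00 srv-ehr01 login user=bwong result=success
2024-03-06T09:00:00 srv-ehr01 login user=asmith result=failure
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) result=(?P<result>\S+)$"
)

def parse_event(line):
    """Return a dict for a well-formed line, or None for anything unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def post_termination_activity(lines, terminations):
    """Events (user, timestamp, host, result) for terminated users after their
    termination time. Failed attempts are kept: they still show the account
    was being used or tried after employment ended."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["user"] not in terminations:
            continue
        if ev["ts"] > terminations[ev["user"]]:
            hits.append((ev["user"], ev["ts"], ev["host"], ev["result"]))
    return hits

def terminated_but_enabled(enabled, terminations):
    """Terminated users whose account is still enabled in the directory."""
    return sorted(set(terminations) & set(enabled))

if __name__ == "__main__":
    for hit in post_termination_activity(LOG_LINES, TERMINATIONS):
        print("post-termination activity:", hit)
    print("still enabled:", terminated_but_enabled(ENABLED_ACCOUNTS, TERMINATIONS))
```

Either finding is a review exception: an enabled account for a terminated user means the disable step was missed, and any post-termination event means the account was usable after it should have been revoked.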
Reports and Alerts
Use the following link or reference to see the 164.308(a)(3)(ii)(C) reports and alerts: 164.308(a)(3)(ii)(C) – Termination Procedures (Addressable).