IT Onboarding and Offboarding at Your Medical Practice
by 4MEDNET Team
March 19, 2026
Managed IT

A medical assistant left your practice six weeks ago. Her EHR account is still active. Her email still receives patient portal messages. Her login credentials for the practice management system have not been changed. She still has remote VPN access to your network.

This is not unusual. 79% of healthcare organizations have more than 1,000 orphaned accounts — user accounts that remain active after the employee has departed. Each one is an open door to your patient data.

Why This Matters More in Healthcare

Healthcare has the highest insider threat rate of any industry. 70% of security incidents involving threat actors with internal access occur in healthcare settings. Former employees account for a significant portion of these incidents. Some access records out of curiosity. Some take patient lists to a new employer. Some sell credentials on the dark web.

HIPAA makes this your legal problem. Section 164.312(a)(1) of the HIPAA Security Rule requires covered entities to implement technical policies and procedures for access to electronic protected health information (ePHI). Section 164.312(a)(2)(iii) requires automatic logoff. Section 164.308(a)(3)(ii)(C) requires termination procedures — specifically, revoking access when an employee leaves.

OCR has cited access management failures in multiple enforcement actions. Penalties for failure to terminate access appropriately have reached six figures. The violation is not the breach itself — it is the failure to have procedures that prevent unauthorized access.

The 1-Hour Rule for Departures

When an employee leaves — voluntarily or involuntarily — all access to systems containing ePHI should be disabled within 1 hour of their departure. Not by end of day. Not by end of week. Within 1 hour.

This requires coordination between HR, the practice manager, and IT. The moment HR confirms a departure, IT must receive immediate notification to begin the offboarding process. If IT learns about a termination three days later when they notice the person has not logged in, you have a three-day window where a former employee could access patient data.

For involuntary terminations, the process should begin before the conversation happens. IT should be prepared to disable access the moment the employee is notified. For planned departures, the offboarding checklist should start two weeks before the last day.

The Onboarding Checklist

A secure onboarding process sets the foundation for the employee's entire tenure. Rush it, and you create security gaps that persist for years.

Before day one:

  • Create a unique user account — never share accounts between employees
  • Assign role-based access permissions (minimum necessary for the job function)
  • Provision email account with appropriate distribution group memberships
  • Set up EHR access with role-specific templates and permissions
  • Configure workstation or assign a shared workstation login
  • Prepare MFA enrollment instructions
  • Generate temporary credentials with mandatory change at first login

Day one:

  • Walk the employee through MFA enrollment on their phone or hardware token
  • Verify access to every system they need — EHR, email, practice management, billing
  • Review and sign the HIPAA workforce confidentiality agreement
  • Review and sign the acceptable use policy
  • Complete initial HIPAA security awareness training
  • Document all systems and access levels granted in the employee's IT record

First week:

  • Confirm the employee can perform all job functions without shared accounts or workarounds
  • Verify audit logging captures the new user's activity correctly
  • Schedule follow-up for any outstanding training modules

The Offboarding Checklist

Offboarding is where most practices fail. The employee is gone, so the urgency feels low. But the risk is highest in the first 72 hours after departure.

Departure day (within 1 hour):

  • Disable Active Directory / identity provider account
  • Disable EHR access
  • Disable email account (do not delete — set to forward to supervisor for 30 days)
  • Disable VPN and remote access
  • Disable access to practice management and billing systems
  • Disable access to any cloud applications (scheduling, telehealth, messaging)
  • Revoke badge access to the building and server room
  • Collect all practice-owned devices (laptop, phone, tablet, USB drives)
  • Collect all physical keys

Within 24 hours:

  • Change any shared passwords the employee had access to (WiFi, shared mailboxes, vendor portals)
  • Review and revoke access to any third-party SaaS applications
  • Remove the employee from distribution lists and shared calendars
  • Notify relevant vendors that the employee is no longer authorized

Within 30 days:

  • Archive the employee's email according to retention policy
  • Transfer ownership of shared files and documents
  • Review audit logs for any unusual access in the employee's final 30 days
  • Update the IT asset inventory
  • Document the completed offboarding in the employee's record
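The three checklist tiers above are really a set of deadlines measured from the departure time, and the last item (documenting the completed offboarding) is what you will be asked to produce in an OCR review. The following runbook is an added example, not the practice's or 4MEDNET's own code: it holds each step to its deadline, records who performed it and when, and reports anything late, overdue or still pending. Step names are assumed labels for the checklist items; in production each `record()` call would follow the real revocation in AD, the EHR, the VPN and so on.

```python
"""Offboarding runbook with per-step deadlines and an audit trail.

Added example, not the practice's or 4MEDNET's own code. Step names
mirror the checklist above; deadlines are measured from the recorded
departure time. Assumption: in production each step would also call the
real system (AD, EHR, VPN) before being recorded here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
MONTH = timedelta(days=30)

# Checklist steps with the deadline each must meet, relative to departure.
OFFBOARDING_STEPS = [
    ("disable_idp_account", HOUR),        # Active Directory / identity provider
    ("disable_ehr", HOUR),
    ("disable_email_set_forward", HOUR),
    ("disable_vpn", HOUR),
    ("disable_pm_billing", HOUR),
    ("disable_cloud_apps", HOUR),
    ("revoke_badge", HOUR),
    ("collect_devices_and_keys", HOUR),
    ("rotate_shared_passwords", DAY),
    ("revoke_saas_access", DAY),
    ("remove_from_lists_calendars", DAY),
    ("notify_vendors", DAY),
    ("archive_mailbox", MONTH),
    ("transfer_file_ownership", MONTH),
    ("review_audit_logs", MONTH),
    ("update_asset_inventory", MONTH),
]
DEADLINES = dict(OFFBOARDING_STEPS)


@dataclass
class AuditEntry:
    """Who revoked what, when, and the deadline it was held to."""
    step: str
    performed_by: str
    performed_at: datetime
    deadline: datetime

    @property
    def on_time(self) -> bool:
        return self.performed_at <= self.deadline


@dataclass
class OffboardingRecord:
    employee: str
    departed_at: datetime
    entries: list = field(default_factory=list)

    def record(self, step: str, performed_by: str, performed_at: datetime) -> AuditEntry:
        """Log a completed step. Unknown step names raise KeyError, so the
        record can only ever contain checklist items."""
        entry = AuditEntry(step, performed_by, performed_at,
                           self.departed_at + DEADLINES[step])
        self.entries.append(entry)
        return entry


def verify(record: OffboardingRecord, now: datetime) -> dict:
    """Return {step: status} for every step that is not cleanly complete:
    'late' (done after its deadline), 'overdue' (not done, deadline passed)
    or 'pending' (not done, deadline still ahead). Empty dict means complete."""
    done = {e.step: e for e in record.entries}
    findings = {}
    for step, delta in OFFBOARDING_STEPS:
        deadline = record.departed_at + delta
        if step in done:
            if not done[step].on_time:
                findings[step] = "late"
        elif now > deadline:
            findings[step] = "overdue"
        else:
            findings[step] = "pending"
    return findings


def demo() -> dict:
    """Constructed scenario: departure at 09:00 UTC, two steps done by 11:00."""
    departed = datetime(2026, 3, 19, 9, 0, tzinfo=timezone.utc)
    rec = OffboardingRecord("jsmith", departed)
    rec.record("disable_idp_account", "it-oncall", departed + timedelta(minutes=10))
    rec.record("disable_ehr", "it-oncall", departed + timedelta(hours=2))  # missed the 1-hour rule
    return verify(rec, departed + timedelta(hours=2))


if __name__ == "__main__":
    for step, status in demo().items():
        print(f"{status:8} {step}")
```

Run `verify()` from the ticketing system's closing step: an empty result is the evidence that the termination procedure was followed, and a non-empty one names exactly which revocation is missing and how far past the 1-hour or 24-hour window it is.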

Role-Based Access: Who Needs What

Not every employee needs access to every system. HIPAA's minimum necessary standard requires that workforce members can access only the ePHI they need for their specific job function. Here is a typical access matrix for a medical practice:

  • Physician: Full EHR (charts, orders, results, prescribing), email, practice management (schedule), billing (view only), telehealth
  • Nurse / MA: EHR (vitals, documentation, medication administration), email, practice management (schedule), patient portal messaging
  • Front desk: Practice management (scheduling, registration, insurance verification), email, limited EHR (demographics only), phone system
  • Billing staff: Billing system (full access), practice management (insurance, accounts), limited EHR (diagnosis codes, procedure notes), clearinghouse portal
  • Office manager: Practice management (full), email, reporting dashboards, vendor portals, HR system

A front desk employee should not have access to clinical notes. A billing specialist should not have access to prescribing functions. These are not just best practices — they are HIPAA requirements.

The Shared Account Problem

Shared accounts are the most common access management violation in small practices. Two nurses use the same EHR login. The whole front desk shares one email account. Everyone knows the "admin" password for the practice management system.

Shared accounts make it impossible to track who accessed what. When a breach investigation asks "who accessed this patient's record on March 15?" the answer cannot be "someone at the front desk." HIPAA Section 164.312(a)(2)(i) requires unique user identification — every person gets their own login.

Shared accounts also make offboarding dangerous. When an employee leaves and the shared password does not change, the former employee still has access. When shared passwords do change, you disrupt every other person who uses that account.
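Two of the review tasks on this page depend on the audit log: answering "who accessed this patient's record on March 15?" (only possible with unique user IDs) and the offboarding step that reviews a departing employee's final 30 days for unusual access. The following is an added example, not the practice's or 4MEDNET's own code, working over a constructed EHR audit log in an assumed `timestamp,user_id,patient_id,action` format. It shows how a shared login leaves the first question unanswerable, and flags access after the departure time plus any day whose record volume is well above the user's own baseline.

```python
"""EHR audit log review: record attribution and a departing user's last 30 days.

Added example, not the practice's or 4MEDNET's own code. The log format
and sample lines are constructed; SHARED_ACCOUNTS is an assumption about
which generic logins exist at the practice.
"""
from collections import Counter
from datetime import date, datetime, timedelta, timezone
from statistics import median

SHARED_ACCOUNTS = {"frontdesk", "admin"}  # assumed generic logins (the problem case)

SAMPLE_LOG = """\
2026-03-10T08:15:00Z,jsmith,P1001,view_chart
2026-03-10T08:40:00Z,jsmith,P1002,view_chart
2026-03-11T09:05:00Z,jsmith,P1003,view_chart
2026-03-12T09:10:00Z,frontdesk,P1001,view_demographics
2026-03-15T10:00:00Z,jsmith,P1004,view_chart
2026-03-15T10:01:00Z,jsmith,P1005,view_chart
2026-03-15T10:02:00Z,jsmith,P1006,view_chart
2026-03-15T10:03:00Z,jsmith,P1007,view_chart
2026-03-15T10:04:00Z,jsmith,P1008,view_chart
2026-03-15T10:05:00Z,jsmith,P1009,view_chart
2026-03-15T10:06:00Z,jsmith,P1010,view_chart
2026-03-15T10:07:00Z,jsmith,P1011,view_chart
2026-03-15T10:08:00Z,jsmith,P1001,view_chart
2026-03-15T14:00:00Z,frontdesk,P1001,view_demographics
2026-03-16T07:30:00Z,jsmith,P1012,view_chart
2026-03-18T08:00:00Z,jsmith,P1001,view_chart
2026-03-19T17:30:00Z,jsmith,P1001,view_chart
"""


def parse_log(text: str) -> list:
    """Parse constructed CSV-style audit lines into event dicts with aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "patient": patient, "action": action})
    return events


def who_accessed(events: list, patient_id: str, on_day: date) -> dict:
    """Users who touched a patient's record on a given day. Any user that is a
    shared login is listed as unattributable: the log cannot name a person."""
    users = {e["user"] for e in events
             if e["patient"] == patient_id and e["ts"].date() == on_day}
    return {"users": sorted(users), "unattributable": sorted(users & SHARED_ACCOUNTS)}


def review_departing_user(events: list, user_id: str, departed_at: datetime,
                          window_days: int = 30, min_records: int = 5) -> dict:
    """Final-window review: anything after departure is a finding on its own;
    a day is a 'spike' if it holds at least min_records and more than three
    times the user's median daily volume inside the window."""
    start = departed_at - timedelta(days=window_days)
    mine = [e for e in events if e["user"] == user_id]
    after = [e for e in mine if e["ts"] > departed_at]
    in_window = [e for e in mine if start <= e["ts"] <= departed_at]
    per_day = Counter(e["ts"].date() for e in in_window)
    baseline = median(per_day.values()) if per_day else 0
    spikes = {d: n for d, n in per_day.items() if n >= min_records and n > 3 * baseline}
    return {"records_in_window": len(in_window), "baseline_per_day": baseline,
            "spike_days": spikes, "after_departure": after}


def demo() -> dict:
    """Constructed case: jsmith departed 2026-03-19 09:00 UTC."""
    events = parse_log(SAMPLE_LOG)
    departed = datetime(2026, 3, 19, 9, 0, tzinfo=timezone.utc)
    return {"who": who_accessed(events, "P1001", date(2026, 3, 15)),
            "review": review_departing_user(events, "jsmith", departed)}


if __name__ == "__main__":
    out = demo()
    print("P1001 on 2026-03-15:", out["who"])
    r = out["review"]
    print("spike days:", {str(d): n for d, n in r["spike_days"].items()})
    print("after departure:", [(e["ts"].isoformat(), e["patient"]) for e in r["after_departure"]])
```

The "after departure" list is the check that catches the opening scenario of this post: a record view after the departure time means the 1-hour rule was missed, regardless of how ordinary the access looks.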

Common Mistakes

No formal process exists. Onboarding and offboarding happen ad hoc. The office manager emails IT when they remember. Sometimes they forget. There is no checklist, no documentation, and no verification.

Access is granted by copying another user's profile. The new nurse gets the same access as the last nurse — including permissions that were added temporarily for a specific project and never removed. Privilege creep accumulates over time until junior staff have administrator-level access.
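The access matrix in the previous section and the profile-copying mistake just described are two sides of the same control: a role baseline that new accounts are provisioned from, and a periodic comparison of what each user actually holds against that baseline. The following is an added example, not the practice's or 4MEDNET's own code. The entitlement strings are assumed labels for the rows of the access matrix above, and the users in `demo()` are constructed to show how a cloned profile carries privilege creep into a new hire's account.

```python
"""Role-based access baselines and a privilege-creep check.

Added example, not the practice's or 4MEDNET's own code. The entitlement
names are assumed labels for the access matrix on this page; the users
in demo() are constructed.
"""

# Minimum-necessary baseline per role, taken from the access matrix above.
ROLE_BASELINE = {
    "physician": {"ehr:charts", "ehr:orders", "ehr:results", "ehr:prescribing",
                  "email", "pm:schedule", "billing:view", "telehealth"},
    "nurse_ma": {"ehr:vitals", "ehr:documentation", "ehr:med_admin",
                 "email", "pm:schedule", "portal:messaging"},
    "front_desk": {"pm:scheduling", "pm:registration", "pm:insurance_verification",
                   "email", "ehr:demographics", "phone"},
    "billing": {"billing:full", "pm:insurance", "pm:accounts",
                "ehr:diagnosis_codes", "ehr:procedure_notes", "clearinghouse"},
    "office_manager": {"pm:full", "email", "reporting", "vendor_portals", "hr"},
}


def provision(role: str) -> set:
    """A new hire's entitlements come from the role baseline, never from another user."""
    return set(ROLE_BASELINE[role])


def excess_access(role: str, granted) -> set:
    """Entitlements a user holds beyond their role: privilege creep."""
    return set(granted) - ROLE_BASELINE[role]


def missing_access(role: str, granted) -> set:
    """Entitlements the role needs that the user lacks (workaround / shared-login risk)."""
    return ROLE_BASELINE[role] - set(granted)


def access_review(users: dict) -> dict:
    """users: {username: (role, granted)} -> {username: excess} for over-privileged users only."""
    findings = {}
    for username, (role, granted) in users.items():
        excess = excess_access(role, granted)
        if excess:
            findings[username] = excess
    return findings


def demo() -> dict:
    """Constructed practice: a veteran nurse kept two temporary project grants,
    one new nurse was cloned from her, the other was provisioned from the baseline."""
    veteran = provision("nurse_ma") | {"ehr:prescribing", "pm:full"}
    users = {
        "veteran_nurse": ("nurse_ma", veteran),
        "new_nurse_cloned": ("nurse_ma", set(veteran)),          # the mistake
        "new_nurse_baseline": ("nurse_ma", provision("nurse_ma")),
        "frontdesk1": ("front_desk", provision("front_desk") | {"ehr:charts"}),
    }
    return access_review(users)


if __name__ == "__main__":
    for user, excess in demo().items():
        print(f"{user}: remove {sorted(excess)}")
```

Running `access_review()` quarterly over an export of each system's entitlements turns the "quarterly access review" from a judgement call into a diff against the matrix: the output is the list of grants to remove, and a user who appears in no findings holds exactly what their role requires.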

Offboarding is delayed. HR processes the termination paperwork. IT is not notified for days. The former employee's accounts remain active. In the meantime, automated systems continue sending patient data to the former employee's email.

No audit trail. Nobody documents which systems the employee had access to, what was revoked, when it was revoked, and who performed the revocation. When OCR asks to see your termination procedures, you have nothing to show.

Automating the Process

Manual onboarding and offboarding works for practices with low turnover. But the healthcare industry averages 20% annual turnover. A 30-person practice can expect 6 departures and 6 new hires per year. Each one requires touching 5 to 10 systems. That is 60 to 120 access changes per year — each one a potential error.

Identity management tools can automate much of this process. An identity provider (like Azure AD or Google Workspace) serves as the single source of truth. When a user is disabled in the identity provider, access is automatically revoked across connected systems through SCIM provisioning. One action, every system, immediately.
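Two things described on this page fit together in code: finding orphaned accounts (an active identity-provider account whose owner has left, or that no current employee owns at all) and the SCIM deactivation that an identity provider sends to every connected application when a user is disabled. The following is an added example, not the practice's or 4MEDNET's own code, and not any particular vendor's SCIM implementation. It reconciles a constructed HR roster against a constructed identity-provider export, builds the SCIM 2.0 PatchOp body that sets `active` to `false` (RFC 7644), and applies it to simulated connected applications to show the one-action, every-system fan-out. The `ConnectedApp` class is an assumed stand-in for the EHR, email and VPN systems.

```python
"""Orphaned-account reconciliation plus SCIM 2.0 deprovisioning fan-out.

Added example, not the practice's or 4MEDNET's own code. HR_ROSTER and
IDP_ACCOUNTS are constructed; ConnectedApp is an assumed stand-in for a
SCIM-provisioned application such as the EHR, email or VPN.
"""
from datetime import datetime, timezone

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

HR_ROSTER = [  # constructed HR export: who currently works here
    {"username": "jsmith", "end_date": datetime(2026, 2, 5, tzinfo=timezone.utc)},  # left six weeks ago
    {"username": "mjones", "end_date": None},
]
IDP_ACCOUNTS = [  # constructed identity-provider export
    {"userName": "jsmith", "active": True},
    {"userName": "mjones", "active": True},
    {"userName": "temp_contractor", "active": True},  # nobody in HR owns this account
    {"userName": "oldadmin", "active": False},        # already disabled: not an orphan
]


def find_orphans(roster: list, accounts: list, now: datetime) -> list:
    """Active accounts with no current employee behind them, with the reason."""
    by_user = {e["username"]: e for e in roster}
    orphans = []
    for acct in accounts:
        if not acct["active"]:
            continue
        emp = by_user.get(acct["userName"])
        if emp is None:
            orphans.append((acct["userName"], "no matching employee in HR roster"))
        elif emp["end_date"] is not None and emp["end_date"] <= now:
            orphans.append((acct["userName"], f"employee left {emp['end_date'].date()}"))
    return orphans


def scim_deactivate_patch() -> dict:
    """SCIM 2.0 PatchOp body (RFC 7644 section 3.5.2) that sets active=false.
    Sent as PATCH /Users/{id} to each connected application."""
    return {"schemas": [SCIM_PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


class ConnectedApp:
    """Simulated SCIM-provisioned application (assumption: stands in for EHR, email, VPN)."""

    def __init__(self, name: str, usernames: list):
        self.name = name
        self.users = {u: {"userName": u, "active": True} for u in usernames}

    def patch_user(self, username: str, patch: dict):
        """Apply a PatchOp the way a SCIM server would; None if the user is unknown here."""
        if patch.get("schemas") != [SCIM_PATCH_SCHEMA]:
            raise ValueError("not a SCIM PatchOp request")
        user = self.users.get(username)
        if user is None:
            return None
        for op in patch["Operations"]:
            if op["op"] == "replace" and op["path"] == "active":
                user["active"] = op["value"]
        return user


def deprovision(usernames: list, apps: list) -> dict:
    """One disable in the identity provider, pushed to every connected app.
    Returns {username: [apps where the account was deactivated]}."""
    patch = scim_deactivate_patch()
    return {u: [app.name for app in apps if app.patch_user(u, patch) is not None]
            for u in usernames}


def run_demo():
    now = datetime(2026, 3, 19, 9, 0, tzinfo=timezone.utc)
    apps = [ConnectedApp("EHR", ["jsmith", "mjones"]),
            ConnectedApp("Email", ["jsmith", "mjones", "temp_contractor"]),
            ConnectedApp("VPN", ["jsmith"])]
    orphans = find_orphans(HR_ROSTER, IDP_ACCOUNTS, now)
    results = deprovision([u for u, _ in orphans], apps)
    return orphans, results, apps


if __name__ == "__main__":
    orphans, results, _ = run_demo()
    for user, reason in orphans:
        print(f"orphan: {user} ({reason}) -> deactivated in {results[user]}")
```

The reconciliation half is the cheap check to run first: it needs only an HR export and a user list from the identity provider, and every active account it reports is one the offboarding process missed. The SCIM half is what makes the 1-hour rule routine rather than heroic, because the disable is issued once and reaches each connected system without someone remembering to log in to it.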

Even without full automation, a managed IT provider can standardize the process. Documented checklists, ticketing systems that track every step, and quarterly access reviews ensure nothing falls through the cracks. The right email configuration also ensures former employees cannot continue receiving patient communications.

Book a free assessment to review your practice's onboarding and offboarding procedures. We will identify orphaned accounts, audit current access permissions, and help you build checklists that protect patient data at every employee transition. Explore our managed IT services and support plans.
