Termination Procedures

The HIPAA Security Rule requires you to implement termination procedures that promptly remove a workforce member’s access to electronic protected health information (ePHI) when employment or another arrangement ends. Operationally, that means a documented offboarding process that triggers identity/account deprovisioning across all systems that can access ePHI, with auditable evidence that access actually stopped. (45 CFR Parts 160, 162, 164)

Key takeaways:

  • You need a repeatable offboarding workflow that terminates ePHI access for employees, contractors, temps, interns, and others in your workforce. (45 CFR Parts 160, 162, 164)
  • “Termination” includes both end-of-relationship and access removals based on role changes or inappropriate access determinations. (45 CFR Parts 160, 162, 164)
  • Auditors look for proof: tickets, timestamps, system logs, and reconciliations that show accounts were disabled everywhere ePHI could be reached. (45 CFR Parts 160, 162, 164)

Termination procedures are one of the most operational parts of the HIPAA Security Rule because the requirement is simple and the failure modes are painfully common: a person leaves, but their credentials still work somewhere. Under 45 CFR § 164.308(a)(3)(ii)(C), you must implement procedures to terminate access to ePHI when a workforce member’s employment ends or when another arrangement ends. (45 CFR Parts 160, 162, 164)

For a CCO, GRC lead, or compliance officer, the fastest path to a defensible program is to treat this as an identity and access management (IAM) control that depends on HR, IT, Security, and department managers. Your job is to make the process explicit, map it to systems that touch ePHI, and require evidence that access was removed. That includes direct EHR access, VPN, email, cloud apps, shared drives, API keys, and any “back doors” like break-glass accounts, local device accounts, or shared credentials.

This page gives you requirement-level guidance: what the rule means in plain English, who it applies to, how to implement it step-by-step, what evidence to retain, and how to avoid exam hangups.

Regulatory text

Requirement (45 CFR § 164.308(a)(3)(ii)(C)): Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends, or as required by access determinations under the related authorization/supervision standard. (45 CFR Parts 160, 162, 164)

Operator interpretation: you must have a documented, followed process that:

  1. detects when a workforce relationship ends (or access should end), and
  2. removes the person’s ability to access ePHI across relevant systems, and
  3. leaves evidence that the removal occurred. (45 CFR Parts 160, 162, 164)

This is a procedural requirement. The exam question is rarely “do you have a policy.” It is “show me three recent terminations and prove access was removed everywhere ePHI is stored, processed, or transmitted.”

Plain-English interpretation of the termination procedures requirement

You need a reliable way to shut off ePHI access for anyone in your workforce when they leave or when access is no longer appropriate for their role. “Workforce” is broader than employees; it includes people under “other arrangement” who work under your control, such as contractors, agency staff, trainees, volunteers, and certain third-party personnel embedded in operations. (45 CFR Parts 160, 162, 164)

Two practical implications trip teams up:

  • Role changes are termination events for access. If a nurse moves to a non-clinical role, the old clinical access should end, even if employment continues. (45 CFR Parts 160, 162, 164)
  • Access can be terminated based on determinations, not just departures. If supervision/authorization decisions require removal, your procedure must support that path. (45 CFR Parts 160, 162, 164)

Who it applies to

Entity types

  • Covered Entities (providers, health plans, clearinghouses) that create/receive/maintain/transmit ePHI and have a workforce with access pathways. (45 CFR Parts 160, 162, 164)
  • Business Associates that handle ePHI and maintain workforce access to systems or environments that store or process ePHI. (45 CFR Parts 160, 162, 164)

Operational contexts where this control must work

  • HR offboarding for employees and contingent workforce (contractors, temps).
  • Third-party “embedded” personnel where you provision accounts (EHR accounts, badge access, VPN).
  • Remote workforce where access may persist through personal devices, cloud sessions, tokens, and mobile apps.
  • High-risk privileged roles: IT admins, EHR super-users, database admins, security engineers.

What you actually need to do (step-by-step)

1) Define “termination events” and triggers

Document what starts the process. At minimum, include:

  • Employment end date (voluntary/involuntary).
  • End of contract/engagement for non-employees in the workforce.
  • Internal transfer or job change that removes need-to-know access.
  • Access revocation required by supervision/authorization decisions. (45 CFR Parts 160, 162, 164)

Implementation detail: Tie triggers to authoritative systems. HRIS is often authoritative for employees; a vendor management or procurement system may be authoritative for contractors; department leadership may be authoritative for interns/trainees. Your procedure should name the source and the handoff.

2) Maintain a current “ePHI access surface” inventory

You cannot terminate what you cannot find. Maintain a list of systems and access methods that can reach ePHI, such as:

  • EHR/EMR and ancillary clinical systems
  • Identity provider (SSO), VPN, email, and cloud storage
  • File shares, databases, analytics platforms, and ticketing systems with attachments
  • Remote access tools, privileged access tools, and “break-glass” mechanisms
  • Mobile device management (MDM) and secure messaging apps (45 CFR Parts 160, 162, 164)

Practical control: Assign each system an “access owner” responsible for confirming deprovisioning completion.

3) Standardize the offboarding workflow

Build a single workflow that works for employees and “other arrangements.” Minimum steps:

  1. Initiate offboarding case (ticket/case) with identity, role, manager, termination event type, and effective time.
  2. Disable primary identity (IdP/AD/LDAP) and revoke sessions/tokens where feasible.
  3. Remove application access for all systems in the ePHI inventory (EHR plus downstream apps).
  4. Revoke privileged access and rotate shared credentials where the person had knowledge (admin passwords, shared accounts, service credentials they could access).
  5. Recover assets (badges, laptops) and address device access (MDM wipe, certificate revocation) when devices can access ePHI.
  6. Document completion with timestamps and responsible parties.
  7. Manager attestation that access was removed for any non-standard systems or local tools. (45 CFR Parts 160, 162, 164)

Design tip: Separate “account disable” (immediate) from “account deletion” (later) so you preserve audit logs while still terminating access.

4) Handle edge cases explicitly

Write playbooks for scenarios auditors ask about:

  • Involuntary terminations: ensure HR/Security can trigger immediate disablement without waiting for end-of-day processing.
  • Leaves of absence: treat as temporary access suspension where appropriate; document reactivation approvals.
  • Shared accounts: prohibit where possible; if unavoidable, require credential rotation on termination events.
  • Third-party support access: if a third party’s personnel are in your “workforce” arrangement, your procedure must cover their accounts too. If they access through the third party’s environment, ensure the contract requires timely removal and you have a way to verify. (45 CFR Parts 160, 162, 164)

5) Add a reconciliation control

Procedures fail quietly unless you test. Implement a periodic reconciliation that compares:

  • HRIS/roster of active workforce members
  • IdP/AD list of enabled accounts
  • EHR user list, VPN users, and other key ePHI systems (45 CFR Parts 160, 162, 164)

Investigate mismatches and document resolution. Auditors treat this as proof your termination procedures work in practice, not just on paper.
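The reconciliation described above, written as an added example for this page (not Daydream’s code or any product’s): it joins a constructed HRIS roster against constructed IdP and EHR exports on a shared person_id, and flags enabled accounts that belong to inactive or unknown people, plus EHR accounts still enabled after the IdP account was disabled. The export layouts, field names, and sample data are assumptions.

```python
from datetime import date

# Constructed sample exports (not real data). person_id is the join key shared by
# HRIS, the IdP and the EHR; in practice that key must be present in every export.
HRIS_ROSTER = [
    # (person_id, status, termination_date)
    ("p001", "active", None),
    ("p002", "terminated", date(2024, 3, 1)),
    ("p003", "active", None),
    ("p004", "terminated", date(2024, 3, 15)),
    ("p005", "active", date(2024, 4, 30)),  # notice given, last day still in the future
]
IDP_ACCOUNTS = [
    # (person_id, enabled)
    ("p001", True),
    ("p002", False),  # correctly disabled
    ("p003", True),
    ("p004", True),   # straggler: terminated in HRIS, still enabled in IdP
    ("p005", True),   # fine: still active as of the reconciliation date
    ("c777", True),   # no roster entry at all (e.g. contractor never recorded in HRIS)
]
EHR_USERS = [
    # (person_id, enabled, roles)
    ("p001", True, ["nurse"]),
    ("p002", True, ["nurse"]),  # IdP disabled, but the app-native EHR account was missed
    ("p003", True, ["billing"]),
    ("p004", False, []),
    ("p005", True, ["nurse"]),
]
AS_OF = date(2024, 4, 1)  # reconciliation date (constructed)

def reconcile(roster, idp, ehr, as_of):
    """Return sorted (system, person_id, finding) tuples that need investigation."""
    known = {pid for pid, _, _ in roster}
    # Active = HRIS says active and any recorded termination date is still in the future.
    active = {pid for pid, status, term in roster
              if status == "active" and (term is None or term > as_of)}
    idp_enabled = {pid for pid, enabled in idp if enabled}
    ehr_enabled = {pid for pid, enabled, _ in ehr if enabled}
    findings = []
    for system, enabled in (("idp", idp_enabled), ("ehr", ehr_enabled)):
        for pid in enabled:
            if pid not in known:
                findings.append((system, pid, "enabled account with no roster entry"))
            elif pid not in active:
                findings.append((system, pid, "enabled account for inactive workforce member"))
    # SSO disablement alone does not cover app-native logins: flag EHR accounts that
    # remain enabled for a known person whose IdP account is already disabled.
    for pid in (ehr_enabled & known) - idp_enabled:
        findings.append(("ehr", pid, "app-native account enabled while IdP account disabled"))
    return sorted(findings)

if __name__ == "__main__":
    for system, pid, finding in reconcile(HRIS_ROSTER, IDP_ACCOUNTS, EHR_USERS, AS_OF):
        print(f"{system}\t{pid}\t{finding}")
```

Each finding becomes a ticket (or a note on the original offboarding ticket) with the resolution, which is the execution evidence auditors sample.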

6) Build it into governance and accountability

Assign clear owners:

  • HR: trigger accuracy and timing
  • IT/IAM: identity disablement
  • App owners: app-level access removal
  • Security/Compliance: oversight, testing, and evidence retention (45 CFR Parts 160, 162, 164)

If you use Daydream to manage GRC workflows, treat termination procedures as a mapped control with system-level tasks, owners, and evidence requests. The fastest wins come from automating evidence collection prompts (tickets, screenshots, exports, logs) and maintaining a living system inventory tied to the control.

Required evidence and artifacts to retain

Keep artifacts that prove procedure design and procedure execution:

Design evidence

  • Termination procedures policy/procedure document, including scope and triggers. (45 CFR Parts 160, 162, 164)
  • ePHI access surface inventory (systems list, owners, access methods). (45 CFR Parts 160, 162, 164)
  • RACI or ownership matrix for offboarding steps. (45 CFR Parts 160, 162, 164)

Execution evidence (for sampling)

  • Offboarding tickets/cases with timestamps and completion status.
  • IdP/AD disablement logs or screenshots showing account disabled.
  • EHR/system user termination confirmation (export/log) showing account disabled or role removed.
  • Evidence of session/token revocation where applicable.
  • Evidence of privileged access removal and shared credential rotation when relevant.
  • Reconciliation reports and remediation notes for mismatches. (45 CFR Parts 160, 162, 164)

Common exam/audit questions and hangups

Expect questions like:

  • “Show me evidence for recent departures. When did access end, and in which systems?” (45 CFR Parts 160, 162, 164)
  • “How do you handle contractors, students, and volunteers?” (45 CFR Parts 160, 162, 164)
  • “How do you ensure access is removed from the EHR and not just AD/SSO?” (45 CFR Parts 160, 162, 164)
  • “What about remote access, VPN, mobile apps, or cached sessions?” (45 CFR Parts 160, 162, 164)
  • “How do you detect accounts still enabled for people no longer active?” (45 CFR Parts 160, 162, 164)

Hangups usually appear where ownership is unclear, the system inventory is stale, or the organization assumes SSO disablement covers every system.

Frequent implementation mistakes and how to avoid them

  • Mistake: Treating HR termination as the only trigger. Fix: define role change and access revocation determinations as triggers in the procedure. (45 CFR Parts 160, 162, 164)
  • Mistake: Disabling network login but forgetting app-native accounts. Fix: maintain an app inventory and require app owner confirmation, not just IAM confirmation. (45 CFR Parts 160, 162, 164)
  • Mistake: No process for “other arrangements.” Fix: create an intake for contingent workforce provisioning and deprovisioning with an authoritative roster. (45 CFR Parts 160, 162, 164)
  • Mistake: Shared accounts persist after termination. Fix: eliminate shared accounts or enforce credential rotation and compensating monitoring documented in the ticket. (45 CFR Parts 160, 162, 164)
  • Mistake: Evidence is scattered and not reproducible. Fix: centralize offboarding tickets and attach standard evidence checklists; Daydream-style evidence requests help keep samples consistent.

Enforcement context and risk implications

No public enforcement cases were provided in the available source catalog, so this page does not cite specific actions. Practically, termination failures increase the likelihood of unauthorized access to ePHI by former workforce members or by anyone who gains access to their still-active credentials. That elevates breach risk, complicates incident response, and creates audit exposure because the requirement is explicit and easy to test. (45 CFR Parts 160, 162, 164)

Practical execution plan (30/60/90-day)

Time-bound implementation depends on your environment, but you can sequence work into phases:

First 30 days (Immediate stabilization)

  • Draft or refresh the termination procedures document, including triggers beyond HR termination. (45 CFR Parts 160, 162, 164)
  • Identify all systems that can access ePHI and name a business/technical owner for each. (45 CFR Parts 160, 162, 164)
  • Implement a single offboarding ticket type with mandatory fields and an evidence checklist.
  • Run a spot check on recent offboardings to find gaps (app accounts, VPN, EHR). Document remediation.

Days 31–60 (Make it repeatable and testable)

  • Integrate HR/contractor roster triggers with the offboarding workflow so terminations reliably create tickets.
  • Formalize playbooks for involuntary terminations, role changes, and leaves of absence.
  • Establish reconciliation between workforce rosters and enabled accounts for key systems. (45 CFR Parts 160, 162, 164)
  • Train HR, managers, and system owners on what they must do and what evidence they must provide.

Days 61–90 (Operational maturity)

  • Expand reconciliation scope to additional ePHI systems and privileged access pathways.
  • Add manager attestation for “shadow IT” and local tools that might store ePHI.
  • Build metrics that support oversight without relying on unsourced statistics (for example, counts of exceptions, aging of open offboarding tickets, and recurring root causes).
  • In Daydream (or your GRC system), map the control to owners, evidence requests, and an audit-ready evidence package by sample period.

Frequently Asked Questions

Does this requirement apply to contractors and third-party staff?

Yes if they are part of your workforce under an “other arrangement” and have access to ePHI through your environment or under your control. Your termination procedures must cover those arrangements, not just employees. (45 CFR Parts 160, 162, 164)

Is disabling Active Directory or SSO enough?

Only if every ePHI-relevant system truly depends on it for access. Auditors commonly expect proof that EHR and other app-native accounts were disabled or had roles removed, not just that the network account was disabled. (45 CFR Parts 160, 162, 164)

What about internal transfers where the person still works here?

Treat the loss of need-to-know access as a termination event for their prior permissions. Your procedure should require role removal in the EHR and any other ePHI systems tied to the old job function. (45 CFR Parts 160, 162, 164)

Do we have to delete accounts when someone leaves?

The requirement is to terminate access. Many organizations disable accounts promptly and delete later under retention needs, so audit logs remain available while access is ended. (45 CFR Parts 160, 162, 164)

How do we prove we terminated access during an audit?

Keep the offboarding ticket with timestamps plus system evidence such as account status exports, logs, or administrative screenshots from the IdP and key ePHI systems. Add reconciliation results to show you detect stragglers. (45 CFR Parts 160, 162, 164)

What if a third party manages the application that holds ePHI?

Your procedure should still define how access is terminated and how you verify it. If the third party provisions access, require timely deprovisioning and confirmation through the contract and collect evidence (such as termination confirmations) in your offboarding record. (45 CFR Parts 160, 162, 164)
