When team members leave a clinic or research team, their access needs to be removed immediately to prevent former team members from accessing records they should no longer have access to.
Why is removing access so important?
- We have told patients and research subjects through Privacy Practice Notices and research consent forms that we will protect their data and only allow authorized individuals to have access
- Former employees may steal information about patients to persuade them to move to a new practice
- Former employee accounts are more susceptible to abuse because former employees are less likely to notice or report suspicious activity
- State and federal agencies that enforce HIPAA impose penalties for failure to immediately remove access: https://www.hhs.gov/about/news/2020/10/30/city-health-department-failed-terminate-former-employees-access-protected-health-information.html
How is access removed at BU?
Like most security-related tasks, it is a team effort. Generally, faculty and staff are responsible for asking email@example.com to remove access to network drives (aka the BUMC Y Drive). Similarly, faculty and staff are responsible for removing access to BU Microsoft apps, such as Teams, SharePoint, and OneDrive.
Why is access removal not automatic?
University culture often encourages continued access. For example, because we want to maintain relations with alumni and retirees, their BU Kerberos accounts are not disabled. So anyone who has taken a class at BU or has retired from BU may continue to have access to BU services after they have left. This makes sense for our academic mission, but not for healthcare and some research activities.
We ask that you please do your part and remember to remove access immediately. We also encourage you to periodically send an email to firstname.lastname@example.org and ask who has access to your network drive and folders, and check who has access to applications you control, such as BU Microsoft or BU REDCap.
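As an added illustration of the periodic check described above (this is example code, not a BU or BUMC tool), the following PowerShell script lists every account or group that holds an NTFS permission on a network-drive folder and flags any principal that is not on a roster of current team members. The folder path, the roster file, and the list of always-allowed system principals are assumptions; adjust them to your own share.

```powershell
# Added example, not from the original notice: periodic access review of a
# network-drive folder against a roster of current team members.
param(
    [string]$FolderPath = 'Y:\ClinicShare',      # assumed share path
    [string]$RosterPath = '.\current-team.txt'   # assumed roster: one DOMAIN\account or group per line
)

# Principals expected on every folder that should not be reported (assumption)
$AlwaysAllowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Load the roster, ignoring blank lines and normalising case for comparison
$roster = Get-Content -Path $RosterPath |
    Where-Object { $_.Trim() -ne '' } |
    ForEach-Object { $_.Trim().ToLowerInvariant() }

# Read the folder's access control list and compare each entry to the roster
$acl = Get-Acl -Path $FolderPath
$findings = foreach ($ace in $acl.Access) {
    $principal = $ace.IdentityReference.Value
    if ($AlwaysAllowed -contains $principal) { continue }
    if ($roster -notcontains $principal.ToLowerInvariant()) {
        [pscustomobject]@{
            Folder    = $FolderPath
            Principal = $principal
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Host "Principals with access to $FolderPath that are not on the current roster:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No unexpected principals found on $FolderPath"
}
```

Anything the script reports is a candidate for a removal request to the help desk. Because a permission granted to a group covers every member of that group, review the membership of any group that appears in the listing separately; a departed team member who is still in a group retains access even though their individual account never appears on the folder.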
Please reach out with any questions.
BUMC InfoSec Officer and HIPAA Security Officer