The Healthcare Employee Offboarding Checklist Nobody Runs on Time
The Login That Never Got Turned Off
A hygienist gives two weeks’ notice. Her last day comes, there is cake in the break room, and everyone moves on. Three months later, nobody has touched her accounts. Her badge still opens the back door. Her login still works in the practice-management system. Her name is still on the shared email inbox, and her phone still has the Wi-Fi password saved. On paper she left in the spring. On the network she never left at all.
This is one of the most common — and most quietly dangerous — gaps we find in small healthcare practices, and it is exactly why every practice needs a healthcare employee offboarding checklist it actually runs on time. It is not exotic. It is not a zero-day. It is an administrative task that everyone assumes someone else did, and that no one wrote down. When a former employee retains access to systems that hold electronic protected health information (ePHI), the practice is carrying risk it cannot see: a disgruntled leaver, a reused password later exposed in an unrelated breach, or simply an account that no longer has a human watching it.
The good news is that offboarding is a solved problem. It just needs a checklist and an owner. This guide gives you both.
Access should leave the building on the same day the person does. Every day it lingers is a day your practice is trusting someone who no longer works for you.
Why Offboarding Is a Security Rule Issue, Not Just an HR One
Offboarding feels like a human-resources chore — collect the keys, process the final paycheck, wish them well. But from a HIPAA standpoint, revoking access is a required security control, not a courtesy.
The HIPAA Security Rule’s Administrative Safeguards include a “Termination Procedures” implementation specification — 45 CFR 164.308(a)(3)(ii)(C) — under which covered entities are expected to have procedures for terminating access to ePHI when a workforce member’s employment ends. The rule does not dictate the exact steps — that is left to what is reasonable and appropriate for your size — but it does expect you to have a process and follow it. An auditor or a breach investigator asking “how do you make sure former staff can’t reach patient data?” is asking a Security Rule question. “We usually get around to it” is not an answer that ages well.
This connects directly to the broader principle we cover in Why Your HIPAA Risk Analysis Cannot Be a Checkbox Exercise: controls that exist only on paper are not controls. A written offboarding policy that nobody runs on the day someone leaves is exactly the kind of gap a real risk analysis is supposed to surface. Offboarding also belongs in the same family of access decisions as MFA for Healthcare — both are about making sure only the right people can reach ePHI, and only in the right ways.
What Access to Revoke When a Healthcare Employee Leaves
The reason offboarding gets missed is that access is scattered. A single clinical employee in a modern practice may touch a dozen or more systems, many of which the office manager does not think of as “IT.” Before you can revoke access, you have to know where it lives.
Here is a realistic inventory of what one employee might have. Your list will vary, but the categories rarely do:
Identity and email
- Microsoft 365 or Google Workspace account (email, calendar, files)
- Any single sign-on identity that logs them into other apps
- Shared mailboxes they were a member of
Clinical and practice systems
- The practice-management / EHR system (the big one)
- Imaging or radiography software
- Patient-communication platforms (recall, texting, reviews)
- Insurance / clearinghouse portals
- E-prescribing or lab-order accounts
Infrastructure and building
- VPN or remote-access accounts
- Wi-Fi credentials saved on personal devices
- Physical badge or door-code access
- Voicemail / phone-system extensions
The quiet ones people forget
- Password-manager vault access
- SaaS tools bought by a department card (scheduling, marketing, e-signature)
- Cloud storage or backup consoles
- Social-media and Google Business Profile logins
If reading that list makes you realize you are not sure who has access to what, you are not alone — and that uncertainty is itself the finding. A current asset and access inventory is the foundation of every other control; we walk through building one in Where Is Your ePHI?.
The Same-Day Offboarding Checklist
Here is a practical sequence you can adapt into your own written procedure. The goal is simple: on the employee’s last working day, access ends. Not next week, not “when the MSP gets to it.” Same day.
On the last day (or the moment a termination is decided, for involuntary departures):
- Disable, don’t delete, the primary identity. Disable the Microsoft 365 / Google Workspace account immediately. Disabling (not deleting) preserves email and files for legal, billing, and continuity needs while instantly cutting off login. Delete later, on a schedule.
- Reset or revoke session tokens. Disabling an account does not always kill active sessions on a phone or laptop. Force a sign-out of all sessions so a still-open app cannot keep working.
- Revoke EHR / practice-management access. Deactivate their user in the clinical system. If your EHR only supports role changes, move them to a no-access role and record the date.
- Remove them from shared mailboxes and distribution lists so patient email no longer flows to an account they could later regain.
- Turn off remote access. Disable VPN and any remote-support / RMM account tied to them.
- Handle physical access. Deactivate the badge, change any shared door code they knew, and collect keys.
- Rotate shared secrets they knew. This is the step everyone skips. If the person knew the guest Wi-Fi password, a shared portal login, or a break-glass password, those are now compromised and must be changed. (The real fix is to stop using shared logins at all — more on that below.)
- Reassign, then wipe, devices. Retrieve laptops, tablets, and phones. Remote-wipe any personal device that held practice data or saved credentials, if your mobile policy allows it.
- Reassign data ownership. Transfer their files, calendars, and any process they solely owned to a named person so nothing goes dark.
Within a few days:
- Confirm the SaaS long tail. Check the department-card tools — texting platform, e-signature, scheduling, marketing — and remove their seats.
- Update your access inventory. Mark the accounts closed and the date. This is your proof the procedure ran.
Document every step. A one-page offboarding record — who left, what was revoked, by whom, on what date — is the artifact that turns “we have a process” into “here is the process, and here is the evidence we ran it.”
A Role-Based Access Decision Table for a Small Practice
Offboarding is far easier when access was granted deliberately in the first place. The counterpart to a good offboarding checklist is role-based access: people get the access their role requires, and nothing more. Then when someone leaves, you are not guessing what to turn off — you turn off their role.
| Role | Typically needs | Should almost never have |
|---|---|---|
| Front desk / reception | Scheduling, patient communication, limited PM system | EHR admin, financial exports, backup console |
| Clinical staff (hygienist, MA, nurse) | EHR clinical modules, imaging | Billing admin, user management, remote infrastructure |
| Billing / insurance | PM billing, clearinghouse portals | Clinical note editing, IT admin |
| Office manager | Broad PM access, some user management | Domain / server admin, backup deletion |
| Owner / provider | Clinical + oversight reporting | Day-to-day IT admin (delegate to the MSP) |
| MSP / IT | Infrastructure, backups, security tooling (under a BAA) | Standing access to clinical notes beyond support needs |
The principle underneath the table is least privilege: grant the minimum access a role needs to do its job. It makes offboarding a one-line action instead of a scavenger hunt, and it limits the damage any single compromised account can do.
Kill the Shared Login
If your practice has one login that “everyone uses” for the front-desk computer, the portal, or the imaging station, offboarding is nearly impossible — you cannot revoke one person’s access to a credential five people share, short of changing it and re-teaching everyone. Shared logins also destroy accountability: when every action is attributed to “frontdesk,” your audit log cannot tell you who did what.
Individual accounts are the fix. Yes, it is a little more setup. But it is the difference between “disable one user” and “change a password and hope the person who left forgets it.”
That said, individual logins are not always fully within your control. Some dental and practice-management platforms — along with certain imaging, e-prescribing, or lab modules — tie a license to a named user profile, so every additional login is a paid seat. On tight seat counts, or where a vendor caps the number of users, a small practice may be forced into some degree of account sharing. That is a real constraint, not an excuse to ignore, and the right move is to manage it deliberately rather than pretend it isn’t happening:
- Push the vendor first. Ask about role-based or read-only seats, non-clinical viewer licenses, or nonprofit/small-practice pricing before you conclude sharing is unavoidable. Licensing terms are more negotiable than they look, and “we need per-user accountability for HIPAA” is a reasonable ask.
- Minimize the blast radius. Reserve any shared credential for the narrowest possible function, and never let a shared login carry administrative rights. Give the people who genuinely need broad or admin access their own named accounts, and share only the low-privilege seat.
- Compensate with the layers you do control. Named Windows or M365 logins, workstation-level sign-in, and your VPN/remote-access accounts can still be individual even when the clinical app itself is shared — so an offboarding still cuts most of a person’s path to ePHI.
Where a shared credential genuinely cannot be avoided — whether because of a legacy system or a license tied to a user profile — the rule is the same: rotate that shared password every time a person who knew it leaves, and make it an explicit, non-optional line in your offboarding checklist so it is never the step that gets forgotten.
Voluntary vs. Involuntary Departures
Most offboarding runs on a friendly timeline: two weeks’ notice, a planned last day. But the riskiest departures are the unplanned ones. When a termination is involuntary or contentious, the offboarding clock should start before the conversation, not after. Access should be revoked at the moment the person is informed — ideally during the meeting — so there is no window in which an upset employee still holds the keys.
This is one of those places where having the checklist ready in advance pays off. You do not want to be improvising which accounts to disable while an emotional conversation is happening down the hall. The MSP or office manager should be able to execute the revocation in minutes on a prearranged signal.
Where the MSP Fits
For most small practices, the practical answer is to make offboarding a shared, documented handoff between the office and the IT partner. HR knows who is leaving and when; the MSP holds the keys to the identity platform, remote access, and infrastructure. Neither can do it alone. The failure mode we see most often is the assumption gap: the practice assumes the MSP automatically knows someone left, and the MSP never got the message.
Close that gap with a single trigger: when anyone leaves, HR notifies IT the same day, in writing. One email, one channel, every time. Cybersecurity is a team effort, and offboarding is one of the clearest examples — it only works when the human process and the technical process are wired together. This is the same shared-responsibility thinking we bring to the rest of the HIPAA Security Rule: the rule sets the expectation, and a small practice meets it by pairing simple procedures with the right technical execution.
Byzantine Takeaway
Offboarding is not glamorous, and it will never make headlines the way a ransomware attack does. But a former employee’s live account is a standing invitation that costs nothing to close and everything to ignore. The fix is not expensive technology — it is a written checklist, an owner, and the discipline to run it on the day someone leaves rather than the month after.
Where to Start
Pick the single most important account — your EHR — and write down today exactly who can access it and how you would revoke that access. Then do the same for email and remote access. Three lists, one afternoon. That is the start of an offboarding procedure that will hold up whether the next departure is a retirement party or a hard conversation.