The Receptionist Who Left Six Months Ago Still Has Full EMR Access: User Account Management for Healthcare Practices

During a compliance review at a four-provider medical practice, I asked the practice manager to show me the list of active users in their EMR system. There were nineteen active accounts. The practice currently had fourteen staff members.

Five accounts belonged to people who no longer worked there. One had left two weeks ago. One had been gone for three months. The other three had departed between six months and two years earlier. All five accounts were active. All five had the same access privileges they had held when employed. None had been disabled.

When I asked the practice manager why the accounts were still active, her response was uncomfortable but honest: “Nobody told me to disable them. IT set up the accounts when people started, but there’s no process for removing them when people leave.”

This practice was in technical violation of HIPAA’s access control requirements. If any of those five former employees had logged into the EMR system — intentionally or accidentally — and accessed patient records, the practice would be liable for a security breach.

The practice manager spent the next hour disabling accounts. But the larger problem remained: there was no system for ensuring this would not happen again.

The Access Control Gap

EMR access management sits at the intersection of two pressures that healthcare practices handle poorly: compliance requirements and staff turnover.

On the compliance side, HIPAA mandates access controls — unique user identification, role-based access, prompt termination of access when no longer needed, and audit trails of who accessed what. These requirements are clear and well-documented.

On the operational side, healthcare practices experience staff turnover rates of 15-25% annually. Receptionists, billing coordinators, dental assistants, and clinical staff cycle through practices with enough frequency that access provisioning and deprovisioning is a regular administrative task, not a rare event.

The problem is that nobody in most small practices owns this task. The EMR vendor or an IT contractor sets up new accounts. The practice manager handles onboarding paperwork. But when staff leave, the departure process focuses on returning keys, collecting uniforms, and processing final payroll — not on disabling system access.

The Role-Based Access Problem

Even when accounts are active for current staff, the access levels are often wrong. A receptionist who was promoted to billing coordinator six months ago still has receptionist-level access — which may be insufficient for her current role, leading her to use a shared login with higher privileges. A dental assistant who moved from clinical to administrative work still has clinical-level access to patient treatment records she no longer needs.

Role-based access means that each user’s EMR permissions should match their current job function — nothing more, nothing less. This principle, known as “minimum necessary access” under HIPAA, requires that staff only access the patient information they need to perform their job duties.

In practice, most small practices have two or three access levels (admin, full access, front desk), and staff are assigned whichever level seems closest to their needs at the time of onboarding. Access levels are never reviewed unless a specific problem arises.

The Departure Checklist

The most critical moment in EMR account management is the moment a staff member leaves. Whether the departure is voluntary or involuntary, the access termination window is the same: within 24 hours, ideally within the hour for involuntary terminations.

The departure checklist for EMR access should include:

1. Disable the EMR login — the primary action. The account should be suspended or deactivated, not deleted (deletion destroys the audit trail of the user’s historical access).
2. Revoke any shared or secondary credentials — if the staff member had access to shared drives, practice management software, email systems, or other clinical systems beyond the EMR, those need to be disabled as well.
3. Review recent access — pull the audit log for the departing staff member’s account for the past 30 days. Look for any anomalous access patterns (accessing records of patients they did not treat, bulk record access, or after-hours access). This is particularly important for involuntary terminations where the staff member may have anticipated their departure.
4. Document the deactivation — record the date, time, and reason for deactivation in the access register. This documentation is essential for compliance audits.
5. Transfer any active work — if the departing staff member had patient communications, pending tasks, or workflow items in the EMR, reassign them before deactivating the account.

The Audit-Ready Practice

When a HIPAA audit arrives — whether triggered by a complaint, a breach investigation, or a random compliance review — the auditor will ask for documentation of your access control procedures. They want to see:

• A current list of all users with system access and their access levels
• Documentation of how access levels are determined (role-based policy)
• Evidence of regular access reviews (quarterly review completion records)
• Offboarding records showing timely access termination for departed staff
• Audit logs showing who accessed what patient information and when

The practice that maintains an access register with provisioning dates, review dates, and deactivation records can produce this documentation in minutes. The practice that does not maintain these records will spend days reconstructing them — if reconstruction is even possible.

The Practical Path Forward

EMR account management does not require expensive identity management software. For a practice with 10-30 staff members, a Google Sheets access register with automated alerts achieves 90% of the compliance benefit at zero software cost.

The keys are consistency and documentation. Every account provisioned is logged. Every departure triggers a deactivation alert. Every quarter, the active accounts are reviewed against the staff roster. Every change is documented with a date and reason.

The staff turnover in healthcare means this is not a one-time setup task — it is an ongoing discipline. But the discipline required is minimal: a few minutes when someone joins, a few minutes when someone leaves, and a quarterly review that takes thirty minutes. The cost of not maintaining this discipline — a HIPAA violation, a data breach, a compliance audit with no documentation — is disproportionately higher than the effort required to prevent it.

Your patient data is your most sensitive asset. Knowing who can access it, verifying that access is appropriate, and ensuring that access ends when employment ends is not an IT luxury. It is a compliance requirement and a patient trust obligation. Build the register. Automate the alerts. And never again discover that someone who left six months ago can still read every patient record in your practice.