What Happens to IT Access When an Employee Leaves a Medical Practice

When someone leaves a medical practice, the schedule gets covered and the role gets backfilled. Their access to your systems is usually the one thing that stays exactly where it was.

It's not a dramatic problem. Nothing breaks the day someone walks out the door. There's no alert and no error message. That's exactly why it sits unaddressed for weeks or months. The accounts stay active. The logins still work. In a lot of cases, a former employee can still get into systems that hold patient data long after their last shift.

Medical practice employee offboarding is one of those tasks everyone assumes someone else is doing. In most small offices, nobody actually is.

A former employee with a working login to a system that holds patient data isn't a loose end. It's unauthorized access to PHI sitting in plain view.

Why Offboarding Falls Through the Cracks

In a small office, IT tasks land on whoever is closest to them. When someone is hired, getting them working is urgent, so onboarding usually happens even if it's messy. When someone leaves, the urgency runs the other way. The person is already gone. The pressure is to keep the office running, not to track down every account they ever touched.

So the email account stays open in case something important comes in. The EHR login stays active because nobody is sure how to turn it off without calling the vendor. The shared password nobody wanted to change is still the shared password. The laptop goes into a drawer. The building key comes back, but the digital keys do not.

Run that across a few departures a year and you end up with a practice where a real number of active logins belong to people who no longer work there. Nobody decided to do that. It just happened, one busy week at a time.

What Actually Gets Missed When Someone Leaves

The accounts people remember to close are usually the obvious ones. The risk lives in the ones they forget. In a typical small practice, here's what tends to stay open:

EHR and practice management access. Often left active because disabling it feels like a vendor task, so it gets put off and then forgotten.

Microsoft 365 or Google Workspace email. Sometimes kept on with mail forwarding to a manager, which quietly keeps the old mailbox alive instead of closing it.

Remote access and VPN. Anything that let someone work from home almost never gets reviewed on the way out. The connection just stays open.

Third-party portals. Labs, e-prescribing, clearinghouses, payer portals, and patient communication tools each have their own login, and each one is easy to miss because none of them are in a single list.

Multi-factor tied to a personal phone. If the second factor lived on the employee's own phone, their phone may still be the key to an account after they're gone. This is a close cousin of the shared logins that quietly stay in use.

Email forwarding rules. A rule set up months ago can keep sending copies of practice mail somewhere nobody is watching, long after the account itself looks closed.

None of these show up as a problem on a normal day. All of them are access that should have ended when the employment did.

Why This Is a HIPAA Problem, Not Just Cleanup

It's easy to file offboarding under general tidiness. It isn't. HIPAA expects a practice to remove access when a workforce member leaves. That's not a technicality. It's one of the basic safeguards a practice is supposed to have in place, and it's one of the first things that looks bad if there's ever an incident or a review.

If something goes wrong involving an account that belonged to someone who left six months ago, "we forgot to turn it off" is not a position you want to defend to a patient, an insurer, or a regulator. This is one of the common HIPAA gaps practices don't realize they have.

Cyber insurance carriers are paying attention to this too. Access control and offboarding are showing up on the questionnaires practices have to sign. Answering those honestly is hard when the real answer is that nobody has a process.

The Quieter Risk: Nobody Can Prove It Was Done

Even in practices that do disable some accounts, there's usually no record of what was done. No list of the systems the person had access to. No confirmation that each one was closed. No date.

That missing paper trail is its own risk. If you can't show what access existed and when it was removed, you can't show that offboarding happened at all. It's the same blind spot behind what most small offices can't easily see in their own IT environment. The work might be getting done. There's just no way to prove it, and in healthcare, being able to prove it matters.

What Good Offboarding Actually Looks Like

It doesn't need to be complicated. It needs to be consistent and written down. A workable process for a small practice looks like this:

Disable, do not delete, on the last day. Disabling cuts off access immediately while preserving the mailbox and files you may still need.

Reset any shared credentials the person knew. If a password was shared, it's no longer private the moment they leave.

Reclaim devices and remote access. Laptops, phones, VPN, and any remote tools come off the list the same week, not eventually.

Remove them from every third-party portal. Work from an actual list of the systems the practice uses, not from memory.

Kill forwarding rules and detach personal multi-factor. Make sure no practice email is flowing to a personal account and no login still depends on their phone.

Write down what was closed and when. One short record per departure. That record is what turns "we think we handled it" into something you can actually show.
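The checklist above, and the missing paper trail from the earlier section, as an added example that is not TidalPath's tooling: a small Python audit that reconciles an HR roster against a "user,status" export from each system on the practice's list, flags logins still active or mail still forwarding for departed staff, and produces the one-per-departure record. The roster, exports, column names, system names and addresses are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed HR roster; a blank last_day means still employed.
HR_ROSTER = """email,last_day
jdoe@example-practice.com,
rsmith@example-practice.com,2024-03-15
kperez@example-practice.com,2024-01-31
"""

# Constructed per-system exports, keyed by the names on the practice's own system
# list so every portal is checked, not just the ones people remember.
SYSTEM_EXPORTS = {
    "EHR": "user,status\njdoe@example-practice.com,active\nrsmith@example-practice.com,active\nkperez@example-practice.com,disabled\n",
    "M365": "user,status,forward_to\nrsmith@example-practice.com,active,rsmith.personal@example.net\nkperez@example-practice.com,disabled,kperez.home@example.net\n",
    "VPN": "user,status\nrsmith@example-practice.com,active\n",
    "LabPortal": "user,status\nkperez@example-practice.com,active\n",
}

def departed_staff(roster_csv, as_of_iso):
    """Map email -> last_day for everyone whose last day is on or before as_of_iso."""
    cutoff, gone = date.fromisoformat(as_of_iso), {}
    for row in csv.DictReader(io.StringIO(roster_csv)):
        last = row["last_day"].strip()
        if last and date.fromisoformat(last) <= cutoff:
            gone[row["email"].strip().lower()] = last
    return gone

def audit(roster_csv, exports, as_of_iso):
    """Return (system, email, last_day, issue) for every piece of leftover access."""
    gone = departed_staff(roster_csv, as_of_iso)
    findings = []
    for system, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            email = row["user"].strip().lower()
            if email not in gone:
                continue
            if row["status"].strip().lower() == "active":
                findings.append((system, email, gone[email], "login still active"))
            # Forwarding is flagged even on a disabled account: the rule keeps copying mail out.
            forward = (row.get("forward_to") or "").strip()
            if forward:
                findings.append((system, email, gone[email], f"mail forwarding to {forward}"))
    return findings

def offboarding_record(email, last_day, systems_closed, closed_on_iso):
    """One short, dated record per departure: what was closed and when."""
    lines = [f"Offboarding record for {email} (last day {last_day})"]
    lines += [f"  {s}: access removed {closed_on_iso}" for s in sorted(systems_closed)]
    return "\n".join(lines)
```

Run `audit(HR_ROSTER, SYSTEM_EXPORTS, "2024-04-01")` and every active login or forwarding rule belonging to someone past their last day comes back as a finding, including the disabled mailbox that is still forwarding.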

The hard part isn't any single step. It's that this has to happen every time, reliably, while the office is busy with everything else. That's exactly the kind of routine that slips when IT is somebody's side responsibility instead of somebody's actual job.

Where This Fits

Offboarding is a small example of a larger pattern. Most small practices don't have an IT strategy problem. They have a loose ends problem, and departures are where those loose ends pile up. It's the same theme as what happens when the only person who understands your IT leaves, pointed at your regular staff instead of your tech.

When TidalPath runs managed IT for a practice, offboarding is a standard checklist, not a scramble. Access gets cut on the right day, third-party portals are tracked in one place, and there's a record of what was done. Old accounts get found and closed before they become a problem.

If you're not sure how many active logins in your practice belong to people who left, that's worth knowing. The PracticeReady HIPAA IT Readiness Scorecard surfaces stale accounts and access gaps across the areas that matter most: access controls, documentation, backup verification, and network visibility. It takes a few minutes and gives you a baseline that doesn't come from your current provider.

Book a 15-minute call if you want an outside read on where your practice stands. No pressure, no pitch. Just a straight conversation about your access, your accounts, and what's still open.

Serving small medical practices across Nassau and Suffolk County, Long Island.