HIPAA SA-3.3: Workforce Security — Termination Procedures
When employees or contractors leave your organization, revoking access to ePHI isn't optional—it's a HIPAA Security Rule mandate. SA-3.3 requires documented procedures for immediate access termination, ensuring protected health information stays protected even after workforce changes. Non-compliance exposes your organization to audit findings and potential enforcement action.
What this means
SA-3.3 requires covered entities and business associates to establish and implement written procedures that immediately revoke or terminate a workforce member's access to ePHI when employment or contractual relationships end. This applies to all systems, applications, and physical access points containing or connected to electronic protected health information. The termination procedures must be triggered automatically or within a defined timeframe based on HR notifications and must be documented in your security policies.
How to comply
- 1.Document a written Workforce Termination Policy that defines roles, responsibilities, and timelines for access revocation
- 2.Create a termination checklist covering all ePHI systems, databases, email, VPN, facility badges, and hardware
- 3.Establish a communication protocol between HR and IT/Security to trigger immediate access reviews upon termination notice
- 4.Implement automated or scheduled access revocation in identity and access management (IAM) systems
- 5.Conduct exit interviews that include confirmation of all ePHI access removals and device return
- 6.Archive or securely destroy all ePHI stored on user devices, removable media, or cloud accounts within defined retention schedules
- 7.Document all termination actions with timestamps and evidence of completion for audit trails
- 8.Review and test termination procedures at least annually to ensure effectiveness
Evidence auditors look for
- Signed Workforce Termination Policy document approved by leadership
- Exit checklist template with sign-offs from IT, Security, and HR
- Active Directory or IAM system logs showing user account disablement dates aligned with termination dates
- Email distribution list removals and application access audit reports
- VPN and remote access revocation logs
- Physical access badge deactivation records
- Device encryption verification and secure data wipe confirmations
- Exit interview forms documenting ePHI access revocation acknowledgment
- Annual policy review and testing documentation
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates termination workflows by integrating with your HR systems to trigger immediate access revocation across all ePHI systems, generating audit-ready termination logs and checklists for every workforce departure.
See how GRCWatch handles this control automatically
Start free trial