Andrew Montalvo · Dec 1, 2021

Best Practices for Onboarding and Offboarding Medical Practice Staff

Many medical practices have an organized process that begins when new staff members are hired and extends until the employees are socialized into their new roles. Known as onboarding, this process encompasses organized tasks and procedures that enable new employees to adjust to their new positions and responsibilities. Employee onboarding is the process of helping new hires adjust to the social and performance aspects of their new jobs quickly and smoothly. It helps them learn the attitudes and gain the knowledge, skills, and behaviors required to function effectively in their new role.1

In this article, we’ll discuss onboarding and offboarding best practices for medical offices. How can an organized onboarding process help to introduce new staff to your medical practice’s mission, overall vision, requirements, culture, and expectations? In addition, we’ll cover the crucial roles that both onboarding and offboarding play in protecting your practice, your patients, and the integrity and security of your electronic health record (EHR) system and other sources of sensitive data.

Onboarding best practices for medical offices

Practices’ onboarding policies may include the following:2

  • Submitting a job requisition document for approval by Human Resources or the practice’s office manager
  • Obtaining a background check and drug test (which may be required by some ambulatory practices before a hiring decision is approved, particularly those affiliated with a hospital system)
  • Closing the open position and removing any associated job postings
  • Putting together all documentation that the new employee will need to complete, including contracts or agreements, tax documents, payroll information, and any other new employee forms
  • Providing the employee handbook and information about the practice’s benefits package
  • Assigning required training, such as regarding the Health Insurance Portability and Accountability Act (HIPAA); healthcare fraud, waste, and abuse; and security
  • Submitting requests for the provision and setup of the new hire’s computer, monitor, keyboard, mouse, telephone, and any other equipment required for the new employee’s role
  • Ensuring the new hire’s workspace(s) is ready, including a clean desk and chair, office supplies, and anything else he or she may need
  • Conducting onboarding processes required for medical providers, such as providing specific medical equipment and clothing (e.g., lab coats), setting up the providers’ examination rooms, conducting healthcare credentialing, and performing other required procedures
  • Designating time for the new hire’s orientation
  • Sending a Welcome email to the new employee, welcoming him or her to the practice and providing information about what to expect on the first day
  • Providing a tour of the practice’s facility, introducing the new hire to other practice members, and pointing out restrooms, conference rooms, kitchen, breakroom, and provider offices and examination rooms
  • Providing the new hire with a badge and access code or key and discussing any required security measures
  • Designating a peer mentor for the new hire, selecting an employee in the same role, if possible. For example, if your practice already has physicians’ assistants (PAs), and your practice has just hired a new PA, you’ll want to pair the new PA with an experienced colleague in the same role. Likewise, a current front-office employee should be designated as a new front-office hire’s mentor. The mentor will answer any questions, can assist with training, such as through job-shadowing, and can introduce the new hire to all departmental members.
  • Sending an email to everyone in the practice to welcome and introduce the new employee to the team. Consider briefly describing the new employee’s professional background, interests, and hobbies if he or she agrees. This will help make your new employee feel welcome and encourage team members to introduce themselves and welcome the new hire personally.

Did you notice whether anything was missing in the listing above? Unfortunately, there is a major gap that some ambulatory practices fall into: They may neglect to develop and enforce onboarding processes specific to how new employees access and use their practices’ EHR and other software applications and servers.

Protect your practice, patients, and EHR system when adding and removing staff

It’s critical that your medical practice’s onboarding policy considers several factors specific to new employees’ access and use of your EHR. Part of your onboarding policy should include informing your information technology (IT) team about the new hire to ensure they provide access to all necessary software and an appropriate access level based on the new employee’s specific role,3 including your EHR, email, practice management system (PMS), check-in software, and/or other platforms. They should then provide log-in credentials for new hires so that they can access the EHR and any other applications necessary to conduct their work.

Of course, before the above can happen, your practice must already have a policy in place, based on each employee’s role3 regarding the following:

  • Which applications will new employees need to access—and in contrast, are there any applications where an account should not be set up for the new hire? For example, all healthcare providers will need to access your EHR, but perhaps only certain front-office employees will need to enter data in your practice’s PMS.
  • What specific level of access do new employees need in each application? Using your EHR as an example, what workflows will new hires need to fulfill their job responsibilities? Physicians, advanced practice registered nurses (APRNs), and PAs will need the ability to prescribe medications electronically, place orders, and document clinical visits. Front-office staff, by contrast, have a different role and should not have access to e-prescribing functionality or the ability to place orders, although they may need to document patient phone calls. Therefore, your practice will want to define EHR roles that prevent front-office staff from e-prescribing or ordering yet give them the permissions necessary to document notes.

As noted above, develop a protocol concerning who should be notified regarding new hires and their hire dates to ensure their account set-up is completed in any necessary applications. If your ambulatory practice is a small one, your protocol may specify which specific employees should be notified about new hires. For example, notify Employee A to set up the new hire’s email account, Employee B to register the new hire in your PMS, and Employee C to create an account and assign appropriate roles, permissions, and security in your EHR.
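To make the role-based provisioning described above concrete, here is an added example (not Practice Fusion code) that encodes a minimum-necessary permission matrix and audits an exported EHR user list against it, flagging any front-office account that has somehow gained prescribing or ordering rights. The role names, permission names, and sample accounts are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role-to-permission matrix following the article's guidance:
# clinical roles may prescribe and order, front-office staff may document
# phone calls but never prescribe or order. Role and permission names are
# assumptions, not Practice Fusion's own identifiers.
ROLE_PERMISSIONS = {
    "physician":    {"view_chart", "document_visit", "e_prescribe", "place_orders"},
    "aprn":         {"view_chart", "document_visit", "e_prescribe", "place_orders"},
    "pa":           {"view_chart", "document_visit", "e_prescribe", "place_orders"},
    "front_office": {"view_chart", "document_phone_call"},
}
CLINICAL_ROLES = {"physician", "aprn", "pa"}
CLINICAL_ONLY = {"e_prescribe", "place_orders"}  # never outside CLINICAL_ROLES


@dataclass
class EhrUser:
    username: str
    role: str
    permissions: set  # effective permissions as exported from the EHR


def permissions_for_role(role: str) -> set:
    """Minimum-necessary permission set for a role; unknown roles get nothing."""
    return set(ROLE_PERMISSIONS.get(role, set()))


def audit_users(users: list) -> list:
    """Flag every permission an account holds beyond its role, plus a separate
    finding when a non-clinical account can prescribe or place orders."""
    findings = []
    for u in users:
        excess = u.permissions - permissions_for_role(u.role)
        for perm in sorted(excess):
            findings.append((u.username, f"excess permission: {perm}"))
        if u.role not in CLINICAL_ROLES and u.permissions & CLINICAL_ONLY:
            findings.append((u.username, "clinical-only permission on non-clinical role"))
    return findings


# Constructed sample export: a correctly provisioned PA and a front-office
# account that was mistakenly cloned from a provider template.
SAMPLE_USERS = [
    EhrUser("jdoe_pa", "pa", {"view_chart", "document_visit", "e_prescribe", "place_orders"}),
    EhrUser("asmith_fo", "front_office", {"view_chart", "document_phone_call", "e_prescribe"}),
]

if __name__ == "__main__":
    for username, finding in audit_users(SAMPLE_USERS):
        print(username, finding)
```

Running the audit over a real user export after each onboarding (and periodically thereafter) catches accounts that drifted away from their role's minimum-necessary set.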

Minimum necessary disclosure

Not only is proper assignment of roles considered an administrative best practice, it’s also mandated by law. HIPAA requirements necessitate that your EHR setup includes role-based security. Patient information should only be accessed based on “minimum-necessary disclosure” that depends on employees’ specific roles, responsibilities, and required workflows.

In the Practice Fusion EHR, one or more of your staff members will be assigned an Administrator Role, which gives them the ability to add New Users to your EHR. Importantly, your practice does not have to create a completely new account with Practice Fusion for new users. Rather, one of the important benefits of using the Practice Fusion EHR is that an Administrative staff user can simply log into his or her account configured for the Administrative role and add up to 10 new user accounts at a time. Further, there is currently no limit on the number of staff members you can add to your Practice Fusion EHR.

Your onboarding process should also include providing new employees with your practice’s policies concerning how they interact with and store data, such as the following:

  • Required limitations on transferring protected health information (PHI) and other sensitive data to external storage devices, e.g., thumb drives
  • An “acceptable use” policy that outlines the expected conduct of users, including using computers for business purposes only and blocking access to malicious websites. This may include the use of a web content filter, which monitors and enforces the policy.
  • Security controls to prevent phishing, including employee training on recognizing phishing scams and on the proper channels for reporting any attempted phishing attacks
  • Technical controls that monitor website usage and email for signs of phishing activity

Security and the Merit-Based Incentive Payment System Program (MIPS)

MIPS-eligible clinicians must be able to attest “Yes” to having reviewed or conducted a security risk analysis, implemented security updates, and corrected identified security deficiencies.

Your practice’s security policies should include a discussion of specific physical, technical, and administrative security controls that you have in place to protect the integrity, confidentiality, and availability of sensitive information and the safety of staff, patients, and organizational assets. You should also provide information on such policies as part of new employees’ onboarding.

Physical controls

These are security measures that are meant to physically prevent unauthorized access to sensitive information. Your practice’s physical controls may include the use of photo IDs for all employees, closed-circuit surveillance cameras, locked or dead-bolted steel doors, privacy screen protectors, biometrics (such as voice, iris, fingerprint, or other automated methods to recognize and give access to appropriate individuals), and security guards in some cases.

Technical controls

Technical controls use technology to help reduce vulnerabilities in software and hardware. Your practice’s technical controls may include automated software that is installed and configured to protect and secure sensitive data, including:

  • Antivirus software
  • Anti-malware software
  • Spam filtering
  • Encryption
  • Firewalls


Administrative controls

Administrative controls include measures to manage risk and information system security primarily taken by people. These may include onboarding, offboarding, change management, and termination policies as well as auditing any actions taken in your EHR.

What is Offboarding?

As of October 2019, a staggering 72% of employees who have given their notice and announced their resignation have admitted to taking company data within the three months before they left their employer.4

Having organized termination and offboarding processes is just as important as having robust onboarding procedures. Terminating employees is usually a difficult situation at best, and certain processes and paperwork may be completed hastily, potentially leading to mistakes.5

Therefore, to fully protect your practice, your patients, PHI, and your organization’s assets, it’s essential to have an organized offboarding process. In fact, the HIPAA Security Rule specifies that covered entities should “implement termination procedures for terminating access to electronic protected health information when the employment of a workforce member ends.”

HIPAA rules define covered entities as “(1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers who electronically transmit any health information in connection with transactions for which HHS [Health and Human Services] has adopted standards.” A business associate is defined as “a person or entity who, on behalf of a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule.”

A practice’s offboarding processes should include the following to be performed by designated departments or individuals, depending on an ambulatory practice’s size and resources:5

  • Conduct any necessary EHR audits, such as identifying incomplete tasks assigned to the departing user or unsigned notes where the employee is the note owner, to ensure proper reassignment of tasks and finalization of notes.
  • Remove the employee’s access to the practice’s EHR, PMS, and other practice applications immediately upon an employee’s exit or, if possible, even before in cases of termination.
  • Remove the employee’s access to any other user accounts, such as emails and servers.
  • Immediately change administrative passwords if the employee is an administrator and has access to remote desktop applications, servers, etc.
  • Immediately change the security or access code if it is used by all employees.
  • Immediately deactivate access codes, collect any keycards or keys, and take any additional measures that are necessary to prevent the departing employee’s access to the practice.
  • Disable the employee’s remote access to software, servers, virtual private networks (VPNs), or other systems and applications.
  • Ensure that no paper files or devices that contain PHI remain in the employee’s possession.

Offboarding for business associates

Don’t forget that it’s also crucial to have processes in place to appropriately offboard any third-party vendors who have physical access to your practice and/or electronic access. It’s crucial to have an appropriate Business Associate Agreement (BAA) in place as part of onboarding new vendors, since they can appropriately be held liable should they violate the terms of your BAA regarding PHI.

Offboarding vendors should include disabling their remote access and inactivating access to administrative accounts. Unfortunately, such steps can be easily overlooked or forgotten without an official offboarding process for vendors and greatly increase the risk of HIPAA violations.

Further protections for your practice, patients, and PHI

There are additional steps that your practice should consider taking regularly to further enhance security in your practice and ensure an optimal offboarding process. These include the following:5

  • In addition to changing a departing employee’s password immediately, consider making a policy to change all administrative passwords every few months or so.
  • If you haven’t previously instituted immediate deactivation of user accounts as part of your offboarding process, now is the time to do so. When instituting such a policy, also be sure to identify and inactivate all former employees’ accounts that may remain active and be used to improperly access your EHR, PMS, servers, and other platforms.
  • Ensure that all practice computers and applications are current with necessary security and software updates.
  • Regularly review or conduct a security risk analysis, implement security updates, and correct identified security deficiencies as required by MIPS.
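The offboarding checklist above and the recommendation to hunt down former employees’ accounts that are still active both reduce to the same reconciliation: compare the HR roster against each application’s user list. The following added example (not Practice Fusion code) does that with constructed data, assuming an HR roster keyed by employee id with a last day of employment and per-system account exports that record the owning employee id and an admin flag. It lists logins to disable, systems whose administrative passwords must be rotated because a departed administrator held them, and active accounts that no longer map to anyone in HR (for example, a vendor that was never offboarded).

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    system: str    # application the account lives in, e.g. "ehr", "pms", "vpn"
    username: str
    owner: str     # HR employee id (or vendor id) the account was issued to
    active: bool
    is_admin: bool

# Constructed HR roster: employee id -> last day of employment (None = still employed).
ROSTER = {"E100": None, "E101": date(2021, 10, 15), "E102": date(2021, 11, 30)}

# Constructed user-list exports from each application. E101 left in October but
# still has EHR and VPN logins; E102 was a PMS administrator; "V001" is a vendor
# account that no longer maps to anyone in HR.
ACCOUNTS = [
    Account("ehr", "dr.lee", "E100", True, False),
    Account("ehr", "m.garcia", "E101", True, False),
    Account("vpn", "m.garcia", "E101", True, False),
    Account("email", "m.garcia", "E101", False, False),
    Account("pms", "t.nguyen", "E102", True, True),
    Account("pms", "vendor_svc", "V001", True, True),
]

def stale_accounts(accounts, roster, today):
    """Accounts still active for people whose last day is today or earlier."""
    return [a for a in accounts
            if a.active and roster.get(a.owner) is not None and roster[a.owner] <= today]

def orphaned_accounts(accounts, roster):
    """Active accounts whose owner is unknown to HR (e.g. a vendor never offboarded)."""
    return [a for a in accounts if a.active and a.owner not in roster]

def offboarding_report(accounts, roster, today):
    """Action list: logins to disable, systems whose admin passwords need rotating,
    and orphaned accounts to investigate."""
    stale = stale_accounts(accounts, roster, today)
    return {
        "disable": [(a.system, a.username) for a in stale],
        "rotate_admin_passwords": sorted({a.system for a in stale if a.is_admin}),
        "investigate": [(a.system, a.username) for a in orphaned_accounts(accounts, roster)],
    }

if __name__ == "__main__":
    for action, items in offboarding_report(ACCOUNTS, ROSTER, date(2021, 12, 1)).items():
        print(action, items)
```

Running this against fresh exports on a schedule, not only on an employee’s last day, is what turns the one-time checklist into the ongoing control the article recommends.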

If you have additional questions about onboarding and offboarding staff in Practice Fusion, visit our Knowledge Base.

References:

  1. Panopto. What is employee onboarding? Published December 10, 2019. Accessed October 1, 2021: Employee Onboarding Defined - What Is Employee Onboarding? (panopto.com).
  2. Indeed. New hire onboarding checklist. 2021. Accessed October 1, 2021: https://www.indeed.com/hire/c/info/new-hire-onboarding-checklist.
  3. Figlietti C. Postimplementation training and electronic health records: optimizing the onboarding process. CIN: Computers, Informatics, Nursing. Lippincott Nursing Center. January 2017. 35(1);3-5. Accessed October 1, 2021: https://www.nursingcenter.com/journalarticle?Article_ID=3944757&Journal_ID=54020&Issue_ID=3944746.
  4. Agnew R. Your employees are taking your data. Infosecurity Group. October 10, 2019. Accessed October 1, 2021: https://www.infosecurity-magazine.com/opinions/employees-taking-data/.
  5. Abyde. Recently offboarded staff? Don’t forget about HIPAA requirements. 2021. Accessed October 1, 2021: https://abyde.com/hipaa-requirements-for-offboarding-staff/.