Employee Offboarding SOP Template for Healthcare Teams
Free employee offboarding SOP template for healthcare HR teams. Covers EHR access revocation, HIPAA exit attestation, credentialing updates, and controlled substance access removal.
Purpose
Ensure every departing healthcare employee is offboarded completely, with all system access revoked, HIPAA obligations acknowledged, credentialing records updated, and controlled substance access removed on or before the last day of employment. This SOP protects patient data, maintains regulatory compliance, and prevents unauthorized access to clinical systems after separation.
Scope
Covers voluntary resignations, involuntary terminations, and retirements for all clinical and non-clinical staff with access to protected health information (PHI) or controlled substances. Also covers physicians, advanced practice providers, and contract staff. Does not cover internal transfers between departments, which follow the role-change access review procedure.
Prerequisites
- Written resignation letter or termination notice documented in the HRIS
- Last day of employment confirmed by the department manager
- HR has the departing employee's complete access profile from IT (all systems, badges, keys, devices)
- Credentialing office has the employee's provider file (for licensed clinical staff)
- Pharmacy has the employee's controlled substance access record (for staff with DEA or facility-level access)
Roles & Responsibilities
HR Manager
- Initiate the offboarding checklist in the HRIS on the day the separation is confirmed
- Schedule the exit interview and coordinate final paycheck and benefits termination
- Collect the signed HIPAA Confidentiality Exit Attestation before the employee's last day
IT Administrator
- Revoke all system access (EHR, email, VPN, badge) by end of business on the last day of employment
- Disable the employee's Active Directory account and remove from all security groups
- Collect facility-issued devices (laptop, phone, pager) and wipe data per policy
Department Manager
- Coordinate knowledge transfer and patient care handoff during the notice period
- Verify the departing employee has completed all open documentation in the EHR
- Return department-specific equipment (keys, ID badge, parking pass) to the appropriate office
Pharmacy Director
- Remove the departing employee's access to automated dispensing cabinets (Pyxis, Omnicell)
- Revoke facility-level controlled substance access and update the DEA registrant list if applicable
- Conduct a final controlled substance inventory count for the employee's assigned areas
Procedure
Within 24 hours of receiving the resignation or termination notice, HR enters the separation details into the HRIS: employee name, department, last day of employment, separation type (voluntary, involuntary, retirement), and reason. This triggers automated notifications to IT, Pharmacy, Credentialing, and the department manager. Each party receives their specific offboarding task list with deadlines tied to the last day of employment.
- aEnter the separation record in the HRIS with all required fields
- bVerify the last day of employment with the department manager
- cConfirm the HRIS sent automated notifications to IT, Pharmacy, Credentialing, and the department manager
- dFor involuntary terminations: coordinate with IT to have access revocation ready to execute at the time of notification
Completion Checklist
Key Performance Indicators
EHR access revocation time
100% of departing employees have EHR access disabled by end of business on their last day
Offboarding checklist completion rate
100% of offboarding checklists fully completed within 3 business days of last day
Controlled substance count discrepancies at offboarding
Zero unresolved discrepancies at time of separation
Equipment recovery rate
100% of facility-issued devices recovered within 14 days of last day
Why This Matters for Healthcare
A former employee with active EHR access is a HIPAA breach waiting to happen. The HHS Office for Civil Rights has penalized healthcare organizations for failing to revoke access to ePHI after employee separation. Beyond HIPAA, unrevoked controlled substance access creates DEA compliance and diversion risks. Credentialing gaps — where a departed provider remains on the active roster — can cause billing and malpractice coverage issues. Every item on the offboarding checklist protects the organization from a specific regulatory or legal risk. Skipping even one item can result in penalties, audit findings, or patient harm.
Common Mistakes
- ×Revoking EHR access the next business day instead of on the actual last day — a former employee can access PHI during that gap
- ×Forgetting to revoke access to ancillary clinical systems (PACS, LIS, pharmacy) after disabling the EHR account
- ×Not conducting the final controlled substance count, which leaves potential diversion undetected
- ×Treating the HIPAA exit attestation as optional — without it, the organization has no documented evidence that the departing employee understood their ongoing obligations
- ×Not running the EHR audit log at separation, which makes it impossible to investigate access concerns that surface later
Healthcare-Specific Notes
Healthcare offboarding has uniquely high stakes because of the sensitivity of the data and materials involved. PHI access, controlled substance access, and credentialing status each carry separate regulatory requirements (HIPAA, DEA, Joint Commission). Epic, Cerner, and athenahealth each handle user deactivation differently — IT staff must know the exact procedure for your system. For involuntary terminations of employees with EHR access, the IT deactivation must be synchronized with the termination meeting to prevent retaliatory data access. Automated dispensing cabinet vendors (BD Pyxis, Omnicell) offer remote deactivation capabilities — configure this for same-day access removal.
Frequently Asked Questions
Learn More About Employee Offboarding
For a deeper look at building onboarding documentation, see our complete guide.