The principle of least privilege — giving each user access only to the systems and data their role requires — is stated in virtually every HIPAA Security Rule guidance document and violated in virtually every home health agency I assess. The violations are not deliberate. They are the accumulated result of practical decisions made under operational pressure: a new supervisor who was given her predecessor's full access profile because it was faster than building a new one; a billing coordinator who was given EHR clinical access to help cover during a staffing shortage two years ago and whose access was never reduced; a former clinical director whose Microsoft 365 account was deactivated but whose EHR access persisted because the two systems have different deactivation processes.
The HIPAA Security Rule requirement for access control reviews is clear: covered entities must implement policies and procedures for authorising access to ePHI based on the workforce member's role, and must review those access rights periodically to ensure they remain appropriate. "Periodically" in HIPAA terminology means often enough to catch the violations that accumulate through staff transitions, role changes, and operational exceptions — which at a home health agency means at minimum quarterly.
What a Formal Access Review Examines
A formal access control review does not ask whether users can log in — it asks whether what users can access after logging in is appropriate for their current role. The review examines:
- Active accounts vs. current workforce: every active account in the EHR, Microsoft 365 or Google Workspace, scheduling system, and billing platform should correspond to a currently employed or contracted workforce member with a legitimate need for access. Accounts belonging to former employees, former contractors, or former volunteers that remain active are an immediate remediation priority.
- Access level vs. current role: a nurse aide who was promoted to clinical supervisor 18 months ago may still have an aide-level EHR access profile that does not reflect her current responsibilities, or — more commonly — may have been given supervisor-level access to a broad set of patient records that exceeds what her specific caseload requires.
- Cross-functional access anomalies: billing staff who have clinical record access beyond what billing functions require; clinical staff who have billing system access; administrative staff who have scheduling access to patient populations outside their assigned branch or region.
- Dormant accounts: accounts belonging to active employees who have not logged in for 30 or more days — which may indicate the account is no longer needed, the employee has changed roles, or the account represents a system the employee does not actually use.
How to Conduct a Quarterly Access Review at a Home Health Agency
The quarterly access review does not need to be a weeks-long audit. For a home health agency of 50–200 staff, a focused quarterly review can be completed in 4–8 hours by the HIPAA Security Officer in collaboration with the EHR administrator and the HR department:
- Step 1: Pull the current active user list from every system containing ePHI — EHR, Microsoft 365 or Google Workspace, scheduling platform, billing system. This is the universe of accounts to review.
- Step 2: Cross-reference against the current HR active employee and contractor roster. Any account that does not correspond to a current workforce member is flagged for immediate deactivation.
- Step 3: For each active account, confirm the access profile matches the current role. Compare the access level in each system against the role-based access matrix — the document that defines what each role should be able to access.
- Step 4: Document all findings — active accounts confirmed appropriate, accounts deactivated, access levels reduced — in the access review log. This log is your HIPAA compliance evidence.
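The four steps above, and the four review criteria listed under "What a Formal Access Review Examines", are mechanical enough to script once the per-system user exports and the role-based access matrix are in hand. The following Python is an added example, not ShieldForce's tooling or any vendor's API: the HR roster, the access matrix, the account export format and every name and date in it are constructed for illustration. It merges the exports (Step 1), flags accounts with no current workforce member (Step 2), compares each remaining account's access level against the matrix for the person's current role (Step 3), flags dormant accounts, orders findings highest-risk first, and renders the CSV access review log (Step 4).

```python
"""Quarterly access review worked through in code (added example; all data is constructed).
Cross-references per-system account exports against the HR roster and the role-based
access matrix, flags orphaned, excessive and dormant accounts, and renders the review log."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_DATE = date(2024, 7, 1)  # constructed review date
DORMANT_DAYS = 30               # no login for this many days => dormant

# Role-based access matrix (constructed): role -> system -> permitted access levels.
# A system absent from a role's entry means that role should hold no account there.
ACCESS_MATRIX = {
    "nurse_aide":          {"ehr": {"aide"}, "m365": {"user"}, "scheduling": {"branch_view"}},
    "clinical_supervisor": {"ehr": {"supervisor"}, "m365": {"user"}, "scheduling": {"branch_edit"}},
    "billing_coordinator": {"ehr": {"billing_view"}, "m365": {"user"}, "billing": {"coder"}},
    "clinical_director":   {"ehr": {"admin"}, "m365": {"admin"}, "scheduling": {"all_edit"}},
}

# Current HR active roster (constructed): employee id -> current role.
HR_ROSTER = {"E101": "clinical_supervisor", "E102": "billing_coordinator", "E103": "nurse_aide"}


@dataclass
class Account:
    system: str
    username: str
    employee_id: Optional[str]   # None when the export carries no HR linkage
    access_level: str
    last_login: Optional[date]   # None when the user has never logged in


@dataclass
class Finding:
    category: str                 # orphaned | excess | dormant | ok
    system: str
    username: str
    detail: str
    action: str
    deadline_days: Optional[int]  # business days allowed for remediation


# Step 1: merged active-user lists from every ePHI system (constructed). E199 is a former
# clinical director: the M365 account was deactivated (no m365 row) but EHR admin persists.
SAMPLE_ACCOUNTS = [
    Account("ehr", "a.reyes", "E101", "supervisor", date(2024, 6, 28)),
    Account("ehr", "b.chen", "E102", "clinical", date(2024, 6, 30)),          # billing staff, clinical access
    Account("ehr", "c.okafor", "E103", "aide", date(2024, 5, 10)),            # no login for 52 days
    Account("ehr", "dir.former", "E199", "admin", date(2024, 3, 1)),          # former employee
    Account("m365", "a.reyes", "E101", "user", date(2024, 6, 30)),
    Account("m365", "b.chen", "E102", "user", date(2024, 6, 30)),
    Account("billing", "b.chen", "E102", "coder", date(2024, 6, 29)),
    Account("scheduling", "c.okafor", "E103", "all_edit", date(2024, 6, 30)),  # beyond own branch
]

PRIORITY = {"orphaned": 0, "excess": 1, "dormant": 2, "ok": 3}


def review_access(accounts, roster, matrix, as_of, dormant_days=DORMANT_DAYS):
    """Steps 2 and 3: give every account exactly one category, highest risk first.
    Orphaned outranks excess, which outranks dormant, since the first two change what the account can do."""
    findings = []
    for a in accounts:
        role = roster.get(a.employee_id) if a.employee_id else None
        if role is None:  # Step 2: no current workforce member behind this account
            findings.append(Finding("orphaned", a.system, a.username,
                                    "no matching current workforce member",
                                    "deactivate same day", 0))
            continue
        permitted = matrix.get(role, {}).get(a.system, set())
        if a.access_level not in permitted:  # Step 3: access level vs. role in the matrix
            findings.append(Finding(
                "excess", a.system, a.username,
                f"{role} holds '{a.access_level}'; permitted: {', '.join(sorted(permitted)) or 'no account'}",
                "reduce to role profile; notify employee and supervisor", 5))
            continue
        idle = None if a.last_login is None else (as_of - a.last_login).days
        if idle is None or idle >= dormant_days:
            findings.append(Finding(
                "dormant", a.system, a.username,
                "never logged in" if idle is None else f"no login for {idle} days",
                "confirm with supervisor whether the account is still needed", 5))
            continue
        findings.append(Finding("ok", a.system, a.username, f"{role}: access matches matrix", "none", None))
    findings.sort(key=lambda f: (PRIORITY[f.category], f.system, f.username))
    return findings


def access_review_log(findings, as_of, reviewer):
    """Step 4: render findings as the CSV access review log kept as compliance evidence."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["review_date", "reviewer", "system", "username", "category",
                "detail", "required_action", "deadline_business_days"])
    for f in findings:
        w.writerow([as_of.isoformat(), reviewer, f.system, f.username, f.category,
                    f.detail, f.action, "" if f.deadline_days is None else f.deadline_days])
    return buf.getvalue()


def run_quarterly_review(as_of=REVIEW_DATE):
    """Run the review over the constructed sample data."""
    return review_access(SAMPLE_ACCOUNTS, HR_ROSTER, ACCESS_MATRIX, as_of)


if __name__ == "__main__":
    print(access_review_log(run_quarterly_review(), REVIEW_DATE, "HIPAA Security Officer"))
```

On the sample data the script surfaces the three patterns the article describes: the former director's orphaned EHR admin account (same-day deactivation), the billing coordinator's clinical EHR access and the aide's cross-branch scheduling access (reduce within five business days), and an aide account idle for 52 days. In a real agency the exports would be read from each system's user-list report and the roster from HR, but the matrix itself is the part that has to exist before any of this can run; a review without a written matrix has nothing to compare against.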
Remediating Excessive Access
When the review identifies excessive access — which it will — remediation must be prioritised by risk. Former employee accounts with active access are the highest priority: deactivate them immediately, the same day, regardless of what else is on the calendar. Active employee accounts with access exceeding current role requirements come next: reduce the access within five business days, with notification to the employee and their supervisor. Document every remediation action with the account affected, the access change made, the date, and the reviewer.
Protecting your home health agency starts with understanding exactly where you stand today. ShieldForce delivers a free, no-obligation HIPAA Risk Assessment — thirty minutes with a healthcare cybersecurity expert who has spent three decades inside this industry. You will leave with a clear picture of your gaps, your priorities, and what a fully managed security programme looks like for an organisation exactly like yours.
→ Schedule Your Free HIPAA Risk Assessment — shieldforce.io/hipaa-assessment
→ Explore Home Healthcare Cybersecurity — shieldforce.io/home-healthcare
→ View Transparent Pricing from $35/user/month — shieldforce.io/pricing-comparison

