One of the most difficult things you’ll have to do as an employer, if it ever becomes necessary, is to terminate an employee. In today’s complex employer/employee world, making sure you follow the law is critical. The checklist below compiles some things to remember as you consider terminating an employee. But, as always, seek the advice of your legal professional for your specific situation.
Checklist
- Hear all sides of the story
- If the termination is for an offense or incident that the employee maintains did not occur, or may have occurred differently than you understand it, make certain that you have given the employee a full and fair opportunity to explain his or her side of the story. You should also have spoken to witnesses (if any), heard both sides of the story, looked at relevant documents or other evidence, and not prematurely jumped to a conclusion. Even if you are an at-will employer, it is important to have treated the terminated employee fairly.
- Consider consulting with an employment attorney
- If the termination is involuntary, strongly consider consulting with an employment attorney prior to actually terminating the employee, especially where the employee is a member of a “protected class.”* Even if you are an at-will employer, it is often useful to have written documentation confirming that the termination has taken place for non-discriminatory reasons (e.g., performance problems). If the employee is a member of a protected class, be prepared to discuss with your attorney: (a) the employment history of other protected class members who are (or were) employees, and (b) any history of the same or similar offense(s) having been committed by other employees or former employees, whether or not they are members of protected classes. In addition, certain statutes and public policy prohibits terminating employees because they exercise their rights or complain about their treatment under certain federal and state laws such as wage and hour laws, workers’ compensation laws, family leave laws and workplace safety laws.
- Collect from the employee a hard copy of the signed resignation letter, if applicable. If there is no resignation letter, be sure to document the resignation or the reason for any involuntary termination n and place a copy in the employee’s personnel file.
- Obtain a copy of any severance acceptance and release agreement, if applicable.
- Provide the employee with any required post-employment information (or schedule a timely mailing where permitted by law). This may include continuation of benefits information for health insurance, life Insurance, etc., and retirement plan notices or forms, as applicable.
- Give the employee his or her final paycheck or arrange to mail it, depending on state law requirements.
- Obtain office key(s) (building, office, desk, files, cabinets), ID cards, badges and the like from the employee and cancel any key card access.
- Confirm the employee’s forwarding address and inquire whether the former employee wishes to have his or her contact information disclosed to callers, where appropriate.
- Review any list of company-furnished property received by the employee during his or her employment, and verify that all employer-owned equipment and office related items (computers, cell phone, data disks, flash drives, books, disks, uniforms, etc.) have been returned.
- Locks or lock combinations may need to be changed, as well as the password for any office security and other access codes (such as remote computer access passwords).
- Cancel voicemail and email accounts and change practice software passwords, as applicable. Re-route voice messages as appropriate.
- If the employee had a business credit card, check writing authority and/or any banking responsibilities and cancel these authorizations with the applicable institutions. The same applies to any ordering authority with vendors.
- Inform other employees that the individual is no longer employed and instruct them how to handle phone calls or patient inquiries about the former employee.
- Designate an individual to handle requests for employment verification, and decide beforehand what information will be confirmed.
Note: Dentists who are HIPAA covered entities must comply with the HIPAA privacy, security and breach notification regulations and any applicable state law that is more stringent than, or not contrary to, HIPAA. HIPAA requires a covered entity to designate a security official and a privacy official (the same individual can fill both roles) and to document the designations. When a workforce member is terminated, the privacy and security officials should be given timely notice so that they can take steps to protect patient information from inappropriate access, use and disclosure. Termination procedures should be documented and adhered to consistently.
Here are some examples of steps the privacy and security officials might take when a workforce member is terminated:
- Terminate the individual’s authorization to access workstations, devices and programs that contain protected health information, and document these actions. For example:
- (Terminate, suspend or delete the individual’s electronic user accounts, at a minimum, change the individual’s password(s) to a value unknown to them.)
- (Remove the individual’s electronic access privileges from those systems that contain PHI.)
- Collect any devices belonging to the practice that have been used to access, store or transmit protected health information, such as a laptop or USB drive.
- If the individual has used his or her own electronic device to access protected health information, the device may need to be checked to make sure the protected health information has been securely deleted.
- Determine whether the individual had contact with any of the dental practice’s HIPAA “business associates ” (“BAs”) and, if so, notify the BA(s) that the individual’s authority or permissions on behalf of the practice should be rescinded. A BA is an entity or an individual (other than a workforce member) that does something on behalf of the practice involving PHI (for example, an accountant, attorney, clearinghouse, electronic prescribing gateway or health information exchange organization).
- Collect from the individual all keys that can be used to access electronic or hard copy protected health information (e.g., keys to the dental practice, the business office, filing cabinets and storage units).
- De-activate any key cards that permit access to the facility.
- Change alarm system codes.
Document compliance with the termination procedures, and retain for the period required by HIPAA. HIPAA requires compliance documentation to be retained for six years from the date when it was created, or six years from the date when it was last in effect, whichever is later. Documentation of compliance must be produced in the event of a HIPAA audit or investigation. The privacy and security officials should also implement procedures to monitor whether terminated workforce members or other unauthorized individuals may have access to protected health information. For example: regularly review all suspended accounts for activity or attempted activity and investigate any such activity or attempted activity as a potential breach. Audit termination procedures periodically to ensure effectiveness. There is no prescribed interval between audits; the privacy and security officials must determine a reasonable, prudent solution based on the practice’s HIPAA risk assessment. Document periodic audits and retain for the period required by HIPAA (see above).
*“Protected” class is a term used in anti-discrimination law. The following characteristics are considered "Protected Classes" and persons cannot be discriminated against based on these characteristics: race, color, religion, national origin, age, family status, sex, disability, veteran status, genetic information, and in some states and localities, sexual orientation and/or gender identification.
Adapted from the ADA publication The ADA Complete HIPAA Compliance Kit.