Information Governance Meets Employee Turnover

Building your HIT checklist

According to HealtheCareers Network, a career hub for the healthcare industry, shortages of qualified primary care, specialist physicians and nurses are ahead.1 IT staffing woes are also reported. Overall, almost 73 percent of healthcare employers surveyed in 2015 expected to have the same or more job openings from the prior year.2

With so many available positions, experienced healthcare professionals have more employment options than ever before-leading to greater workforce instability for hospitals and health systems. However, does the plethora of open positions also create higher levels of employee turnover? Compensation Data Healthcare, surveying 10,250 healthcare facilities, says yes.3

The average total turnover rate for healthcare employers in 2015 was 19.2 percent, according to the survey. For large health systems, this means hundreds of transitions per year, added costs and heightened privacy risk. This article explores the effects of employee turnover on healthcare organizations and more specifically, how transitions impact privacy, security and HIPAA compliance.

High Costs of Healthcare Turnover

The direct, hard-dollar impact of employee transitions includes separation, recruitment and onboarding costs. And while positions remain vacant, overtime hours for existing staff and/or outsourced services to manage the workload create additional expense. Indirect expenses are more difficult to measure in dollars, but are equally disruptive for healthcare organizations.

Soft costs include increased pressure on existing staff, patients receiving less attention and missed workflow steps (leading to errors and mistakes). Time required by new employees to learn organizational practices, workplace norms and team behaviors is also hard to quantify, but important to recognize.

Within the areas of privacy, security and HIT, employee transitions create a ripple effect. Every turnover requires HIT support to ensure system access is terminated and loopholes for information breach are closed. Strong information governance policies in conjunction with human resource procedures must work together to tame the Wild West of employee turnover in healthcare. The first step is to communicate the change and secure all IT systems.

Build a People-Smart IT Checklist

The HIMSS Cybersecurity Survey of 2016 cites too many applications as a barrier to security in healthcare.4 One northwest children’s hospital recently logged several hundred medical applications including 20 to 30 that were directly connected to the organization’s EHR. Beyond human resource policies and procedures, a comprehensive matrix of every software system must be in place. This includes internal systems and those shared with affiliated providers and business associates.

For example, if a former employee was working in an owned or affiliated clinic, both the clinic and hospital applications should be checked. Systems must include more than just the organization’s EHR. Check underneath desks and behind closet doors to ensure each and every niche software application is identified. Commonly overlooked systems include:

  • Patient scheduling
  • Accounting, general ledger and HR
  • Employee and patient portals
  • Breach tracking
  • Mobile communications
  • Financial systems

Even if the clinic was only a business partner of the organization, an information breach is detrimental to everyone involved. This is where a strong information governance plan comes in with these five steps in mind.

  1. Work together with human resources to ensure IT steps are included within all employee termination policies and procedures.
  2. Create a matrix of all software systems across the entire organization, including owned and affiliated care providers, to update during employee transitions.
  3. Notify all shared software vendors and/or business associates of the personnel change.
  4. Test system access using the terminated employee’s login and passwords to ensure changes were effectively implemented across all systems.
  5. Remain diligent. Continually update your software matrix as new applications are added.

It Only Takes One

Information governance is an organizational mindset, not a once-and-done security concern. It only takes one negligent insider to spur a large-scale information breach. The importance of privacy and security diligence as part of an overall organizational governance plan was emphasized at HIMSS16.

At HIMSS16, every information privacy and security session was packed with attendees and solid, practical information governance advice. Angela Rose, MHA, RHIA, CHPS, director, HIM Practice Excellence, AHIMA, reiterated the importance of security diligence, stating an annual risk analysis is no longer sufficient. “If your analysis is more than three months old, it’s out of date,” she said. The same holds true for employee turnover policies and procedures.

The human factor of information governance is real. Employee turnover is an important area to include within your overall HIT privacy and security plan.


  1. HEALTHeCAREERS Network. Available at
  2. “Managing the Talent Gap in Health Care Staffing.” Available at
  3. “Rising Turnover Rates in Healthcare and How Employers are Recruiting to Fill Openings.”
  4. “2015 HIMSS Cybersecurity Survey.” Available at

About The Author