IT Access Revocation Checklist for Healthcare & Allied Health

A comprehensive checklist for revoking all IT system access, recovering digital assets, and securing company data when an employee or contractor departs.

Per event | 30-60 minutes | 15 items

Compliance Note

Includes safeguards for Australian Privacy Principles (APPs), Medicare compliance, and health record management under the My Health Records Act. All patient data handling follows AHPRA guidelines.

Complete Checklist

  1. Disable the employee's primary user account in the directory service (Critical)
  2. Revoke email access and set up an auto-reply or forwarding rule (Critical)
  3. Remove access to all business applications and cloud services (Critical)
  4. Disable VPN and remote access credentials (Critical)
  5. Remove the employee from all shared drives and collaboration platforms
  6. Transfer ownership of shared documents and files to the appropriate person
  7. Revoke access to financial systems and banking platforms
  8. Remove the employee from all email distribution lists and group chats
  9. Change any shared passwords or system credentials the employee had access to (Critical)
  10. Recover the company laptop, phone, and any other IT equipment
  11. Wipe company data from any personal devices used under a BYOD policy
  12. Archive the employee's email mailbox and files for retention purposes
  13. Deactivate the employee's phone extension and voicemail
  14. Update the IT asset register to reflect returned or reassigned equipment
  15. Confirm all access has been revoked and record the completion (Critical)

Frequently Asked Questions

What should we do about shared passwords and accounts the employee knew?

Change all shared passwords and credentials immediately upon departure. This includes social media accounts, shared admin credentials, Wi-Fi passwords, and any system accounts that use shared logins. Implement a password manager and individual account access wherever possible to reduce dependency on shared credentials in the future.

How long should we retain a departed employee's email and files?

Best practice is to archive email and files for at least 12 months to handle any follow-up enquiries, legal matters, or business needs. Some industries have longer mandatory retention periods. Set up email forwarding to the departing employee's replacement during the transition period. Establish a clear data retention policy and follow it consistently.

When should IT access be revoked during the offboarding process?

For voluntary resignations, access is typically revoked at the end of the employee's last working day. For terminations, especially those involving misconduct or sensitive data, access should be revoked simultaneously with or immediately after the termination consultation. Have IT prepared in advance so revocation can happen promptly when triggered.
