If you have an electronic data management system for your electronic records, then from time to time you'll have to deal with the unpleasant task of revoking user access. Keep in mind that your electronic system is a closed system, meaning that access is controlled at all times. Use these three questions to help you determine when revocation is appropriate and how to manage the process:
1. Under what situations should a user have their access revoked? From a compliance perspective, access should be revoked when required training has lapsed.
Any time a training revision affects an electronic system, alert users in advance that the training must be completed before the effective date or their access will be revoked. Think of this advance notice as common courtesy.
From a business perspective, especially when user licenses are limited, periodically run a report showing how often (if at all) each user accesses the system. If more than one year has passed since any activity was detected, consider approaching management about revoking that user's access to free up a license. Often you'll find that the user has changed functional roles and no longer needs access.
2. Should there be a grace period after training has lapsed? A grace period means that after training has lapsed, you still allow users access to the system for some period afterward. From a compliance perspective, you have then allowed users to deviate from the training requirements and can no longer demonstrate control of the system to an auditor, so you should not allow a grace period. It also sends users the negative message that training isn't that important.
3. Once revoked, how soon should access be restored? That depends on your business policy, if you have one. Typically, users will complete their training requirements within 24 hours of revocation and expect you to restore access immediately. This isn't the best use of your time, since you'll spend hours revoking and restoring access just because a user didn't complete their training requirements on time.
It's best to have a business policy that sets a minimum amount of time users must wait after revocation has taken place. The next time you send out a courtesy reminder, users will take notice!
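As an added illustration (not code from the newsletter), here is a small Python access-review routine that applies the three rules above to constructed user records. The one-year dormancy threshold and the zero grace period come from the article; the three-day minimum wait before restoring access is an assumed placeholder for whatever your business policy sets.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Policy values: the one-year dormancy threshold and the no-grace rule come from
# the article; the 3-day minimum wait before restoring is an assumed placeholder.
DORMANCY_THRESHOLD = timedelta(days=365)
GRACE_PERIOD = timedelta(0)
MIN_RESTORE_WAIT = timedelta(days=3)

@dataclass
class User:
    name: str
    training_expires: datetime             # when the current training record lapses
    last_access: Optional[datetime]        # None = never logged in
    revoked_at: Optional[datetime] = None  # set when access was revoked

def should_revoke(user: User, now: datetime) -> bool:
    """Active user whose training lapsed; GRACE_PERIOD is zero, so no leeway."""
    return user.revoked_at is None and now > user.training_expires + GRACE_PERIOD

def is_dormant(user: User, now: datetime) -> bool:
    """No activity for over a year: candidate for freeing a licence."""
    return user.last_access is None or now - user.last_access > DORMANCY_THRESHOLD

def can_restore(user: User, now: datetime) -> bool:
    """Restore only once training is current again AND the minimum wait has passed."""
    if user.revoked_at is None:
        return False
    return now <= user.training_expires and now - user.revoked_at >= MIN_RESTORE_WAIT

def access_review(users, now):
    """Map each user to the action a periodic review should take."""
    report = {}
    for u in users:
        if u.revoked_at is not None:
            report[u.name] = "restore" if can_restore(u, now) else "keep-revoked"
        elif should_revoke(u, now):
            report[u.name] = "revoke"
        elif is_dormant(u, now):
            report[u.name] = "dormant-review"
        else:
            report[u.name] = "ok"
    return report

# Constructed sample records for a review run on 2024-06-01.
NOW = datetime(2024, 6, 1)
SAMPLE_USERS = [
    User("alice", datetime(2024, 12, 31), datetime(2024, 5, 20)),   # training current, active
    User("bob", datetime(2024, 5, 31), datetime(2024, 5, 30)),      # training lapsed yesterday
    User("carol", datetime(2025, 1, 1), datetime(2023, 4, 1)),      # no activity for > 1 year
    User("dave", datetime(2025, 1, 1), datetime(2024, 5, 1), datetime(2024, 5, 31)),  # retrained, wait not over
    User("erin", datetime(2025, 1, 1), datetime(2024, 5, 1), datetime(2024, 5, 20)),  # retrained, wait over
]
```

Running `access_review(SAMPLE_USERS, NOW)` flags bob for revocation, carol for a dormancy review, keeps dave revoked until the minimum wait has elapsed, and clears erin for restoration.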
Read more in Issue #14 of the Current Quality Newsletter: Controlling Access to Your Electronic Data Management Systems.
