Do You Rotate Passwords After an Employee Leaves?

— Access Control & HIPAA

Employee turnover is a fact of life in dental practices. But every departure that isn't followed by a credential audit leaves a door open — sometimes literally — to your patient records, scheduling system, and financial data.

The Credential Problem Is Larger Than It Looks

When a dental office employee leaves, the instinct is to disable their login for Dentrix or Eaglesoft and consider the job done. That's a start, but it covers only one system. Consider how many credentials a typical dental office employee accumulates over time:

  • Windows domain login (or local workstation login)
  • Practice management system (Dentrix, Eaglesoft, Open Dental)
  • Imaging software (Dexis, Apteryx, Romexis)
  • Microsoft 365 or Google Workspace
  • Patient communication platforms (Weave, Solutionreach, Lighthouse)
  • Billing and insurance portals
  • Shared Wi-Fi passwords
  • Physical access codes (door keypads, alarm systems)
  • Remote access tools (if the employee ever worked from home)
  • Shared email accounts or generic logins (like "front@yourdentalpractice.com")

Missing even one of these leaves a potential access point for a disgruntled former employee, or for anyone who learns those credentials second-hand. The only reliable defence is an inventory: a written list of every system, every account, and, for shared logins, every person who has been given the password, so that the audit after a departure is a lookup rather than a guess.
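The audit described above, as an added example that is not part of the original article: a small PowerShell routine that reconciles a per-system access inventory against the HR roster and reports two kinds of finding, individual accounts still enabled for a departed employee, and shared credentials that a departed employee was given and therefore need rotating. The CSV data is constructed for illustration; in practice each block would be an export from AD, Microsoft 365, the practice management system and so on. Column names, the `Find-StaleAccess` function and the `practice.example` domain are assumptions for this example.

```powershell
# Added example, not from the original article. Reconciles an access inventory
# against the HR roster to find credentials a departed employee still holds.
# All data below is constructed; replace it with real exports.

# HR roster: one row per employee. 'Terminated' rows carry a termination date.
$roster = @"
Employee,Status,TermDate
jsmith,Active,
mlee,Terminated,2024-05-03
rpatel,Terminated,2024-06-14
"@ | ConvertFrom-Csv

# Access inventory: one row per (system, account). Shared accounts have no single
# owner; KnownBy lists every employee who has been given that password.
$inventory = @"
System,Account,Type,Owner,Enabled,KnownBy
AD,mlee,Individual,mlee,True,
AD,jsmith,Individual,jsmith,True,
Dentrix,MLEE,Individual,mlee,True,
Dentrix,FRONTDESK,Shared,,True,jsmith;mlee
Weave,front@practice.example,Shared,,True,jsmith;rpatel
Eaglesoft,rpatel,Individual,rpatel,False,
WiFi,Staff-WiFi,Shared,,True,jsmith;mlee;rpatel
"@ | ConvertFrom-Csv

function Find-StaleAccess {
    param([object[]]$Roster, [object[]]$Inventory)

    # Normalise usernames to lower case so 'MLEE' in Dentrix matches 'mlee' in HR.
    $departed = @($Roster |
        Where-Object Status -eq 'Terminated' |
        ForEach-Object { $_.Employee.ToLowerInvariant() })

    $findings = foreach ($row in $Inventory) {
        if ($row.Type -eq 'Individual') {
            # An individual account that is still enabled for a departed person.
            # Already-disabled accounts (Eaglesoft/rpatel above) are not reported.
            if ($row.Enabled -eq 'True' -and
                $departed -contains $row.Owner.ToLowerInvariant()) {
                [pscustomobject]@{
                    System = $row.System; Account = $row.Account
                    Issue  = 'Disable account'; Person = $row.Owner
                }
            }
        }
        else {
            # A shared credential is compromised the moment anyone who knows it
            # leaves, regardless of whether the account itself is 'theirs'.
            $knownBy = @($row.KnownBy -split ';' |
                Where-Object { $_ } |
                ForEach-Object { $_.ToLowerInvariant() })
            $leaked = @($knownBy | Where-Object { $departed -contains $_ })
            if ($leaked.Count -gt 0) {
                [pscustomobject]@{
                    System = $row.System; Account = $row.Account
                    Issue  = 'Rotate shared password'; Person = ($leaked -join ',')
                }
            }
        }
    }
    return $findings
}

Find-StaleAccess -Roster $roster -Inventory $inventory | Format-Table -AutoSize
```

With the constructed data this reports five findings: the AD and Dentrix accounts for mlee to disable, and the Dentrix FRONTDESK, Weave and Wi-Fi shared passwords to rotate. The already-disabled Eaglesoft account is correctly left alone. Run against real exports, an empty result is the evidence you want to file after each departure.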

What HIPAA Says About This

The HIPAA Security Rule's Workforce Security standard (45 CFR 164.308(a)(3)) includes a termination procedures implementation specification: covered entities must have procedures for ending access to ePHI when a workforce member's employment ends, and the Information Access Management standard (164.308(a)(4)) requires that access be granted, reviewed and modified deliberately. The termination specification is "addressable", which does not mean optional; you implement it, or document why an alternative is reasonable and implement that. It applies to every system that can reach protected health information, not just the primary practice management software.

If a former employee accesses your Dentrix data after termination, that is an impermissible access of PHI. Under the Breach Notification Rule it is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised, and an access that slipped through an undocumented offboarding process will not meet that bar. The fact that you forgot to revoke their credentials is not a mitigating factor; it is evidence of a Security Rule failure in its own right.

The Shared Password Problem

Many dental practices use shared logins — one username and password for billing, one for the imaging system, one for the front desk scheduling view. This is understandable from a convenience standpoint, but it creates a serious problem at termination time.

When an employee who knows a shared password leaves, the password has to be changed and the new one communicated to everyone who still needs it. This is disruptive, easy to overlook, and often doesn't happen. Where a vendor product leaves you no choice but a shared login, keep a written register of who has been given that password, so that at termination time you know exactly which ones to rotate.

The right solution is individual accounts for every employee, with role-based access that limits each person to only the systems and data they need to do their job. When someone leaves, you disable their account. One action. No disruption to anyone else. Full audit trail.

A Dental Practice Offboarding Checklist

When an employee leaves — whether voluntarily or not — the following should happen on the same day, ideally before they leave the building:

  1. Disable their Windows/domain account immediately and reset its password. Disabling blocks new logons to workstations and domain-authenticated services, but it does not end sessions that are already open, and a domain-joined laptop the employee has at home will keep accepting cached credentials until it next contacts a domain controller. Reset the password as well, and recover the device.
  2. Revoke Microsoft 365 / Google Workspace access and sign out active sessions. Disabling the account stops new sign-ins, but tokens already issued to a phone or laptop stay valid until they expire, so also use the per-user "Revoke sessions" action (Microsoft 365) or the per-user sign-out / reset sign-in cookies action (Google Workspace).
  3. Disable their login in Dentrix, Eaglesoft, or your practice management system. Don't just change the role — disable the account.
  4. Revoke access to imaging software, patient communication platforms, and any billing portals.
  5. Change any shared passwords that the employee knew, including Wi-Fi passwords, alarm codes, and door codes if applicable.
  6. Revoke VPN and remote access credentials if the employee ever worked remotely.
  7. Retrieve any physical keys, badges, or access cards.
  8. Document everything — who did what, when. This documentation is your HIPAA evidence if you're ever audited or experience an incident.
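Steps 1, 2, 6 and 8 of the checklist above, as an added example script that is not part of the original article and not a vendor tool. It assumes a Windows domain plus Microsoft 365, the ActiveDirectory (RSAT) module and the Microsoft.Graph PowerShell SDK installed, and an operator already connected with `Connect-MgGraph -Scopes 'User.ReadWrite.All'`. The `practice.example` domain, the `Disabled Users` OU and the log path are placeholders to adjust for your environment; the practice management and imaging systems (steps 3 to 5) have their own admin consoles and are not covered here.

```powershell
# Added example, not from the original article. Same-day offboarding for a
# Windows domain + Microsoft 365 environment, with an evidence log.
# Assumes: RSAT ActiveDirectory module, Microsoft.Graph SDK, Connect-MgGraph done.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,                       # e.g. mlee
    [string] $UserPrincipalName = "$SamAccountName@practice.example",      # placeholder domain
    [string] $DisabledOu = 'OU=Disabled Users,DC=practice,DC=example',     # placeholder OU
    [string] $LogPath = 'C:\Offboarding\offboarding-log.csv'               # placeholder path
)

$log = New-Object System.Collections.Generic.List[object]
function Write-Step {
    param([string]$Step, [string]$Result)
    # Every action is recorded with a timestamp and the operator: step 8, the HIPAA evidence.
    $log.Add([pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        Operator  = $env:USERNAME
        User      = $SamAccountName
        Step      = $Step
        Result    = $Result
    })
}

try {
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # Step 1: disable the account AND reset the password. Disabling alone leaves
    # cached credentials on an off-site laptop usable until it next reaches a DC.
    Disable-ADAccount -Identity $user
    $randomPwd = "Off!$([guid]::NewGuid())"   # meets default complexity; never written down
    Set-ADAccountPassword -Identity $user -Reset -NewPassword (
        ConvertTo-SecureString $randomPwd -AsPlainText -Force)
    Write-Step 'Disable AD account and reset password' 'OK'

    # Step 6: strip every group membership. In most small domains VPN, remote
    # desktop and file-share rights are granted through groups, so this removes
    # remote access even before the VPN appliance itself is checked.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        Write-Step "Remove from group $groupDn" 'OK'
    }

    # Keep the object (audit history, mailbox ownership) but park it in an OU
    # where no GPO or delegated admin grants it anything.
    Set-ADUser -Identity $user -Description "Offboarded $(Get-Date -Format 'yyyy-MM-dd') by $env:USERNAME"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
    Write-Step 'Move to Disabled OU' 'OK'

    # Step 2: block cloud sign-in and revoke refresh tokens. Disabling alone
    # leaves already-issued tokens valid until they expire (typically about an
    # hour); the session revoke is what ends an open Outlook or Teams session.
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    Write-Step 'Disable M365 account and revoke sessions' 'OK'
}
catch {
    Write-Step 'ERROR' $_.Exception.Message
    throw
}
finally {
    # Step 8: append to the evidence log whether or not every step succeeded,
    # so a partial run is visible rather than silently forgotten.
    $log | Export-Csv -Path $LogPath -Append -NoTypeInformation
}
```

Run it as `.\Offboard-User.ps1 -SamAccountName mlee` from a workstation with the RSAT tools, immediately after (or during) the termination conversation. The order matters: on-premises AD first, because that is what the workstations in the building trust, then the cloud revoke, because that is what the employee's phone is holding. The CSV log, kept with your other HIPAA documentation, is the record an auditor will ask for.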

Terminations Are High-Risk Moments

Involuntary terminations, when someone is let go unexpectedly, carry a particularly high-risk window between the moment the conversation happens and the moment access is revoked. It is not uncommon for a disgruntled employee to use that window to log in, copy patient data, or cause damage.

For involuntary terminations, the ideal approach is to revoke access before or simultaneously with the conversation — which requires coordination between practice management and whoever manages your IT. Having a documented, repeatable offboarding process makes this possible without scrambling.

Does Your Practice Have a Written Offboarding Process?

HIPAA auditors don't just want to know that you revoke access when people leave. They want to see a documented, consistent procedure. A one-page offboarding checklist — reviewed annually and followed every time — is a simple but meaningful piece of compliance evidence.

If your practice doesn't have one, or if you're not confident that your current process covers all the systems above, a technology assessment is a good place to start. We work with Colorado Front Range dental practices to map out every access point, identify gaps, and build processes that hold up under HIPAA scrutiny.

Want to know if your access controls and offboarding process are HIPAA-ready? We'll review your current setup and give you a plain-English assessment.

Schedule a Free Consultation