Northline Technologies
4 min read · Clinic Guides

Onboarding a New Staff Member Securely: A 10-Minute Checklist

Hiring a new front-desk staffer or locum? Run this checklist before they see a single patient record.

Healthcare IT Team · Oct 21, 2025

Before day one

Have the signed confidentiality and acceptable-use agreement on file — before access is provisioned, not after. Schedule the PHIPA training session for the morning of day one. Confirm which role-based access the new hire actually needs; nobody should land on day one with full EMR admin.

If you don't have a role-based access matrix today, building one is part of every managed IT engagement.

Provision an individual account — never share logins

Shared accounts are the single most common audit failure we see. 'Frontdesk1' might feel convenient, but it makes audit logs useless and PHIPA breach investigations impossible to scope. Every person gets their own account.

Enrol them in MFA on day one — not 'when they have time.' Use an authenticator app and give them a printed quick-start sheet.

Apply role-based access — least privilege wins

Front desk needs scheduling and basic patient demographics. Billing needs claims and payment screens. Clinicians need full charts. Each role gets a template; new hires get assigned to a template, not provisioned by hand.

Document which template each role uses. When someone changes roles, you change the template — not twenty individual permissions.
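
One way to check the two rules above (individual accounts with MFA, and permissions that come only from a role template) against an account export. This is an added example, not Northline's tooling: the role names, permission strings, export layout and sample accounts are all constructed assumptions.

```python
# Added example: audit an account export against role templates.
# Role names, permission strings and the export layout are assumptions.
ROLE_TEMPLATES = {
    "front_desk": {"scheduling", "demographics"},
    "billing": {"claims", "payments"},
    "clinician": {"full_chart"},
}

# Constructed sample export: one row per account.
ACCOUNTS = [
    {"login": "a.singh", "owner": "Asha Singh", "role": "front_desk",
     "mfa": True, "perms": {"scheduling", "demographics"}},
    {"login": "frontdesk1", "owner": None, "role": "front_desk",
     "mfa": False, "perms": {"scheduling", "demographics"}},
    {"login": "m.okafor", "owner": "Mara Okafor", "role": "billing",
     "mfa": True, "perms": {"claims", "payments", "full_chart"}},
    {"login": "j.tremblay", "owner": "Jules Tremblay", "role": "locum",
     "mfa": True, "perms": {"full_chart", "emr_admin"}},
]

def audit_account(acct, templates=ROLE_TEMPLATES):
    """Return a sorted list of findings for one account (empty = clean)."""
    findings = []
    if not acct.get("owner"):
        findings.append("shared: no named individual owns this login")
    if not acct.get("mfa"):
        findings.append("mfa: not enrolled")
    template = templates.get(acct.get("role"))
    if template is None:
        # No template means the account was provisioned by hand.
        findings.append(f"role: no template for '{acct.get('role')}'")
        return sorted(findings)
    extra = set(acct["perms"]) - template
    missing = template - set(acct["perms"])
    if extra:
        findings.append("drift: hand-granted beyond template: " + ", ".join(sorted(extra)))
    if missing:
        findings.append("drift: template permissions missing: " + ", ".join(sorted(missing)))
    return sorted(findings)

def audit_all(accounts=ACCOUNTS, templates=ROLE_TEMPLATES):
    """Map login -> findings, keeping only accounts with at least one finding."""
    report = {a["login"]: audit_account(a, templates) for a in accounts}
    return {login: f for login, f in report.items() if f}

if __name__ == "__main__":
    for login, findings in audit_all().items():
        for finding in findings:
            print(f"{login}: {finding}")
```

Run against a real export, an empty report means every login has a named owner, MFA, and exactly its template's permissions.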

Devices, mobile, and BYOD

If the staff member uses a clinic-provided device, enrol it in Intune (or your MDM) before handing it over. If they use their personal phone for email — a near-universal reality — enrol the work mailbox under a Mobile Application Management policy so you can wipe just the work data if the phone is lost.

BYOD without device management is one of the riskiest postures a clinic can take. Tighten this up before onboarding the next hire.

The first week and offboarding planning

Day one: PHIPA training, password walk-through, MFA enrolment. Day three: confirm they can do their core workflow without any 'temporary' shortcuts. Day seven: a 15-minute check-in on what felt clunky.

And on day one, build the offboarding checklist for this person — even if they're a permanent hire. The clinics that get caught out are the ones who realised six months after a departure that the ex-employee still had access.

Want a clinic-tailored onboarding template and a paired offboarding checklist? We provide both as part of every PHIPA engagement — book a free assessment to get started.

Key takeaways

  • Always provision individual accounts — never share logins.
  • Sign the confidentiality agreement before access is granted, not after.
  • Apply role-based access from templates, not hand-built permissions.
  • Enrol every device in MDM, and use MAM policies on personal phones.
  • Build the offboarding checklist on day one — even for permanent hires.
