# Cascades of Tucson — Workforce Termination Procedures

**Built:** 2026-04-24 by Howard (ClaudeTools session) — closes Track B B4 in `PLAN-AND-QUESTIONS-2026-04-24.md`
**Owner:** Security Official (Mike Swanson / Howard Enos) + CE leadership (Meredith Kuhn)
**Review cycle:** Annual, or when a named system changes
**HIPAA reference:** 45 CFR §164.308(a)(3)(ii)(C) Termination Procedures (Required) + §164.316(b)(2) Documentation Retention (Required, 6 years — Cascades posture: 7 years)

---

## Policy statement

When a Cascades workforce member separates (voluntarily or involuntarily), their access to ePHI and Cascades systems must be **promptly revoked**, and their employment-period records must be **preserved for at least 7 years** from the date of their last activity or the record's creation (whichever is later). No workforce member's mail, file-share presence, or audit trail may be destroyed before the retention clock expires.

---

## Why 7 years (HIPAA + 1)

HIPAA §164.316(b)(2) requires a 6-year minimum. Cascades adopts 7 years to (a) buffer against state-law retention overlays (AZ medical records = 7 years post-last-encounter), (b) accommodate civil statute-of-limitations carry-over, and (c) provide a safety margin before any irreversible destruction.

---

## Procedure — at termination

Follow this sequence on the last day of work (or as soon as termination is confirmed for involuntary cases):

### Step 1 — Disable sign-in (day-of)

- **Active Directory:** Disable the user account (`Disable-ADAccount -Identity <sAMAccountName>`). Move it to `OU=Excluded-From-Sync` if it was previously synced, so Entra Connect drops the hybrid mapping.
- **Microsoft 365:** Block sign-in (`Set-MsolUser -UserPrincipalName <UPN> -BlockCredential $true`, or the equivalent Graph call `Update-MgUser -UserId <UPN> -AccountEnabled:$false`). Revoke active sessions (`Revoke-MgUserSignInSession -UserId <UPN>`).
- **ALIS:** In ALIS admin, disable the staff profile. If they were linked via Entra SSO, the SSO tie is severed automatically when their M365 sign-in is blocked, but the ALIS staff record stays for audit.
- **File shares / VPN / ScreenConnect / anything else:** Revoke per the access matrix in `docs/security/implementation-register.md`.
- **Remove from distribution groups, shared-mailbox delegations, and the shared-phone MSDM roster.**

### Step 2 — Preserve (within 24 hours)

- **M365 mailbox:** Convert to a **Shared Mailbox** (`Set-Mailbox -Identity <UPN> -Type Shared`). Shared mailboxes do **not** require a license under 50 GB and are not at risk of default-retention deletion.
- **Remove M365 licenses** after the shared-mailbox conversion. Free the seat.
- **Apply Litigation Hold** if the tenant has Exchange Online Plan 2 (comes with Business Premium):
  - `Set-Mailbox -Identity <UPN> -LitigationHoldEnabled $true -LitigationHoldDuration 2557 -LitigationHoldDate (Get-Date)`
  - 2557 days = 7 years.
  - Cascades is currently on Business Standard → Litigation Hold is **not available** until the tenant-wide Business Premium purchase (see Q21 in the master plan). Interim posture: shared-mailbox conversion + zero deletion functionally preserves records under default MRM retention.
- **Hide from the Global Address List** (`Set-Mailbox -Identity <UPN> -HiddenFromAddressListsEnabled $true`). Active staff shouldn't see former-employee addresses in autocomplete.
- **Configure forwarding** to successor(s) if there is ongoing external correspondence (vendor invoices, client relationships). Forwarding does NOT satisfy retention on its own; the original mailbox must still exist.

### Step 3 — Document (within 7 days)

- **Update the employee record** in Cascades HR with the termination date, reason (voluntary/involuntary), access-revocation confirmation, and mailbox-preservation status.
- **Entry in `docs/issues/log.md`** or the termination ledger: user, date, systems cleaned, who performed the work.
- **Add to the 7-year retention tracker** (spreadsheet or doc listing preserved mailboxes + deletion-eligible date): `retention-eligible = termination_date + 7 years`.

### Step 4 — Annual review (every anniversary of their termination)

- Verify the shared mailbox still exists (no accidental delete).
- Verify Litigation Hold is still enabled (if applicable) and not near expiry.
- For employees whose retention window has elapsed:
  - Privacy Officer review: any pending subpoena, audit, or litigation? If yes, extend the hold.
  - If clean: formal decision to either (a) export to an offline archive (PST → immutable storage) and then delete, or (b) delete in place.
  - Document the destruction decision in the retention tracker.

---

## What NOT to do

- **Do not delete** a workforce member's M365 user object directly. Deletion puts the mailbox in a 30-day soft-delete window; if it is not recovered within that window, **all content is permanently destroyed**. For a covered entity handling PHI, that is a §164.316(b)(2) violation and potentially a §164.308(a)(1)(ii)(A) Risk Analysis failure for not having identified the risk.
- **Do not rely on default MRM retention alone without converting to shared.** A user mailbox whose license is removed can have its content auto-deleted by default Exchange policies. Shared mailboxes are safer.
- **Do not allow the 30-day soft-delete window to lapse** after an inadvertent delete. Restore and remediate before day 30.
- **Do not skip Step 2 preservation** even for "short-tenure" or "never-logged-in" accounts. If the account existed in production long enough to have had any ePHI touch, the retention clock applies.

---

## Incident documentation

### Incident IR-2026-04-24-001 — Improper deletion of 7 orphan mailboxes

**What happened:** On 2026-04-22, as part of a pre-Entra-Connect orphan cleanup, 7 M365 user mailboxes were deleted: `ann.dery`, `anna.pitzlin`, `jeff.bristol`, `jodi.ramstack`, `kristiana.dowse`, `nela.durut-azizi`, `nick.pavloff`. The deletion was HR-confirmed at the time but **did not follow the preservation-first procedure** described above.

**Why it was wrong:** The 7 mailboxes contained (or plausibly contained, given their roles) ePHI or operationally relevant correspondence. Deleting them without Litigation Hold, a retention policy, or shared-mailbox conversion placed them at risk of permanent destruction at day 30.

**Recovery:** On 2026-04-24, at day 2 of the 30-day soft-delete window, all 7 were restored via the Graph API (`Restore-MgDirectoryDeletedItem`). Evidence: `reports/2026-04-24-jeff-restore-ashley-access.md` and the follow-on retention report.

**Post-recovery actions (in progress at time of writing):** Convert each to a shared mailbox, remove Jodi Ramstack's unnecessary Business Standard license ($12.50/mo recurring), hide all from the Global Address List, place on Litigation Hold when Business Premium is live, and enroll all 7 in the 7-year retention tracker with source-date = their original 2026-04-22 deletion date.

**Preventive control:** This document (`termination-procedures.md`) and training on it. Future orphan cleanups must follow the preservation-first procedure.

**Signed-off:** [Security Official signature + date] / [CE leadership signature + date]

---

## References

- `PLAN-AND-QUESTIONS-2026-04-24.md` Track B (B4)
- `docs/security/hipaa-review-2026-04-22.md`
- `docs/security/risk-analysis-2026-04.md`
- `reports/2026-04-22-m365-orphan-deletes.md` (the flawed action this doc remediates)
- `reports/2026-04-24-jeff-restore-ashley-access.md` + follow-on retention report
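The following script is an added worked example, not part of the original Cascades procedure or its repository. It walks Steps 1 through 3 above in preservation-first order: sign-in is cut first, the mailbox is converted to shared and hidden before any license is touched, Litigation Hold is attempted and its absence recorded rather than silently skipped, and a ledger row with the computed retention-eligible date is appended. The script name, the `OU=Excluded-From-Sync,DC=cascades,DC=local` DN, the `docs\security\termination-ledger.csv` path, and the assumption that the sAMAccountName equals the UPN prefix are all placeholders; adjust them to the real environment. It needs the ActiveDirectory, Microsoft.Graph and ExchangeOnlineManagement modules and an administrator who can consent to the listed Graph scopes. Run it with `-WhatIf` first to see every action it would take.

```powershell
<#
  Invoke-CascadesOffboarding.ps1 (hypothetical name, added example).
  Steps 1-3 of the termination procedure, preservation-first.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [ValidateSet('Voluntary', 'Involuntary')] [string] $Reason,
    [datetime] $TerminationDate = (Get-Date).Date,
    [string]   $ForwardTo,                                                   # successor UPN, optional
    [string]   $ExcludedOu  = 'OU=Excluded-From-Sync,DC=cascades,DC=local',  # placeholder DN
    [string]   $LedgerPath  = 'docs\security\termination-ledger.csv',        # placeholder path
    [int]      $RetentionYears = 7
)

$sam         = $UserPrincipalName.Split('@')[0]   # assumption: sAMAccountName == UPN prefix
$performedBy = "$env:USERDOMAIN\$env:USERNAME"
$systems     = [System.Collections.Generic.List[string]]::new()

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# Guardrail: refuse to run against an object that is already in the soft-delete window.
# Deleting first and preserving later is exactly the failure in IR-2026-04-24-001.
if (-not (Get-MgUser -UserId $UserPrincipalName -ErrorAction SilentlyContinue)) {
    throw "No live user object for $UserPrincipalName. Check Get-MgDirectoryDeletedItemAsUser and restore first."
}

# ---- Step 1: disable sign-in (day-of) ------------------------------------------------
if ($PSCmdlet.ShouldProcess($sam, 'Disable AD account and move out of Entra Connect sync scope')) {
    Disable-ADAccount -Identity $sam
    Move-ADObject -Identity (Get-ADUser -Identity $sam).DistinguishedName -TargetPath $ExcludedOu
    $systems.Add('AD disabled + excluded from sync')
}
if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Block M365 sign-in and revoke refresh tokens')) {
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    $systems.Add('M365 sign-in blocked, sessions revoked')
}

# ---- Step 2: preserve BEFORE any license change -------------------------------------
if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Convert to shared mailbox and hide from GAL')) {
    Set-Mailbox -Identity $UserPrincipalName -Type Shared
    Set-Mailbox -Identity $UserPrincipalName -HiddenFromAddressListsEnabled $true
    if ($ForwardTo) {
        # Keep a copy in the preserved mailbox; forwarding never substitutes for retention.
        Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $ForwardTo -DeliverToMailboxAndForward $true
    }
    $systems.Add('Mailbox converted to shared, hidden from GAL')
}

$holdStatus = 'not applied (tenant lacks Litigation Hold; interim shared-mailbox posture)'
if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Apply $RetentionYears-year Litigation Hold if licensed")) {
    try {
        # 365 * 7 + 2 leap days = 2557, the figure used in the procedure.
        Set-Mailbox -Identity $UserPrincipalName -LitigationHoldEnabled $true `
            -LitigationHoldDuration (365 * $RetentionYears + 2) -ErrorAction Stop
        $holdStatus = 'enabled'
    } catch {
        Write-Warning "Litigation Hold not applied: $($_.Exception.Message)"
    }
}

# Shared mailboxes are license-free only under 50 GB; keep the seat if the mailbox is larger.
$sizeText = "$((Get-MailboxStatistics -Identity $UserPrincipalName).TotalItemSize)"
$bytes    = [int64]([regex]::Match($sizeText, '\(([\d,]+) bytes\)').Groups[1].Value -replace ',', '')
if ($bytes -gt 50GB) {
    Write-Warning "Mailbox is $sizeText; over 50 GB a shared mailbox still needs a license. Leaving licenses in place."
} elseif ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Remove all M365 licenses')) {
    $skus = (Get-MgUser -UserId $UserPrincipalName -Property AssignedLicenses).AssignedLicenses.SkuId
    if ($skus) { Set-MgUserLicense -UserId $UserPrincipalName -AddLicenses @() -RemoveLicenses @($skus) | Out-Null }
    $systems.Add('Licenses removed')
}

# ---- Step 3: ledger + retention tracker row ------------------------------------------
$entry = [pscustomobject]@{
    UserPrincipalName     = $UserPrincipalName
    TerminationDate       = $TerminationDate.ToString('yyyy-MM-dd')
    Reason                = $Reason
    SystemsCleaned        = ($systems -join '; ')
    MailboxPreservation   = "shared mailbox; litigation hold $holdStatus"
    RetentionEligibleDate = $TerminationDate.AddYears($RetentionYears).ToString('yyyy-MM-dd')
    PerformedBy           = $performedBy
    PerformedAt           = (Get-Date).ToString('s')
}
if ($PSCmdlet.ShouldProcess($LedgerPath, 'Append termination ledger entry')) {
    $entry | Export-Csv -Path $LedgerPath -Append -NoTypeInformation
}
$entry
```

The order of operations is the point: every `ShouldProcess` block after the guardrail assumes the one before it has run, so a user object is never left licensed-but-unpreserved, and the license is removed only once the mailbox is already shared. The ledger row carries the same fields Step 3 asks for, so the annual review can be driven from the CSV rather than from memory.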
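A second added example, again not from the original document: a read-only script for the Step 4 annual review, plus a soft-delete watchdog for the failure mode recorded in IR-2026-04-24-001. It reads the ledger CSV produced at offboarding (hypothetical column names `UserPrincipalName`, `RetentionEligibleDate`), confirms each preserved mailbox still exists, is still shared, and still has a hold that is not about to expire, flags rows whose retention window has elapsed for Privacy Officer review, and then lists every deleted user object still inside the recoverable window with the days left before purge and the exact restore command. It assumes already-connected Microsoft.Graph and ExchangeOnlineManagement sessions; it changes nothing.

```powershell
<#
  Review-CascadesRetention.ps1 (hypothetical name, added example).
  Step 4 annual review checks + soft-delete window watchdog. Read-only.
#>
param(
    [string] $LedgerPath            = 'docs\security\termination-ledger.csv',  # placeholder path
    [int]    $HoldExpiryWarningDays = 90,
    [int]    $SoftDeleteWindowDays  = 30
)

function Get-RetentionFinding {
    param(
        [string]   $Upn,
        [datetime] $RetentionEligible,
        [int]      $WarnDays = $HoldExpiryWarningDays,
        [datetime] $Now      = (Get-Date)
    )
    $issues = @()
    $mbx = Get-Mailbox -Identity $Upn -ErrorAction SilentlyContinue
    if (-not $mbx) {
        $issues += 'MISSING: no live mailbox (check soft-deleted set and restore before day 30)'
    } else {
        if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
            $issues += "not a shared mailbox ($($mbx.RecipientTypeDetails)); license removal could trigger MRM deletion"
        }
        if ($mbx.LitigationHoldEnabled) {
            # LitigationHoldDuration serializes as 'dddd.hh:mm:ss' or 'Unlimited'.
            $duration = "$($mbx.LitigationHoldDuration)"
            if ($duration -ne 'Unlimited' -and $mbx.LitigationHoldDate) {
                $expires = [datetime]$mbx.LitigationHoldDate + [timespan]$duration
                if (($expires - $Now).TotalDays -lt $WarnDays) {
                    $issues += "litigation hold expires $($expires.ToString('yyyy-MM-dd')); extend if retention not yet elapsed"
                }
            }
        } else {
            $issues += 'no litigation hold (interim posture; confirm no MRM deletion tags apply)'
        }
    }
    if ($Now -ge $RetentionEligible) {
        $issues += 'retention window elapsed: Privacy Officer review required before any destruction decision'
    }
    [pscustomobject]@{
        UserPrincipalName = $Upn
        RetentionEligible = $RetentionEligible.ToString('yyyy-MM-dd')
        Issues            = ($issues -join '; ')
    }
}

function Get-SoftDeleteExposure {
    # Deleted user objects still inside the recoverable window: the race IR-2026-04-24-001 had to win.
    param([int] $WindowDays = $SoftDeleteWindowDays, [datetime] $Now = (Get-Date))
    Get-MgDirectoryDeletedItemAsUser -All | ForEach-Object {
        $deadline = $_.DeletedDateTime.AddDays($WindowDays)
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            DeletedDateTime   = $_.DeletedDateTime
            DaysUntilPurge    = [math]::Floor(($deadline - $Now).TotalDays)
            RestoreCommand    = "Restore-MgDirectoryDeletedItem -DirectoryObjectId $($_.Id)"
        }
    } | Sort-Object DaysUntilPurge
}

Write-Host '== Annual retention review (ledger rows with findings) =='
Import-Csv -Path $LedgerPath | ForEach-Object {
    Get-RetentionFinding -Upn $_.UserPrincipalName -RetentionEligible ([datetime]$_.RetentionEligibleDate)
} | Where-Object Issues | Format-Table -AutoSize

Write-Host "== Deleted users still recoverable (<= $SoftDeleteWindowDays days) =="
Get-SoftDeleteExposure | Format-Table -AutoSize
```

Schedule the soft-delete check far more often than annually; a weekly run gives at least three chances to notice a mistaken deletion before the window closes, whereas the incident above was caught at day 2 only because someone happened to look.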