Unifying Identity Across 3 Clinic Locations: Zero Shared EHR Logins and a Clean HIPAA Audit

A 62-person medical practice operating three locations had shared EHR credentials across staff, three disconnected Active Directory environments, and former employees still in the system. garrisonOne delivered an 8-week identity programme: unifying directories, deploying MFA and SSO, removing ghost accounts, and preparing full HIPAA documentation.

  • 3 clinic locations unified under one identity platform
  • 100%: HIPAA audit passed with no identity findings
  • Zero shared EHR logins remaining after rollout
  • 8 weeks: phased rollout with no clinical downtime
The challenge

Three clinics, three disconnected directories, and shared credentials on every EHR workstation

The practice had grown through acquisition: two smaller clinics joined the original location over a five-year period. Each site had its own Active Directory environment, its own IT contact, and its own way of handling user accounts. There was no centralised identity management, no consistent offboarding process, and no way to get a complete picture of who had access to what across all three locations.

The EHR system was the most pressing concern. Staff shared login credentials at workstations: one set of credentials per exam room, not per clinician. HIPAA requires individual user accountability for all PHI access, and shared credentials made that impossible. With a HIPAA audit scheduled, the practice manager knew the current state was indefensible and engaged garrisonOne for a structured remediation programme.

  • Shared EHR credentials across staff. Exam room workstations used shared logins: no individual accountability for PHI access.
  • No MFA on any system. EHR, email, and practice management were accessible with a password alone: no second factor anywhere.
  • 3 disconnected Active Directory environments. Each clinic site managed identity independently: no unified view, no central policy enforcement.
  • Former staff still active in the system. Employee turnover was high: offboarding was inconsistent and stale accounts had accumulated.
  • HIPAA audit approaching. Shared EHR credentials and the lack of an access audit trail were direct HIPAA violations in scope for review.
  • Over-privileged admin access. Multiple staff held domain admin rights that were never scoped or periodically reviewed.

Our findings

What the access audit found across all three locations

Before designing the identity programme, garrisonOne conducted a full access audit across all three Active Directory environments: mapping every user account, group membership, application access, and admin privilege against current HR records.

  • 17 ghost accounts found: former staff with active credentials and system access
  • 0 individual EHR logins in use: all workstations running shared credentials
  • 3 separate AD environments with no trust relationships and no shared policy baseline
  • 8 staff with domain admin rights: none with documented business justification

The 17 ghost accounts were the most immediate HIPAA risk. Several belonged to clinical staff who had left the practice: their credentials still granted EHR access, which meant PHI was technically accessible by individuals who were no longer employees. The audit trail for those accounts showed no suspicious logins, but the exposure was real and documentable. All 17 accounts were disabled as a priority action before the broader programme began.


What we did

An 8-week phased identity programme: no clinical downtime

The programme was designed to work around clinical hours and patient care schedules: changes were deployed in off-peak windows, with rollback procedures at every phase.

The EHR vendor was engaged early to confirm individual login support and SSO compatibility: this determined the sequencing of phases 2 and 3 and allowed the MFA rollout to align with EHR re-credentialing across all three sites.
Phase 1, weeks 1 to 2: Access Audit & Ghost Account Remediation
Full inventory of all accounts across the three AD environments, matched against current HR records from all three clinic locations. Identified 17 stale accounts, over-privileged admins, and shared service accounts. All ghost accounts disabled immediately. Admin rights reviewed and scoped to the minimum required access.

Phase 2, weeks 3 to 4: Directory Unification with Microsoft Entra ID
Migrated all three on-premises Active Directory environments into a single Microsoft Entra ID (Azure AD) tenant. Established consistent naming conventions, group structures, and access policies across all locations. Preserved existing application access throughout the migration: no staff disruption during the transition.

Phase 3, weeks 5 to 6: MFA & SSO Rollout
Deployed Microsoft Authenticator MFA across all 62 staff accounts, phased by location to allow for hands-on onboarding support at each site. Configured SSO for the EHR, Microsoft 365, and the practice management system, eliminating shared workstation credentials and giving every clinician their own individual login for the first time.

Phase 4, weeks 7 to 8: HIPAA Documentation & Audit Preparation
Produced the full identity-layer documentation package required for the HIPAA audit: access control policy, workforce access procedures, audit log configuration, and evidence of all remediation actions taken. Conducted a pre-audit walkthrough with the practice manager and compliance consultant to review the documentation and confirm readiness.
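The phase 1 reconciliation (and the audit behind the findings above), as an added example that is not garrisonOne's tooling: it joins per-domain AD user exports, assumed to be CSVs in the shape `Get-ADUser ... | Export-Csv` produces after flattening group membership, against an HR roster keyed by mail address, and flags former-staff accounts that are still enabled, enabled accounts with no traceable owner (shared exam room or service logins), and Domain Admins members without a documented justification. The domain names, addresses, roster and justification register are all constructed.

```python
import csv
import io

# Constructed sample data, not real exports: one CSV per clinic domain, each
# with its own naming convention; 'groups' is a ';'-separated membership list.
AD_EXPORTS = {
    "clinic-a.local": "sam,mail,enabled,groups\n"
        "jsmith,j.smith@clinic.test,True,Domain Admins;Clinical\n"
        "examroom1,,True,Clinical\n",
    "clinic-b.local": "sam,mail,enabled,groups\n"
        "smithj,j.smith@clinic.test,True,Clinical\n"
        "doe.m,m.doe@clinic.test,True,Domain Admins;Clinical\n",
    "clinic-c.local": "sam,mail,enabled,groups\n"
        "pwong,p.wong@clinic.test,False,Clinical\n"
        "itadmin,it@clinic.test,True,Domain Admins\n",
}
# HR roster keyed by mail address, assumed to be the authoritative source.
HR_ROSTER = {"j.smith@clinic.test": "active", "m.doe@clinic.test": "terminated",
             "p.wong@clinic.test": "terminated"}
# Admin accounts with a documented business justification (assumed register).
JUSTIFIED_ADMINS = {("clinic-c.local", "itadmin")}

def load_accounts(exports=AD_EXPORTS):
    """Flatten the per-domain CSV exports into one list of account records."""
    accounts = []
    for domain, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            accounts.append({
                "domain": domain, "sam": row["sam"],
                "mail": row["mail"].strip().lower() or None,  # join key to HR
                "enabled": row["enabled"] == "True",
                "groups": set(filter(None, row["groups"].split(";"))),
            })
    return accounts

def ghost_accounts(accounts, hr=HR_ROSTER):
    """Enabled accounts whose owner HR records as no longer employed."""
    return [a for a in accounts
            if a["enabled"] and a["mail"] in hr and hr[a["mail"]] != "active"]

def untraceable_accounts(accounts, hr=HR_ROSTER):
    """Enabled accounts with no HR owner: shared or service logins with no per-person audit trail."""
    return [a for a in accounts if a["enabled"] and a["mail"] not in hr]

def unscoped_admins(accounts, justified=JUSTIFIED_ADMINS):
    """Domain Admins members with no documented business justification."""
    return [a for a in accounts if "Domain Admins" in a["groups"]
            and (a["domain"], a["sam"]) not in justified]
```

A disabled former-staff account (pwong) is deliberately not reported as a ghost, since only enabled credentials grant access; nested admin group membership is not expanded here, so a real run would flatten it first (e.g. `Get-ADGroupMember -Recursive`).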

Key deliverables

  • Access audit report: full inventory of all user accounts across three AD environments with ghost account and privilege findings
  • Unified Microsoft Entra ID tenant: all three clinic locations under one identity platform with consistent policies
  • MFA deployment across all 62 staff accounts: Microsoft Authenticator with per-location onboarding support
  • SSO configuration for EHR, M365, and practice management: individual logins replacing all shared workstation credentials
  • HIPAA identity compliance documentation: access control policy, workforce procedures, audit log setup, and remediation evidence
  • Offboarding procedure and access review schedule: standardised process to prevent ghost account accumulation going forward

Outcomes

A unified, HIPAA-compliant identity platform across all three sites

The practice entered the HIPAA audit with documented, implemented controls for the first time. Individual EHR logins were in place for every clinician, MFA was active on all accounts, and the ghost account backlog had been fully cleared. The auditor found no identity findings: a result that would have been impossible under the previous state.

  • HIPAA audit passed with no identity findings: access controls documented and implemented, and the auditor found zero identity-layer deficiencies.
  • 17 ghost accounts removed: former staff credentials fully revoked, with EHR and system access closed for all departed employees.
  • 100% MFA coverage across all staff: all 62 accounts protected with multi-factor authentication, via a phased rollout with zero clinical downtime.
  • 1 unified identity platform across 3 locations: three disconnected AD environments consolidated into a single Entra ID tenant with consistent policies.
  • 1 login for all systems (SSO): staff access the EHR, M365, and practice management with a single set of credentials, with no more password juggling.

"We were sharing EHR logins because that's just how it had always been done. garrisonOne showed us why that was a problem, fixed it without interrupting our patient schedule, and made sure we walked into the HIPAA audit with everything in order. The whole thing was smoother than I expected."

Practice Manager, Multi-Location Medical Practice, Pacific Northwest

Don't go into a HIPAA audit with shared EHR credentials

Get a free 30-minute call with a garrisonOne healthcare IAM specialist: we'll review your current identity posture and map what needs to change before your audit.
