That doesn't absolve an employee (or ex-employee) of the covered entity going about and abusing the access they do have.