Does HIPAA Require Employee Background Checks?

Modified on Mon, 11 Dec, 2023 at 1:54 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


The HIPAA Security Rule contains a “workforce security” requirement, requiring covered entities and business associates to “Implement policies and procedures to ensure that all members of [the] workforce have appropriate access to electronic protected health information…, and to prevent those workforce members who do not have access…from obtaining access to electronic protected health information.” To implement this safeguard, covered entities and business associates should implement “workforce clearance procedures.”

This article discusses what measures covered entities and business associates might use to ensure appropriate access.

What are Workforce Clearance Procedures?
Workforce clearance procedures are procedures that should be implemented by a covered entity or business associate “to determine that the access of a workforce member to electronic protected health information [ePHI] is appropriate.”

Possible examples of clearance "procedures" include different types of background checks, including criminal history background checks. The Department of Health and Human Services requires certain entities to check hires against the List of Excluded Individuals/Entities (LEIE).


HIPAA itself, however, does not require any particular background check to be conducted, either pre-employment, post-interview, pre-interview, or during employment. This does not mean, however, that a HIPAA business associate or covered entity is prohibited from conducting a background check as a "clearance procedure."

Employers that participate in federally funded healthcare programs (e.g., Medicare/Medicaid) may be required to check individuals' names against the LEIE. What about covered entities and business associates that have no association with such programs? Must these entities conduct an LEIE check? No. However, these entities may conduct the check, and may perform legally permitted pre-employment background checks as well. Running an LEIE check, even if not required, may reveal a prospective hire has previously engaged in activity that might warrant restricted or limited access to ePHI, or, in some instances, that might warrant not hiring the individual. 


In determining what background checks or screening measures are appropriate, the employer (covered entity or business associate) should assess risk, cost, benefit, and feasibility, as well as the other safeguards it has in place, to decide whether more detailed screening beyond LEIE screening is appropriate. Employers should be aware of screening requirements imposed by third-party payers. Third-party payers also may require state-specific Medicaid exclusion lists to be checked.

If an employer decides to conduct a criminal or work history background check, it must do so in accordance with federal, state, and local laws, regulations, and ordinances. A properly conducted background check can be a part of an effective compliance program.
