Does the HIPAA Security Rule Require Employee Background Checks?

Modified on Tue, 15 Jul at 3:51 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


Introduction

This article discusses the HIPAA regulation that pertains to the security of the workforce. This regulation is known as the HIPAA Security Rule workforce security standard. The standard requires HIPAA-covered entities to ensure that workforce access to ePHI is appropriate. While the standard does not mention background checks by name, conducting those checks is a best practice. Find out more below.

What is the Workforce Security Standard?

The HIPAA Security Rule contains a “workforce security” requirement, requiring covered entities and business associates to “Implement policies and procedures to ensure that all members of [the] workforce have appropriate access to electronic protected health information…, and to prevent those workforce members who do not have access… from obtaining access to electronic protected health information.” To implement this safeguard, covered entities and business associates should implement “workforce clearance procedures.”

This article discusses what measures covered entities and business associates might use to ensure appropriate access.

What are Workforce Clearance Procedures?

Workforce clearance procedures are procedures under the workforce security rule that should be implemented by a covered entity or business associate “to determine that the access of a workforce member to electronic protected health information (ePHI) is appropriate.”

The workforce security rule does not mention background checks by name. This does not mean, however, that a HIPAA business associate or covered entity is prohibited from conducting a background check as a "clearance procedure"; quite the contrary. In fact, the federal government (healthit.gov), in the guidance for its security risk analysis (SRA) tool, states that screening workforce members (e.g., staff, volunteers, interns) with tools like credential verification or background checks to verify trustworthiness is an effective option to protect the confidentiality, availability, and integrity of ePHI.

What Kinds of Background Checks Might an Employer Conduct?

One type of check, which is generally required for providers that participate in federally funded healthcare programs (e.g., Medicare, Medicaid), can be run against what is known as the List of Excluded Individuals/Entities (LEIE). This list contains the names of individuals and entities that have been excluded from participation in federally funded health care programs for a variety of reasons, including a conviction for Medicare or Medicaid fraud. An employer can check potential, new, and current hires against the list. If the name of a prospective, new, or current hire appears on the list, the entity would want to review the "match" to determine whether it is appropriate for that individual to have access to ePHI.

Entities that are not legally required to check names against the list may nonetheless want to do so. Running an "LEIE check" may, for example, reveal that a prospective hire has previously engaged in activity that might warrant restricted or limited access to ePHI or, in some instances, that might warrant not hiring the individual at all. Either finding might support a conclusion that the person's having access to ePHI is not appropriate.

Other potential background checks can include criminal or work history background checks. In deciding whether more detailed screening beyond LEIE screening is appropriate, the employer (covered entity or business associate) should assess risk, cost, benefit, and feasibility, as well as the other safeguards it already has in place. Employers should also be aware of screening requirements imposed by third-party payers; third-party payers may, for example, require state-specific Medicaid exclusion lists to be checked.

If an employer decides to conduct a criminal or work history background check, it must do so in accordance with federal, state, and local laws, regulations, and ordinances.
