HIPAA

Background check policy

  • 1.  Background check policy

    Posted 09-16-2020 02:41 PM
    Would anyone be willing to share their background check policy with me? jana@lumea.org
    We currently don't have one implemented and I am not sure I can see where HIPAA states that something like a background check is required. If it does, can someone point me to the code citation which indicates something like a background check is necessary?  If it's not required, what other ways are there for satisfying the requirement to ensure security of ePHI and PHI for the facility?

    Thank you for your help!

    ------------------------------
    Jana Rasmussen
    Compliance Manager
    LUMEA, Inc
    Lehi,UT
    ------------------------------
    19th Annual CEI Virtual Conference


  • 2.  RE: Background check policy

    Posted 09-17-2020 07:35 AM
    HIPAA doesn't discuss things like background checks / get into that level of detail. The Privacy Rule requires covered entities or BAs to protect PHI in ALL formats and the Security Rule speaks only to ePHI. Both rules discuss safeguards. You could consider background checks under these sections. Personally I would collaborate with HR and have HR own this policy because there are broader implications organizationally beyond HIPAA.

    Privacy Rule:  
    §164.530 Administrative requirements.
    (c) (1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

    Security Rule: §164.308 Administrative safeguards.

    (a) A covered entity or business associate must, in accordance with §164.306:

    (1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

    (ii) Implementation specifications:

    (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

    (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).

    (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

    (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.



    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Privacy Director
    Interim Privacy Officer
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 3.  RE: Background check policy

    Posted 09-17-2020 04:33 PM
    Brenda,
    Thank you so much for your response!  We have a quasi-HR department (meaning our finance guy who handles payroll), so it'll be on me to develop the policy, but I will definitely seek input from the executive team on it.  A recent third-party assessment of us suggested a lack of "proper personnel screening controls" and recommended the corrective action be to do background checks. We have our methods for screening, but it's not a full background check.  It's a good idea, but I wanted to make sure it wasn't something that was required by HIPAA before addressing their concerns with something other than background checks (if that's the direction the executive team wants to go).  I may recommend we do background checks as a standard rule.   Thanks again for your reply and expertise!

    ------------------------------
    Jana Rasmussen
    Compliance Manager
    LUMEA, Inc
    Lehi,UT
    ------------------------------



  • 4.  RE: Background check policy

    Posted 09-17-2020 08:32 AM
    Brenda is right; HIPAA does not speak to background checks, but it is obviously very important for healthcare as it relates to compliance and verification that the individual has not been excluded, in addition to criminal and civil acts. I have attached our draft background check policy as I am in the midst of revising for pharmacy accreditation. I would review the HIPAA privacy and security rules. There is a document on here that breaks these rules down with what is addressable and what is required. I will see if I can find it but I bet someone will respond with it. You would want to make sure you have administrative safeguards such as policies in place, physical safeguards (e.g. privacy screens on computers, alarm systems, locked cabinets that may have PHI, identification badges, privacy glass, etc.) and technical safeguards (e.g. passcodes for logins to anything accessing PHI, encryption (addressable but you have to have something equivalent if not in place), firewalls, monitoring cyber security threats, backups, network scanning, etc.). These are not all required but are ways that you can ensure the security of ePHI and PHI. Your go-to will be the privacy and security rules, which lay out exactly what administrative, physical, and technical safeguards are required to be in place.

    https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html


    ------------------------------
    Savannah Knuettel
    Compliance Officer
    Galen Medical Group
    Hixson,TN

    The views expressed herein are my own and do not represent those of my employer or clients. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 5.  RE: Background check policy

    Posted 09-17-2020 09:13 AM
    Hard agree here with Savannah.

    Having gone through an exclusion-list  self-disclosure when our internal HR process on updating our employee list for exclusion screening broke down briefly, I can assure you the feds wanted to know about our process for running background checks on all hires.

    It may not be a HIPAA requirement, though I agree that it is a good risk-mitigation approach, but it certainly is something Compliance should make sure is being done (by HR) for all new hires.

    ------------------------------
    Scott Intner
    Chief Compliance Officer
    GW Medical Faculty Associates
    Washington,DC
    ------------------------------



  • 6.  RE: Background check policy

    Posted 09-17-2020 09:18 AM

    Here is our background check policy. I can assure you that the state asked about this on our survey last year.

     

    Thank you,

    Sharon Taylor, RN, MS, CIC, CPHRM, CHC, CHPC        

    Director Risk Management/ Accreditation Services

    Burgess Health Center

    1600 Diamond Street

    Onawa, IA 51040

    Tel: 712-423-9248

    Fax: 712-423-9322

    E-mail: staylor@burgesshc.org

    Website: www.burgesshc.org

     

     



  • 7.  RE: Background check policy

    Posted 09-17-2020 04:40 PM
    Thank you for that insight and for sharing your policy, Sharon. I appreciate the information, and seeing examples of what a policy might look like is helpful as we craft our own.

    ------------------------------
    Jana Rasmussen
    Compliance Manager
    LUMEA, Inc
    Lehi,UT
    ------------------------------



  • 8.  RE: Background check policy

    Posted 09-17-2020 04:39 PM
    Thank you for that confirmation and additional information, Scott.  Since we are a business associate and not a covered entity, we don't need to do exclusion checks (correct?) but it is interesting to know that background checks may be considered standard practice when being investigated.
    Thanks again for the information and your expertise, Scott.

    ------------------------------
    Jana Rasmussen
    Compliance Manager
    LUMEA, Inc
    Lehi,UT
    ------------------------------



  • 9.  RE: Background check policy

    Posted 09-19-2020 09:48 AM
    I agree with what Savannah and Scott have stated but I think there is a slightly different way to look at it. An effective compliance program has background checks as a key element. Your privacy program is a compliance program whether it is part of the compliance office or not. So, IMHO, the privacy compliance program would be structured under the seven elements and thus require background checks to be effective. It also ties to appropriate safeguards as required by the regulations as others have addressed.

    Marti

    ------------------------------
    Marti Arvin, JD, CHC-F, CCEP-F, CHRC, CHPC
    Executive Advisor
    CynergisTek, Inc.
    Marti.arvin@cynergistek.com
    615-540-8071
    ------------------------------



  • 10.  RE: Background check policy

    Posted 09-17-2020 04:37 PM
    Savannah,
    Thank you for your response and the sample policy/procedure for your company.  That is helpful to see.  I agree, HIPAA isn't explicit about it, but a recent third-party assessment felt we had a lack of "proper personnel screening" and recommended background checks as the corrective action.  Before we go down that path, I wanted to make sure it wasn't a requirement somewhere in HIPAA that I wasn't seeing (I've read through and studied both privacy and security rules, but am definitely still learning!).  We are re-doing our policies related to HIPAA so now is a good time to add in a background check policy if that's how we want to correct/address the perceived issue.

    Again, I appreciate your help and expertise!

    ------------------------------
    Jana Rasmussen
    Compliance Manager
    LUMEA, Inc
    Lehi,UT
    ------------------------------



  • 11.  RE: Background check policy

    Posted 09-17-2020 08:54 AM
    Though not required...good applicability under the Privacy and Security rules with respect to the identification of the designated individuals as described in the regs.



    Posted: 5:49 AM AZ time

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Next Up:

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    Melissa Alexander - June - CHC
    Theresa Veazey - June - CHC
    Barbara Zubeck - June - CHPC
    Patricia Radatz - June - CHC
    Anthony Fleming - July - CHC
    Laura Chaney - July - CHC
    James Maruyama - July - CHC
    Namrita Notani - July - CHC
    Lisa Campbell - August - CHC
    Susan Hammerschmidt - August - CHC
    Brandi Brooks - August - CHC
    Shari Singleton - August - CHC
    Rebecca Crane - August - CHC
    Meagan Bottrell - August - CHC
    Jill Lyons - August - CHC
    Camille Walton - September - CHC
    Danique Flax - September - CHC
    Melanie Schoonover - September - CHPC
    ------------------------------



  • 12.  RE: Background check policy

    Posted 09-17-2020 04:42 PM
    I agree, Frank!  It's a good idea.  We haven't had it be standard practice, but that doesn't mean it shouldn't become such.  Are there other ways, besides criminal background checks to screen personnel that would also meet the criteria for HIPAA?  We already restrict access based on role, but perhaps that isn't enough. Thanks again for your input.

    ------------------------------
    Jana Rasmussen
    Compliance Manager
    LUMEA, Inc
    Lehi,UT
    ------------------------------



  • 13.  RE: Background check policy

    Posted 09-19-2020 10:35 AM
    Also...as some folks are pointing out...and I'm guessing folks who also do their 17 subs listings every day...this has some relativity to the NESI sub element.

    So here we have a practical application of the subs we list each day!



    Posted: Saturday

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    ------------------------------
