Disclaimer: The information provided in this document does not constitute, and is no substitute for, legal or other professional advice. Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns.
PrivaGuide: Personnel Clearance Procedures
By David Forbes
The final security rule clarifies that workforce “clearance” procedures are an addressable HIPAA security specification. This guide therefore interprets this and the logic of established practice in the field of background screening for positions where mandatory controls and regulatory penalties exist.
Although the HIPAA provisions are regulatory and do not directly address civil liability issues, the additional danger from proven non-compliance by implication is that of having to defend privately initiated civil litigation. Mitigation of risk in all respects involves management, training and technical measures. Chronologically this begins with the process whereby appropriate care must be taken to ensure that employees and contractors having access to protected health information (PHI) are screened prior to being permitted access. The objective is to substantially reduce the foreseeable risk that a person whose personal integrity is questionable may compromise compliance.
Dimensions that will dictate screening depth and cost:
- The design and the comprehensive completion of your employment or contractor employee application form. In many instances, existing pre-HIPAA application forms will require redesign.
- (This includes questions that you are lawfully able to ask, and questions that you must absolutely ask.)
- The accuracy of written statements made by each applicant and the ease with which you can validate them.
- The number of different counties where the applicant has been resident in the past seven years.
- Gaps in the employment and/or residential history of the applicant.
- Consideration of the appointment of a foreign national or any person who has been resident overseas during the past seven years.
Examples of exposure, potentially significant if disclosed during a regulatory audit or in consequence of complaint investigation:
- Very poor quality of pre-employment screening including application form and process.
- Incomplete or inadequate information furnished by applicant(s) and unresolved by the HIPAA-regulated employer.
- False information provided by applicant and negligently overlooked by the employer.
- Employer has appointed applicant and allowed access to PHI but has apparently failed to satisfactorily validate accuracy and integrity of written application to a significant degree.
- Applicant was appointed and has felony convictions; or lesser convictions for acts of dishonesty or use of prohibited drugs.
- Employer failed to keep accurate, complete and retrievable records of the pre-employment/contract employee screening process.
- Proper personnel clearance procedures can reduce legal liability.
There is no “private right of action” under HIPAA. This means that HIPAA does not allow private individuals to sue covered entities that fail to protect PHI. HIPAA does, however, establish a standard that can be cited as a “duty” under state law tort provisions.
In general, a plaintiff proves a tort (injury) by showing that:
- The defendant had a duty.
- The defendant failed to perform the duty.
- The plaintiff suffered some form of harm.
- The defendant’s failure to perform the duty caused the harm.
Methodologies and Sources for Background Screening
With the aid of electronic database access, cost efficiencies can be achieved when carrying out background checks on applicants. Screening may be conducted in-house and in organizations with several hundreds or more employees, this may prove marginally cost efficient compared with outsourcing the task to a contract company. The decision of whether or not to conduct the entire screening process internally is usually driven by other considerations, perhaps as fundamental as the personal preference of the Human Resources Director.
Internet online screening services have increased in number in recent times, and are suited to a limited range of circumstances. There is a temptation to determine the method for screening based on price alone. For the purpose of dependability however, the employer should recognize that quality, albeit reflected in comparatively greater expenditure, is the safety net for defending against the exposures discussed above.
The employer should also understand that the numbers of applications that prove more complex to process influence the average unit cost of background screening. The range of cost to the screener is variable and if an unrealistic fixed price is agreed, there will be a temptation to shortcut, with the risk of invisible and perhaps consequential gaps in the system. For example, telephone calls to declared former employers often consume exorbitant amounts of time and cost such as for long distance calls, chasers and faxes. Other cautionary notes:
- As the regulated HIPAA employer or contracting party, you must be in a position to prove the veracity and effectiveness of your screening process.
- Your recruitment advertising and interview processes should anticipate the screening requirement, with notice to applicants and signed completion of release forms authorizing screening inquiries. (Occasionally an applicant may consume your valuable time, only to withdraw due to fear of some discovery in the screening process. An advisory statement of recruitment policy is desirable.)
- Some outsource companies researched by the author make false claims about their ability to gather certain information, in particular with regard to the history of foreign nationals; and some exaggerate the speed of processing your request.
- The system or process is yours; the background-screening contractor will not usually share any liability.
- Regardless of your choice of method, in-house or outsource, training of your own trusted staff so that you have a good understanding of the implications, is essential.
- Don’t underestimate the time that individual checks will take and the impact that may have on your staffing needs. Some may take several weeks.
“Build” or “buy?”
Online databases are available for you to use in conducting background checks of prospective employees, or current employees who are about to be promoted to positions of trust. Some of these databases allow free access, but most are commercial operations.
You can find a list of online resources by searching for terms such as “pre-employment screening” in any of the popular World Wide Web search engines.
In making your decision on whether to conduct your own background investigations or to use the services of a company that specializes in this type of work, you should consider:
Cost – A firm that specializes in performing background checks may have negotiated cheaper access to online data and be able to pass these savings on to you.
Time – One of your own employees may take considerably longer to accomplish this task due to unfamiliarity with basic investigative procedures.
Morale – Employees may have the perception that investigations done by a disinterested third party are more “fair” than those carried out by people involved in the day-to-day business.
Note: This is set out for HIPAA purposes only. It is possible that other considerations such as the status and responsibility of the position to be filled will justify additional screening activity. For example, if the employee will be required to drive, regularly or occasionally, a Driver Motor Vehicle (DMV) check will be important.
- Obtain a detailed history through completion of the application form, to be written by the applicant within the purview of a member of your organization. Forms should not be accepted for processing if they have been completed elsewhere such as in the applicant’s home.
- Have the applicant read and sign the inquiry release form in front of a company witness who may also counter sign.
- Review the application form and clarify ambiguity or uncertainty of content as necessary before the applicant departs.
- Independently verify that the Social Security number stated is officially recorded as that of the applicant.
- Contact employers from the prior seven years to confirm accuracy of employment statements. (Previous employers do not usually wish to confirm more than dates, position held and rate of compensation).
- Criminal background check, one per county of residence in the past seven years while applicant was aged 16 or above. Note that Federal checks are a separate item and are usually justified by special circumstances.
- Education check – this is optional but may become material if a person is appointed to a PHI access position based upon qualifications that are later found to be false.
- Credit check – this is not an absolute requirement in every case. It is often applied where the position involves responsibility for financial transactions but it is also a partial safeguard against recruitment of someone with extreme financial difficulties and pressures. This type of check is governed by the Fair Credit Reporting Act (FCRA), which imposes certain legal requirements on the inquirer, the screener and the record keeper.
Think about “pre-screening.”
You don’t want your background screening process to be a bottleneck in the event that you have to replace an employee on very short notice.
Consider retaining a trusted non-employee – willing to be called upon in an emergency – already fully screened for compliance, as your backup. This may prove to be a good investment for a small practice in the event of accidents, sickness and unexpected departures.
Estimating The Cost of Doing it Right
Apart from the existing operational cost of employing say a staff member in the HR department to conduct the process; what might the cost be to have an outside contractor complete the database and telephone inquiries? The answer is that it does depend on a case-by-case experience.
At the lower end – an application involving contact with three previous employers, social security number verification, a one county criminal check and the generation of a file to be held on record for the employer, would incur (approximately) a sum just over $100.
For a variety of very sound reasons founded on the principle of securing a return on investment, a more complex and comprehensive exercise might be justified, resulting in a cost of $500. This is often the case for professional classes, as a position of responsibility is reflected in the due care taken in the selection process. Government and military related work commonly necessitates a higher standard of scrutiny and in such cases it will be government authorized parties who will conduct that work.
Some additional advice
- If you have existing employees who will have access to PHI and have not been screened in this way on your behalf during the past two years it would be wise to include them as you move toward HIPAA compliance.
- An employee or previously screened employee of a contractor should be re-screened for criminal record purposes every twelve months; or sooner if you have substantial grounds to believe that his or her criminal record status has adversely changed, subject to the following advice.
- Employment law applicable within your state should be observed and practices blended so that your effort to comply with both does not create avoidable conflict. Your best source for advice in this regard is your employment law attorney.
- Maintain good screening records; self audit those records and annually arrange an independent audit.
About the Author:
David Forbes has over 30 years experience in law enforcement, commercial and industrial security-related risk management, and service sector business management. A former head of Thames Valley Police Fraud Squad, trained at New Scotland Yard he was raised and educated to university postgraduate level in England, and is the Co-Founder, past Chairman and current member of the Loughborough University Security Forum. He is also a member of the American Society for Industrial Security, the National Cargo Security Council, The National Legislative Services and Security Association and the Colorado Crime Prevention Association.
As global head of security for a major logistics organization, prior to becoming an independent consultant in 1993 he was responsible for the selection, training and leadership of a regional security management team covering 140 countries. His expertise includes the design and implementation of security programs that successfully combine manpower technology and business goal delivery. He has directed and supervised the introduction of security systems for corporate offices, computer suites, aviation facilities and logistics warehouses in several countries.
His numerous and varied executive consultant projects include advising government departments and private corporations on the successful and cost effective application of security principles incorporating technology within culturally supportive programs.
Media interviews have led to articles about his work being published in magazines and newspapers as far apart as the United Kingdom, Australia, Singapore and the United States. Television and radio entities featuring interviews with David Forbes include the BBC, CNN, FoxNews International, NBC, MSNBC, Channel 9News Denver, CBS Channel 4 Denver, Fox Channel 31 Denver, WB2 News Denver, Radio KHOW Denver, Radio Colorado (Sept 11 special, and Sept 17 Winning on Wall Street) Radio KYGO Denver, Radio KMOX St.Louis, Radio KSON San Diego and Radio KTSA San Antonio. News journalists, particularly from the Denver Post, the Denver Business Journal and the Rocky Mountain News as well as local TV stations continue to call upon him for comment, virtually on a weekly basis.