As a healthcare provider, do you conduct a pre-employment background check on all potential new hires? Do you routinely conduct periodic background checks for the current workforce? If the answer to either of these questions is “no,” you may want to reconsider and implement a policy.
There is a growing concern in the healthcare sector regarding insider threats. Being HIPAA compliant puts the necessary administrative, technical and physical safeguards in place. But most of these safeguards address how to ensure systems and the workforce properly manage risk. Even with the minimum necessary requirement of the HIPAA Privacy Rule, think about those in your practice who have access to protected health information, especially paper charts and records. Access to paper records, notes and charts poses a greater risk for a breach than electronic health records because, with paper records, there is the lack of an IT-based audit trail.
In May, Becker’s Health IT & CIO Review reported that during a 14 day period, there were six insider threat cases the public was made aware of. In one case, a nurse at Albany (N.Y.) Medical Center was arrested at the hospital and charged with stealing patient information. In another case, an employee who processed billing for Baylor All Saints Medical Center in Fort Worth, Texas, may have stolen patient information over a seven month period. There was no information provided in either case indicating that background checks were conducted on these employees and if there was, how thorough the checks were.
When the Ponemon Institute released its Fourth Annual Benchmark Study on Patient Privacy & Data Security last March, a significant finding stood out. According to the report, “Employee negligence is considered the biggest security risk” when it comes to safeguarding health data. The report went to say, “75 percent of organizations (surveyed) say employee negligence is their biggest worry.”
There appears to be a failure to exercise reasonable care when it comes to safeguarding protected health information, whether a compromise of records is intentional or unintentional. Background checks won’t help prevent human error and circumstances where the breach was unintentional. Better security awareness training can address that issue.
But when the circumstances are intentional and an employee is to blame, you will need to look at the employee and hiring practices. As a hiring manager who has an employee arrested for theft, there is no worse feeling than when the police inform you about a prior criminal record that employee had. However, pre-employment background checks may not help if the employee has no criminal record and just goes rogue for financial gain. This is why I recommend a policy to conduct background checks on a regular basis for all employees, not just new hires. You may want to include a credit check as part of your background check policy.
Stacy Skinner is the President of SCS Health and Security Associates, a company that offers background checks as part of their portfolio of services. According to Skinner, “Conducting background checks for all applicants is a great idea because you want to reduce the risk of a negligent hire. Every time an employer hires an employee, they take a risk and by conducting a background check, it helps to mitigated risk. It comes down to protecting sensitive information, patient confidentiality, patient safety, safety of the staff, and that of the business. Know more about who you are hiring. It can make a difference.”
Here are 5 suggestions for implementing or modifying an existing background check policy.
- Be consistent with a background check policy. That is a must. Background checks must be conducted for the entire workforce, including contract and temporary employees. Consider using a tiered approach that is dependent on the position to be filled. For example, a doctor would warrant a more comprehensive check than a receptionist.
- Always check the U.S. Department of Health and Human Services, Office of Inspector General Excluded Individuals/Entities List (LEIE). The LEIE is an excellent way to see if an employee has previous sanctions preventing him/her from working in the healthcare sector.
- Consider conducting periodic background checks for those workforce members who have been on-board for a while. Rescreening workforce members can help to make sure an employee does not slip through the cracks by not notifying management of any recent criminal convictions.
- Drug screening - if a program is not in place, consider implementing one. The screening would be applicable to job applicants along with the current workforce.
- Consider contracting with a reputable investigations company that specializes in background checks. Leave this job to the professionals who know how to conduct background checks. Trying to obtain criminal background checks on your own can vary from state-to-state and be a time consuming process in some cases.
Before implementing or updating a policy regarding background checks, credit checks and drug testing, it is always prudent to seek advice of legal counsel. For more information about background checks, visit the U.S. Equal Employment Opportunity Commission website.
Author: Jay Hodes is the President of Colington Security Consulting LLC and the former Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services, Office of Inspector General. In that position he supervised over 200 Special Agents and professional support staff responsible for health care fraud and medical identity theft investigations. Now working as a consultant, Jay’s company provides assistance with HIPAA compliance for healthcare providers and business associates.