HIPAA data security

Over 16 years ago, the Health Insurance Portability and Accountability Act (HIPAA) enacted provisions to protect health care data privacy and security, and other regulations and guidelines have been passed since then.

So it may come as a surprise that a recent 2012 Kroll Advisory Solutions Report on the health care industry reported that increased compliance standards regarding data security haven’t necessarily increased the safekeeping of protected information.

In the Kroll Report, 79 percent of survey respondents reported that a security breach was perpetrated by an employee and 18 percent of respondents that experienced a breach in the past 12 months cited third-parties as the root cause.

Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS), stated in the press release on the Report that “Healthcare organizations need to ensure that their business associates are taking every precaution to safeguard this information. We know that most security breaches often are the result of actions taken by employees, so background checks, employee training and continued monitoring of policies and procedures are steps all covered entities should ensure are taken by their business associates.”

What types of background checks should organizations consider performing on employees and contingent workers (e.g., vendors, contractors, consultants, temporary workers, and volunteers) to mitigate the risk of an individual either intentionally or unintentionally perpetrating a data breach?

Here are five background checks that you might want to consider adding to your current screening program:

  1. Identity Verification
    Validating the identity of an individual is an important component of a background screening program. An individual may provide an invalid social security number or government identification card to hide a criminal history, bad credit, or even illegal immigration status.

    You can check a person’s Social Security Number (SSN) in the United States by performing SSN Validation. SSN Validation helps to identify an invalid SSN using an information and number assignment methodology from the Social Security Administration (SSA). SSN Validation can be done on any SSN issued before June 25, 2011, and identifies the year and state of issuance and checks the SSA Death Index to help detect anomalies.

    If the individual lives outside the United States, you may be able to authenticate an applicant’s identity information by checking the government issued identification number provided by the applicant against the name associated with that number to determine if it matches the individual’s name.

  2. Criminal History Check
    The last thing you want to do is to hire someone who would be likely to intentionally commit a data breach. A criminal history check reviews potential negative criminal history on individuals that may prevent them from working in certain health care positions.

    This check performs a search of federal or state courts, as applicable, in the U.S. that typically contain misdemeanor and felony offenses to identify records relating to an applicant.

  3. Health Care Sanction Check and Monitoring
    When patient information falls into the hands of a third-party worker with medical sanctions, a health care company may face serious and expensive consequences. Organizations should confirm if an individual has been sanctioned or excluded from participating in federal and state health care programs or the organization may lose the ability to participate in those programs and face fines and other penalties.

    A best practice is a health care sanction check that searches the Fraud and Abuse Control Information System (FACIS®), a current and historical database of sanctions, exclusions, debarments and disciplinary actions, for information about an individual. Performing a health care sanction check on an ongoing basis is required in certain states and a best practice in others.

  4. Adult Abuse Registry Check
    Seniors and adults with disabilities are considered vulnerable populations, which makes them susceptible to physical and verbal abuse, neglect, and exploitation. Hiring an employee with a history of committing adult abuse may endanger patients.

    Some states maintain an adult abuse registry, and prior to hiring an individual, health care organizations can search the state’s adult abuse registry to determine if a caregiver has been placed on a registry for abuse, neglect, exploitation, or misappropriation of a vulnerable adult. Failure by a health care employer to search an adult abuse registry when required may result in civil or criminal charges.

    An adult abuse registry check screens applicable state registries for any records of an applicant who has been identified by state adult protective services to have committed adult abuse.

  5. Extended Worker Background Check
    Contingent or extended workers include third-party vendors, contractors, consultants, temporary workers, and even volunteers. When an individual has the same access to patients and patient data as employees, it only makes sense for a health care organization to extend its background screening program to its extended workforce.

    Even though it can seem simpler and less costly to rely on a third-party vendor’s word about its own employee background screens, the background information may not be current and the screening package may not be as thorough as the ones that health care organizations use.

    If you do rely on the vendor, trust but verify that the checks were performed. In the Kroll Report, less than half of respondents (44%) don’t require proof of employee background checks from their vendors, which could pose a security gap.

The HireRight Blog is provided for informational purposes only. It is not intended to be comprehensive, and is not a substitute for and should not be construed as legal advice. HireRight does not warrant any statements in the HireRight Blog. Any statutes or laws cited herein should be read in their entirety. You should direct to your own experienced legal counsel questions involving your organization's compliance with or interpretation or application of laws or regulations and any additional legal requirements that may apply.