One of the least understood and most ignored requirements in HIPAA is called “Workforce Clearance” (WC). This “addressable” requirement is part of the Security Rule’s Administrative Safeguards, and appears at 164.308(a)(3).
“Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.”
A Danger and an Opportunity
Hidden in these few words is one of the greatest dangers – and opportunities – for both Covered Entities (CEs) and Business Associates (BAs). The danger and the opportunity both derive from the fact that many data breaches and thefts of PHI are perpetrated by insiders.
- Insiders at Tenet were recently charged with theft and HIPAA violations.
- A Johns Hopkins employee who worked in the hospital’s patient registration area was recently charged with fraud after stealing patient files.
- Kaiser Permanente’s Bellflower Hospital was recently fined $250,000 because employees were snooping into an octuplet mom’s (“Octomom”) medical records.
The danger to CEs is that some trusted insider will be tempted to steal, sell, or hold Protected Health Information (PHI) hostage for personal gain. The opportunity is the chance to avoid HIPAA violations and bad publicity by making sure the people inside your entity are trustworthy and responsible.
“Workforce Clearance” Really Means “Background Checks”
In truth, many of these incidents might have been prevented if the entities involved had followed HIPAA’s “Workforce Clearance” requirement more strictly. The essence of Workforce Clearance is really background screening of employees, often referred to as “background checks.”
While many entities do perform some background screening for new hires, many do only a cursory check, often through the lowest bidder. Unfortunately, this is a recipe for disaster.
People with Problems are More Prone to Crime
The simple fact is, people with criminal backgrounds and those with huge amounts of debt are more often involved in PHI thefts and breaches than those without such problems. And well-done background checks frequently identify high-risk individuals.
Background Screening – Rule of Thumb
A general rule of thumb is that the positions that carry the greatest responsibility should have the most intensive background checks. Positions such as IT Director, Senior Admin, Security Director, Medical Records Director and Manager should all have thorough background screening performed for applicants before they are hired. Some HIPAA entities are also re-screening workers in key positions periodically, to discover potential people problems in advance.
Background screenings for critical positions should include:
- Confirmation of previous employment history.
- Multi-state or nationwide criminal background checks.
- Credit history reports.
- Driving history and violation reports.
Don’t Cut Costs on Workforce Clearance
While many CEs and BAs try to rein in costs by cutting back on background screening, the smartest entities are stepping up their use of background checks. They are moving to comply with HIPAA’s addressable “Workforce Clearance” requirement, and in doing so they reduce the risk from another “reasonably anticipated” threat to the PHI they are entrusted with.