Background Check Checklist for HIPAA Compliance: Covered Entities and Business Associates
Use this background check checklist for HIPAA compliance to vet employees, volunteers, contractors, and vendors who may access electronic protected health information (ePHI). It aligns hiring and onboarding with risk-based controls so covered entities and business associates can protect patient data and demonstrate due diligence.
HIPAA Security Rule Workforce Security Standard
The Workforce Security standard (45 CFR 164.308(a)(3)) requires you to ensure that only authorized workforce members have access to ePHI and that access ends promptly when no longer needed. Translate this into clear job roles, minimum access rules, and supervision for staff in training or high-risk positions.
Implement its three implementation specifications: authorization and/or supervision for new or reassigned staff, workforce clearance appropriate to role risk, and rapid termination procedures. All three are "addressable," which does not mean optional: you must implement each one where reasonable and appropriate, or document why it is not and what equivalent measure you use instead. Tie each role to specific systems and datasets to uphold Privacy Rule safeguarding and the minimum necessary standard.
Workforce Clearance Procedures
Define workforce clearance procedures that scale with role risk. Clinical staff handling ePHI, billing teams, IT administrators, and remote workers require deeper checks than roles with no system access.
Core steps
- Pre-screen planning: map roles to risk, define adjudication criteria, and prepare compliant disclosures and authorizations.
- Identity verification: confirm legal name, SSN/ITIN, and address history before any record searches.
- Credential validation: verify education, training, and current licensure directly with primary sources where applicable.
- Background investigation: order job-relevant checks and record the results in an auditable form (who ordered what, from which source, on what date, with what outcome).
- Adjudication and access: apply consistent, job-related criteria; grant least-privileged access to ePHI only after clearance.
- Rechecks: rescreen on a set cadence or when job duties or risk levels change.
Types of Background Checks
Choose checks that are job-related and consistent with business necessity. Use standardized adjudication guidelines and document rationale for each decision.
- Identity and SSN trace to surface alias names and prior jurisdictions.
- Criminal history searches (county, state, federal) with jurisdiction-level verification for any hits.
- Sex offender and sanctions searches, plus healthcare-specific exclusions such as the List of Excluded Individuals/Entities (LEIE).
- Employment and education verification to confirm tenure, titles, and degrees.
- Professional license and certification verification with status and disciplinary history.
- Motor vehicle records for roles that drive patients, samples, or equipment.
- Credit reports only for fiduciary roles or those with access to funds or financial systems, where permitted.
- Drug testing where allowed by law and policy, with clear-cut procedures for legitimate prescriptions.
- Civil records (e.g., relevant fraud or malpractice judgments) when job-related.
- International screens for candidates who lived or worked abroad, aligned to local laws.
LEIE Screening
Screen all workforce members, contractors, and vendors against the List of Excluded Individuals/Entities (LEIE) before they start and at least monthly thereafter, since the OIG updates the list on a monthly basis. Federal health care programs will not pay for items or services furnished, ordered, or prescribed by an excluded person, and employing or contracting with one exposes the organization to repayment demands, civil monetary penalties, and reputational harm.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Operational best practices
- Define the population: employees, medical staff, temps, owners, contractors, and volunteers tied to patient care or billing.
- Run exact-name and alias searches (maiden and former names included); resolve potential matches with additional identifiers such as date of birth, NPI, or SSN rather than on name alone.
- Record each check with date, data source, search terms, match/no-match result, and reviewer sign-off.
- Integrate continuous monitoring where feasible and document remediation steps for any positive match.
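The practices above (exact and alias searches, resolving name-only hits with extra identifiers, and an auditable record per check) can be made concrete in code. The following is an added example and is not part of the original page or of any vendor's product. The exclusion rows are constructed and fictitious; the column names are assumed to follow the shape of the OIG LEIE download file, and the roster, `SAMPLE_AS_OF` date, and the "clear / potential / confirmed" result labels are this example's own conventions.

```python
"""Screen a workforce roster against an LEIE-style exclusion list (added example)."""
from __future__ import annotations

import csv
import io
import re
import unicodedata
from dataclasses import dataclass
from datetime import date

# Constructed sample rows (fictitious). Column names assumed to mirror the OIG
# LEIE download; dates are YYYYMMDD and all-zero means "not recorded".
LEIE_CSV = """LASTNAME,FIRSTNAME,MIDNAME,BUSNAME,NPI,DOB,EXCLTYPE,EXCLDATE,REINDATE
DOE,JOHN,A,,1234567893,19700101,1128a1,20190315,00000000
SMITH,MARIA,,,0000000000,19851130,1128b4,20200701,00000000
RIVERA,ANA,,,0000000000,19900210,1128a1,20150101,20210101
,,,ACME HOME HEALTH LLC,0000000000,00000000,1128b8,20180601,00000000
"""

# Constructed roster: current name, former/maiden names on file, NPI, DOB.
ROSTER = [
    {"id": "E100", "name": "Jon Doe", "aliases": ["John A. Doe"], "npi": "1234567893", "dob": "1970-01-01"},
    {"id": "E101", "name": "Maria Smith", "aliases": [], "npi": "", "dob": "1979-05-05"},
    {"id": "E102", "name": "Ana Rivera", "aliases": [], "npi": "", "dob": "1990-02-10"},
    {"id": "E103", "name": "Priya Natarajan", "aliases": ["Priya Menon"], "npi": "", "dob": "1988-08-08"},
]
SAMPLE_AS_OF = date(2024, 6, 1)  # constructed "today" so the run is reproducible


@dataclass
class CheckRecord:
    """One auditable screening record: who, when, which source, which terms, outcome."""
    person_id: str
    checked_on: str
    source: str
    search_terms: list[str]
    result: str              # "clear" | "potential" | "confirmed"
    matched_row: dict | None
    reviewer: str = ""       # filled in at sign-off


def norm(text: str) -> str:
    """Uppercase, strip accents and punctuation, collapse whitespace."""
    plain = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^A-Za-z ]", " ", plain).upper().split())


def name_key(full_name: str) -> str:
    """'John A. Doe' -> 'DOE|JOHN' (last token = surname, first token = given name)."""
    parts = norm(full_name).split()
    return f"{parts[-1]}|{parts[0]}" if len(parts) >= 2 else ""


def load_leie(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def exclusion_active(row: dict, today: date) -> bool:
    """An all-zero or future REINDATE means the exclusion is still in force
    (defensive: a stale local copy may still carry a since-reinstated entry)."""
    rein = row.get("REINDATE", "00000000")
    if rein in ("", "00000000"):
        return True
    return date(int(rein[:4]), int(rein[4:6]), int(rein[6:8])) > today


def identifier_match(person: dict, row: dict) -> bool:
    """A name hit is only 'confirmed' when a hard identifier (NPI or DOB) also agrees."""
    npi_ok = person["npi"] and person["npi"] == row["NPI"] and row["NPI"] != "0000000000"
    dob_ok = person["dob"].replace("-", "") == row["DOB"] and row["DOB"] != "00000000"
    return bool(npi_ok or dob_ok)


def screen(roster: list[dict], leie: list[dict], today: date, source: str = "LEIE") -> list[CheckRecord]:
    by_name: dict[str, list[int]] = {}
    by_npi: dict[str, list[int]] = {}
    for i, row in enumerate(leie):
        if row["LASTNAME"] and row["FIRSTNAME"]:
            by_name.setdefault(f"{norm(row['LASTNAME'])}|{norm(row['FIRSTNAME'])}", []).append(i)
        if row["NPI"] and row["NPI"] != "0000000000":
            by_npi.setdefault(row["NPI"], []).append(i)

    records = []
    for person in roster:
        terms = [person["name"], *person["aliases"]]  # every term searched is recorded
        hit_ids: set[int] = set()
        for term in terms:
            hit_ids.update(by_name.get(name_key(term), []))
        hit_ids.update(by_npi.get(person["npi"], []))  # NPI hit even if the name differs
        active = [leie[i] for i in sorted(hit_ids) if exclusion_active(leie[i], today)]
        if not active:
            result, matched = "clear", None
        elif any(identifier_match(person, r) for r in active):
            result, matched = "confirmed", next(r for r in active if identifier_match(person, r))
        else:
            result, matched = "potential", active[0]  # name-only: resolve manually with more identifiers
        records.append(CheckRecord(person["id"], today.isoformat(), source, terms, result, matched))
    return records


def run_sample() -> list[CheckRecord]:
    return screen(ROSTER, load_leie(LEIE_CSV), SAMPLE_AS_OF)


if __name__ == "__main__":
    for rec in run_sample():
        print(rec.person_id, rec.result, rec.search_terms)
```

On the constructed data, E100 is confirmed through the alias and the matching NPI, E101 is a name-only hit whose date of birth disagrees and so stays "potential" for a reviewer to resolve, and E102 is clear because the row's reinstatement date has passed. The `BUSNAME` column is loaded but not matched here; vendor and entity screening needs its own business-name normalization. Each `CheckRecord` carries the date, source, every search term used, and the outcome, with `reviewer` left empty until sign-off, which is the record the "Record each check" practice calls for.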
Compliance with Federal and State Laws
Background checks intersect with several legal regimes. Build your program to satisfy these while honoring HIPAA’s Privacy Rule safeguarding and minimum necessary practices.
- FCRA: provide standalone disclosures, obtain written authorization, and follow pre-adverse and adverse action steps with required notices and waiting periods.
- EEOC guidance: use individualized assessments; ensure findings are job-related and consistent with business necessity; avoid blanket exclusions.
- Ban-the-box and fair-chance laws: sequence checks after conditional offers and respect local timing and notice requirements.
- Credit, salary history, marijuana, and biometric/fingerprint rules: confirm state and city restrictions before ordering or using results.
- Data privacy and retention: collect only what you need, store securely, limit access, and dispose of records per policy; keep an auditable record of each check and decision so you can show regulators what was done and why.
Business Associate Agreements and Subcontractor Compliance
When a screening vendor or HR platform can access ePHI, execute a Business Associate Agreement (BAA). Note that applicant and employment records held by a covered entity in its role as employer are not PHI, so a screening vendor that only handles candidate data is not automatically a business associate; the BAA is required when the vendor's systems or staff can reach patient data. The BAA should require safeguards, breach notification, permitted uses, return or destruction of ePHI, and a commitment to workforce clearance procedures.
Flow these obligations to subcontractor agreements so every downstream entity with potential ePHI exposure meets equivalent standards. Require vendors to screen their own staff, perform LEIE checks, train on HIPAA, and provide evidence of controls upon request.
Documentation and Remediation Practices
Maintain a written policy, role-risk matrix, and a step-by-step checklist from disclosure through adjudication. Keep centralized, auditable records of decisions, access grants, LEIE results, and adverse action communications.
When results raise concerns, apply a structured remediation path: confirm identity and accuracy, obtain context from the individual, conduct an individualized assessment, and choose outcomes such as conditional hire, added supervision, duty modification, delay pending license reinstatement, or disqualification when risks cannot be mitigated.
Schedule periodic rescreening for sensitive roles, major role changes, or following policy-triggering events. Review metrics quarterly to close gaps and update procedures as laws and risks evolve, and retain screening records only as long as policy and law require.
Summary
A resilient program ties role-based risk to workforce clearance procedures, validates credentials, screens against the LEIE, and documents every step. BAAs and subcontractor agreements extend protections to vendors, while careful legal compliance and Privacy Rule safeguarding keep checks lawful and proportionate. Strong records and thoughtful remediation prove diligence and help you protect ePHI over time.
FAQs
Are background checks mandatory under HIPAA?
HIPAA does not list specific background checks. The Security Rule's Workforce Security standard includes workforce clearance procedures and authorization and/or supervision as addressable implementation specifications, meaning you must implement them where reasonable and appropriate or document an equivalent alternative. Most organizations implement background checks to meet this standard and demonstrate reasonable, risk-based safeguards.
What types of background checks are recommended for HIPAA compliance?
Common, risk-based components include identity and SSN trace, county/state/federal criminal searches, LEIE screening, employment and education verification, professional license checks, and—when job-related—motor vehicle records, drug testing, credit reports, or civil searches. Depth increases with access to ePHI, financial systems, or patient interaction.
How do Business Associate Agreements affect background check requirements?
Business Associate Agreements (BAAs) obligate vendors that may handle ePHI to safeguard it, which typically includes workforce clearance procedures, LEIE screening, HIPAA training, access controls, and prompt breach reporting. Subcontractor agreements must flow down equivalent requirements.
What laws regulate HIPAA-related employee background checks?
Key frameworks include the Fair Credit Reporting Act (FCRA), EEOC guidance on use of criminal records, and state or local laws such as ban-the-box, credit check limits, marijuana testing rules, and data privacy requirements. Your program should incorporate these alongside HIPAA’s Privacy Rule safeguarding and minimum necessary principles.