Do You Need Employee Background Checks to Be HIPAA Compliant?


Kevin Henry

HIPAA

December 20, 2024


Short answer: HIPAA does not explicitly require employee background checks. However, HIPAA’s risk-based framework expects you to control access to Electronic Protected Health Information (ePHI) and to clear your workforce appropriately. Background screening is therefore a widely adopted best practice to satisfy those obligations and to meet other federal and state requirements that may apply to your organization.

To stay compliant and reduce risk, you should align screening with role-based access to ePHI, verify federal healthcare program eligibility, follow state healthcare background mandates, and ensure Fair Credit Reporting Act (FCRA) compliance when using third-party reports.

HIPAA Security Rule Requirements

The HIPAA Security Rule requires administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of ePHI. It does not prescribe specific tools like “background checks,” but it does require documented policies and procedures that limit access to authorized individuals.

Because the Security Rule is risk-based, you determine which controls are “reasonable and appropriate” for your environment. For many covered entities and business associates, role-appropriate background screening helps demonstrate that only trustworthy, properly cleared personnel can touch systems containing Electronic Protected Health Information.

Workforce Security Standard

HIPAA’s Workforce Security Standard directs you to ensure workforce members have appropriate access to ePHI—and to prevent access by those who should not. Practically, this involves authorization and/or supervision, workforce clearance procedures, and termination procedures tied to role-based access.

A well-designed clearance procedure defines the screening depth per job function. For example, personnel with privileged system access or clinical staff who regularly handle ePHI typically warrant more rigorous checks than staff with no system access. Clear criteria, consistent application, and documentation show that your access decisions are deliberate and risk-informed.

Background Checks as Best Practice

While not mandated by HIPAA, background checks support your Workforce Security Standard by validating identity, trustworthiness, and suitability for roles with ePHI exposure. They also help you meet payer and state expectations and reduce insider threat risk.

Typical components for healthcare roles

  • Identity and SSN trace to confirm the candidate you’re screening.
  • Criminal History Checks tailored to the position’s risk and your State Healthcare Background Mandates.
  • Professional license and certification verification, plus sanctions or disciplinary history where applicable.
  • Employment and education verification for roles requiring specific experience or credentials.
  • Drug screening or immunization verification when job-related and permitted by law.

Keep the scope job-related and consistent with business necessity. Overly broad checks can create legal risk without improving security. Pair screening with access controls, training, and monitoring for a layered defense.

Federal Healthcare Program Screening

If you bill federal healthcare programs, you must ensure you do not employ or contract with excluded individuals or entities in roles tied to federal program items or services. Screening the HHS-OIG List of Excluded Individuals and Entities (LEIE) before hire and at regular intervals helps prevent prohibited billing and potential penalties.

OIG exclusion screening is separate from HIPAA but complements your clearance process. Many organizations integrate LEIE checks into onboarding and automate periodic rescreening to quickly detect changes in eligibility.

Consider expanding sanction checks to relevant licensure boards or other program integrity sources appropriate to your payer mix and workforce composition.

State Regulations on Background Checks

States may impose specific healthcare screening mandates—often fingerprint-based—for facilities such as hospitals, long‑term care, home health, and behavioral health. These laws can dictate which Criminal History Checks are required, lookback periods, disqualifying offenses, appeal processes, and rescreening intervals.

Because State Healthcare Background Mandates vary, map statutory requirements by role and location, and align them with your HIPAA clearance procedures. Where state and federal rules overlap, follow the most stringent applicable standard.

Conducting Risk Assessments

Your HIPAA Risk Assessment Process should evaluate how people, processes, and technology could expose ePHI. Use the results to determine which roles require screening, how deep to screen, and how often to rescreen, then document your rationale.

A practical risk-based screening framework

  • Basic access (no ePHI/system access): identity verification; limited checks consistent with job duties.
  • Elevated access (regular ePHI handling or system access): identity, Criminal History Checks, license/sanction verification, employment/education as applicable; exclusion screening if you participate in federal programs.
  • High-trust access (privileged IT admins, revenue cycle leaders, controlled-substance handlers): all of the above plus enhanced checks proportionate to the risk profile and regulatory mandates.

Reassess at least annually and upon major changes (new systems, mergers, or role redesign). Include contractors and volunteers with ePHI access, and verify that vendors with access have comparable controls.

When using a background screening company, ensure Fair Credit Reporting Act (FCRA) compliance: provide a clear, stand-alone disclosure; obtain written authorization; and follow pre-adverse and adverse action procedures if information in a report could negatively affect employment. Allow candidates an opportunity to dispute inaccuracies, and document your decisions.

Apply Equal Employment Opportunity principles and any state or local fair‑chance laws. Make decisions based on job-relatedness and business necessity, consider the nature and gravity of offenses, the time elapsed, and the relevance to the role, and conduct individualized assessments where required.

Protect privacy by limiting data collection to what is necessary, securing reports, and disposing of them properly. Align retention with your recordkeeping policies and any statutory obligations, and ensure access to screening data is restricted just like access to ePHI.

Conclusion

HIPAA doesn’t mandate background checks, but it does require you to clear and control your workforce. Risk-based screening, federal healthcare program exclusion checks, and adherence to state mandates and FCRA create a defensible, compliant approach that protects ePHI and your organization.

FAQs

Are background checks explicitly required by HIPAA?

No. HIPAA does not expressly require background checks. It requires you to implement workforce clearance and access controls so only authorized individuals can access ePHI. Background screening is a common, risk-based way to meet that obligation.

What federal program screenings are mandatory before hiring?

Organizations that bill federal healthcare programs must ensure they do not employ or contract with excluded individuals or entities for federally reimbursable services. Screening the HHS-OIG List of Excluded Individuals and Entities pre‑hire and periodically thereafter addresses this requirement.

How do state laws affect healthcare background checks?

Many states impose specific healthcare background screening rules—often including fingerprint-based Criminal History Checks, defined lookback periods, and disqualifying offenses. Your program must meet these State Healthcare Background Mandates in addition to HIPAA’s workforce security expectations.
