HIPAA and New York State: Background Check Requirements for Healthcare Employers
HIPAA Security Rule Compliance
HIPAA does not mandate employee background checks. However, the HIPAA Security Rule requires you to safeguard Electronic Protected Health Information (ePHI) through workforce security, access controls, and risk management. Many healthcare employers use background screening as an administrative safeguard to help ensure only trustworthy, authorized personnel can access ePHI.
Translate that requirement into clear policies. Define which roles require screening, what information you will collect, and how results inform job-related decisions. Limit collection to the minimum necessary, restrict access to Criminal History Record Check data, and store reports in secure systems separate from clinical records. Maintain audit logs, retention schedules, and disposal procedures for background data.
If a background file ever contains ePHI or sensitive identifiers, apply breach response and sanction procedures. When you use third‑party screeners, treat them as vendors with contractual privacy, security, and confidentiality commitments aligned to your HIPAA program.
Criminal History Record Checks
New York law requires many healthcare settings to complete Fingerprint-Based Background Checks. These Criminal History Record Checks typically use state and federal repositories and apply across programs regulated by agencies such as the Department of Health, the Office for People With Developmental Disabilities, the Office of Mental Health, the Office of Addiction Services and Supports, and the Office of Children and Family Services.
Who is commonly covered
- Direct-care and patient-facing roles, including aides, technicians, and support staff with resident or client contact.
- Nonclinical roles with routine access to facilities, medication rooms, or sensitive systems, as defined by program rule.
- Contractors and staffing-agency personnel placed inside licensed facilities, when program rules extend to them.
Process essentials
- Obtain written authorization, submit fingerprints through the authorized channel, and track each step to completion.
- Evaluate results using a job-related, individualized assessment consistent with New York’s Article 23‑A factors and any program-specific disqualifiers.
- Follow required notification steps if considering adverse action, share the report, and provide a reasonable opportunity for the candidate to respond.
- Understand work restrictions while results are pending; some programs allow supervised duties, others require full clearance before unsupervised contact.
- Re-screen only when permitted by law or regulation, and purge records under your retention schedule.
Staff Exclusion List Checks
The Staff Exclusion List is New York’s safeguard against placing individuals who have committed serious abuse or neglect in roles serving vulnerable persons. If your program falls under the Justice Center’s jurisdiction, you must check the Staff Exclusion List before hire (and periodically, if required) and you may not employ someone on the list in positions with regular and substantial contact with service recipients.
Build this check into your onboarding workflow, document the search result, and train hiring managers not to bypass the process. Treat a positive hit as disqualifying where the governing rules mandate it, and keep any supporting files confidential.
Statewide Central Register Database Checks
The Statewide Central Register is New York’s database of child abuse and maltreatment records. Many healthcare employers that place staff in roles with regular contact with children must complete Statewide Central Register database checks as a condition of hire. Requirements vary by program and role; pediatric units, clinics, home- and community-based services, and behavioral health programs that serve minors often fall within scope.
Obtain candidate consent, submit the request through the prescribed channel, and use the results only for the authorized suitability determination. Maintain confidentiality, give candidates a chance to explain relevant findings as your policy allows, and ensure decisions remain narrowly tailored to the duties of the job.
New York City Fair Chance Act Compliance
The Fair Chance Act governs when and how you may consider criminal history for roles in New York City. In most cases, you must remove criminal-history questions from applications, wait until after a conditional offer to run a background check, and use an individualized assessment before taking action.
Required sequence and notices
- Make a conditional offer first, unless a specific law requires earlier screening for the position.
- If you intend to withdraw the offer based on a record, provide a Fair Chance Act notice that explains your analysis, share the background report you relied on, and give the applicant the legally required time to respond.
- Exclude non-conviction information and sealed matters from consideration, and document your final decision-making process.
Regulated-role carve‑outs
Certain positions subject to statutory fingerprinting or categorical bars can follow different timing rules. Even when a carve‑out applies, keep your analysis job-related, maintain required notices, and record the specific legal basis for the exception.
Impact of New York Clean Slate Act
New York’s Clean Slate Act provides for automatic sealing of many eligible convictions after defined waiting periods once sentences are completed. For most employers, sealed convictions are off-limits: you may not ask candidates to disclose them, and consumer reporting agencies generally will not include sealed records in background reports.
What healthcare employers should expect
- Position-specific exceptions exist. Where a law requires fingerprint-based screening for employment or licensure, sealed records may remain accessible to the authorized agency for a suitability review. Use any sealed information only as the governing statute and regulations permit.
- Update your forms, disclosures, and interview scripts to state that applicants should not disclose sealed convictions. Build Clean Slate Act Notifications into your adverse action templates to confirm that only legally reportable information was considered.
- Coordinate Clean Slate and Fair Chance Act compliance: exclude sealed items from your analysis, complete the individualized assessment for any unsealed convictions, and preserve documentation.
- Refresh retention schedules so you do not keep older background files that include information that later becomes sealed, unless a law specifically requires retention.
Best Practices for Healthcare Employers
Map your regulatory footprint
- Identify every governing program (DOH, OPWDD, OMH, OASAS, OCFS) touching your sites, roles, and contractors, and list the exact checks each one requires.
- Create a position-to-requirement matrix that flags Criminal History Record Check, Staff Exclusion List, and Statewide Central Register obligations by role.
Standardize your Fingerprint-Based Background Checks
- Centralize fingerprint scheduling, track statuses, and escalate delays before start dates slip.
- Use a documented, Article 23‑A–aligned decision rubric that ties each factor to the job’s core duties and risks.
Integrate exclusion and registry checks
- Automate Staff Exclusion List queries before hire and at defined intervals if required.
- Trigger Statewide Central Register requests only for roles that meet the statutory criteria to avoid over-collection.
Sequence screening to fit the Fair Chance Act
- Run non-criminal screens (e.g., license verification, work history) pre-offer; conduct criminal checks post-offer unless a legal carve‑out applies.
- When you consider withdrawing an offer, issue the Fair Chance analysis and hold the role open for the prescribed response period.
Respect Clean Slate Act Notifications and limitations
- Revise applications to instruct candidates not to disclose sealed convictions.
- Train recruiters not to probe sealed matters and to document that only unsealed, legally reportable information was considered.
Safeguard background data like ePHI
- Apply HIPAA-style access controls, encryption, and audit logging to background reports and criminal history record information (CHRI).
- Segment storage from clinical systems, limit viewer permissions, and purge on schedule.
Document, audit, and train
- Publish clear policies, keep checklists at the point of hire, and retain evidence of each step.
- Audit quarterly for timing, notice delivery, sealed-record handling, and decision consistency.
Conclusion
HIPAA drives how you protect information; New York law dictates what you must check. Align the two: complete required Criminal History Record Checks, Staff Exclusion List searches, and Statewide Central Register queries; follow New York City’s Fair Chance Act sequencing; and update processes for the Clean Slate Act. With documented workflows and strong data safeguards, you can hire compliantly and protect both patients and candidates.
FAQs
Are employee background checks mandatory under HIPAA in New York State?
No. HIPAA does not require background checks. In New York, screening obligations arise from state and local laws and program rules (for example, fingerprint-based Criminal History Record Checks, Staff Exclusion List searches, and Statewide Central Register queries) rather than from HIPAA. HIPAA’s role is to ensure you manage access to ePHI and keep any background data secure.
What specific background checks must New York healthcare employers conduct?
Requirements depend on your license, program, and role. Common mandates include Fingerprint-Based Background Checks via a Criminal History Record Check for many direct-care positions, Staff Exclusion List checks for programs serving vulnerable persons, and Statewide Central Register database checks for roles with regular contact with children. Most employers also verify professional licenses and screen federal and state exclusion lists when billing Medicaid.
How does the New York City Fair Chance Act affect background check procedures?
In NYC, you generally may not ask about criminal history until after a conditional offer. If you consider withdrawing the offer, you must provide a Fair Chance analysis, share the report, and give the candidate a meaningful chance to respond before making a final decision. Narrow exceptions apply where law requires earlier screening or imposes categorical bars for specific roles.
What are the implications of the New York Clean Slate Act for healthcare hiring?
Many eligible convictions are automatically sealed after set waiting periods, and you may not ask about or rely on sealed records. Consumer reports should not include sealed convictions. However, when a statute requires fingerprint-based screening, authorized agencies may still access sealed information for suitability reviews. Update forms with Clean Slate Act Notifications, train staff, and ensure decisions rely only on legally reportable information.