Does HIPAA Require Background Checks?

The Health Insurance Portability and Accountability Act of 1996 – or HIPAA – was created to better protect private health information. It created national standards for the proper protection and handling of health information. The overall goals of this Act were to make healthcare more efficient and make the health insurance market more accessible.

Before the enactment of HIPAA, many Americans with pre-existing health conditions found it challenging to get health insurance coverage. HIPAA was also meant to address other issues, including unreasonably high health insurance premiums for small businesses and the inability to transfer benefits between jobs.

HIPAA does not explicitly require background checks. Rather, HIPAA puts the responsibility on the organization to create and implement policies for authorizing and protecting access to health information. Many organizations choose to include background checks in these policies. 

Preemptive background checks can catch certain red flags indicating an individual could pose a risk to protected information, patients, or staff. Other laws or statutes may also require background checks for individuals who work in healthcare settings and have access to controlled substances and vulnerable people. 

There are several types of HIPAA violations. The type, severity, and motive behind the violation can all factor into whether or not it shows up on a background check. 

In most situations, HIPAA violations are accidental and don’t have any lasting impacts. For example, two medical providers discuss a patient’s care and are overheard by another provider. Many violations like this are handled under the organization’s sanction policy and could result in a suspension, fine, or even termination. These violations would not appear on a background check, but suspensions or terminations would be seen on an employee’s record.

More serious violations, such as deliberately sharing protected information or “leaking” information, can impact the entire organization. Employers are obligated to inform law enforcement agencies in these more severe cases when a HIPAA violation also violates the Social Security Act. The Department of Justice (DOJ) typically prosecutes these cases. These violations would show up on a background check. 

Following the June 2022 Supreme Court decision in Jackson V Dobbs, the Department of Health and Human Services’s Office for Civil Rights proposed an update to the Privacy Rule that created HIPAA.

As a result of the Jackson V Dobbs decision, several states enacted anti-abortion legislation forcing women to cross state lines to access reproductive healthcare. Many of these states have also created laws designed to prosecute anyone who participated in or helped a woman receive abortion care. 

Prosecution of these laws can cause protected health information (PHI) to be disclosed to obtain a criminal conviction, even if the medical procedure was carried out in a different state where it was legal. In response, the Office of Civil Rights proposed an update to the privacy rule to prevent certain types of PHI from being used this way.

The proposed update would create new categories of disclosures and uses of PHI. All services relating to the reproductive system, including but not limited to terminations, birth control, pregnancy tests, and fertility treatments, would be classified as “reproductive health care.” Under the proposed update, PHI in this category could only be disclosed if the recipient attests it will not be used in a prohibited way – such as in a criminal or civil suit. The DOJ prosecutes violations of this rule and carries substantial fines and jail times.