HIPAA Violations That Are Visible on Background Checks

Whether a HIPAA violation is visible on a background check depends on the type of violation, the effects of the violation, and the reason for the violation. Although it is presently unusual for a HIPAA violation to appear on a background check, this could change because of a proposed revision to the Privacy Rule.

There are several types of HIPAA violations. Certain violations have little effect and no long-term effects (for example, an unintentional disclosure of PHI that is overheard, although nothing happens because of it), while others could have a big effect on a company and critical results for the people impacted by the violation (for example, the intentional misuse of account credentials that compromises a database with PHI).

The majority of employee HIPAA violations are dealt with under a Covered Entity’s sanctions policy. Workers responsible for minor violations are sanctioned with written or verbal warnings and extra HIPAA training. People responsible for recurrent or critical violations may be sanctioned with termination or suspension of employment or loss of license.

A termination, suspension, or loss of license will be documented in an employment report, but it will not be visible on a background check unless the grounds for the HIPAA violation were the deliberate and wrongful disclosure of individually identifiable health data without consent. That constitutes a violation of HIPAA and §1177 of the Social Security Act.

HIPAA Violations That Show Up on a Background Check

If a HIPAA violation also violates the Social Security Act, a company needs to submit a violation report to law enforcement and to HHS’ Office for Civil Rights. The case will be forwarded to the Department of Justice, which will follow it up by pursuing a criminal conviction for the HIPAA violation. The penalties for a criminal violation of HIPAA include:

  • For wrongfully and deliberately violating §1177 of the Social Security Act, the penalty is as much as $50,000 and/or a prison sentence of about one year.
  • For an offense that is carried out under false pretenses (for example, with somebody else’s account credentials), the penalty is as much as $100,000 and/or a prison sentence of about five years.
  • For an offense that is undertaken for malicious harm, personal gain, or commercial advantage, the penalty is up to $250,000 and/or imprisonment of up to ten years.

Regardless of the sentence imposed, the HIPAA violation, its effects, and the fine, the violation will become part of the public record and will be visible on a background check. This will unquestionably stop an individual from getting a job in a healthcare position and will probably hinder work in any other position in which the individual would have access to sensitive information.

The Proposed Changes to the Privacy Rule

In April 2023, HHS’ Office for Civil Rights released a Notice of Proposed Rulemaking in the Federal Register in response to the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization. Several states enacted anti-abortion laws, and women needed to travel to other states where abortions remain legal.

States that have anti-abortion laws cannot stop women from going to other states to have a termination. However, some states have introduced further laws criminalizing the act of helping or aiding a termination procedure. Since this can result in PHI being disclosed to pursue a criminal conviction associated with a medical procedure that was lawful in the state where it was performed, HHS’ Office for Civil Rights is proposing a change to the Privacy Rule.

The revision would add another category of uses and disclosures (“attestation”) to those that already exist (“required”, “opportunity to agree”, “permitted”, and “authorized”). After that, particular types of PHI regarded as more sensitive than other types could only be used or shared if the recipient agrees that the PHI won’t be further used or disclosed for a forbidden purpose (in this instance, to pursue a criminal conviction associated with a legal procedure).

If approved, the new category will not apply only to PHI associated with terminations. It will apply to all reproductive healthcare, which includes contraception, miscarriages, and fertility treatment. The category can likewise be used to align the Privacy Rule more closely with the confidentiality of substance use disorder medical records (42 CFR Part 2), and to protect other types of sensitive information from misuse or disclosures that run counter to Health and Human Services’ messaging.

How the Revision Could Result in More §1177 Violations

The update could result in more §1177 violations because when an individual with whom sensitive PHI is shared under an attestation later uses or discloses the PHI for a forbidden purpose, they will be regarded as having deliberately and improperly disclosed individually identifiable health data without consent.

Notably, the individual who provided a false attestation will not be the only one blamed for a §1177 violation. The Covered Entity (or staff of a Covered Entity) that disclosed the data will also be charged with a §1177 violation if they knew, or must have been aware, that the sensitive PHI would be used or disclosed for a forbidden purpose.

When a staff member of a Covered Entity is found guilty of a §1177 violation, this HIPAA violation will be visible on a background check. Consequently, if the proposed changes to the Privacy Rule are approved, Covered Entities must ensure that policies and procedures reflect the new category of uses and disclosures, and all employees should be trained on the revised policies and procedures to avert preventable violations of HIPAA.