Will a HIPAA Violation Show Up on a Background Check?
Whether or not a HIPAA violation will show up on a background check depends on the nature of the violation, the consequences of the violation, and the motive for the violation. While it is currently rare for a HIPAA violation to show up on a background check, this may change due to a proposed update to the Privacy Rule.
There are many different types of HIPAA violations. Some have minimal impact and no long-lasting consequences – i.e., an accidental disclosure of PHI that is overheard, but nothing comes of it – whereas others can have a major impact on an organization and serious consequences for individuals affected by the violation – i.e., the deliberate misuse of login credential that exposes a PHI database.
Most employee HIPAA violations are addressed according to a Covered Entity’s sanctions policy. Employees responsible for minor violations will likely be sanctioned with verbal or written warnings and additional HIPAA training. Those responsible for repeated or serious violations could be sanctioned with a suspension or termination of employment, or loss of license to practice.
A suspension, termination, or loss of license would be recorded in an employment record, but would not show up on a background check unless the motive for the HIPAA violation was the knowing and wrongful disclosure of individually identifiable health information without authorization – which is not only a violation of HIPAA, but also a violation of §1177 of the Social Security Act.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
When a HIPAA Violation Will Show Up on a Background Check
When a HIPAA violation is also a violation of the Social Security Act, an employer is required to report the violation to a law enforcement agency as well as HHS’ Office for Civil Rights. The case will be referred to the Department of Justice, who will pursue a criminal conviction for the violation. If successful, the penalties for criminally violating HIPAA are:
- For wrongfully and knowingly violating §1177 of the Social Security Act – a fine of up to $50,000 and/or a prison sentence of up to one year.
- If the offence is committed under false pretenses (i.e., with someone else’s login credentials) – a fine of up to $100,000 and/or a prison sentence of up to five years.
- If the offence is committed for personal gain, malicious harm, or a commercial advantage – a fine of up to $250,000 and/or a prison sentence of up to ten years.
Regardless of the sentence imposed, the HIPAA violation, the consequences of the HIPAA violation, and the penalty for the HIPAA violation will become public record and will show up on a background check. This will undoubtedly prevent a person obtaining employment in a healthcare role, and likely prevent employment in any other position in which the person will have access to sensitive data.
The Proposed Update to the Privacy Rule
In April 2023, HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking in the Federal Register. The Notice is in response to the Supreme Court’s decision in Dobbs v. Jackson Women`s Health Organization, which led to many states introducing anti-abortion legislation and women having to cross state lines to have terminations in states where abortions are still legal.
State with anti-abortion legislation cannot prevent women crossing state lines to have a termination, but some have introduced further legislation criminalizing the act of assisting with or facilitating a termination procedure. Because this could lead to the disclosure of PHI to pursue a criminal conviction relating to a medical procedure that was legal in the state it was administered, HHS` Office for Civil Rights is proposing an update to the Privacy Rule.
The update would add a new category of uses and disclosures (“attestation”) to those that already exist (“required”, “permitted”, “opportunity to agree”, and “authorized”). Thereafter, certain types of PHI considered more sensitive than other types could only be used or disclosed if the recipient attests the PHI will not be further used or disclosed for a prohibited purpose (in this case to pursue a criminal conviction relating to a legal procedure).
If finalized, the new category would not only apply to PHI relating to terminations, but to all reproductive healthcare – including contraception, fertility treatment, and miscarriages. The category could also be used to align the Privacy Rule more closely with 42 CFR Part 2 (the confidentiality of substance use disorder medical records), and protect other types of sensitive data from misuse or disclosures that contradict Health and Human Services’ messaging.
How the Update Could Increase §1177 Violations
The reason the update could increase §1177 violations is that, if a person to whom sensitive PHI is disclosed under an attestation subsequently uses or discloses the PHI for a prohibited purpose, they will be considered to have knowingly and wrongfully disclosed individually identifiable health information without authorization.
Importantly, not only will the person who gave a false attestation be guilty of a §1177 violation, but the Covered Entity (or employee of a Covered Entity) who disclosed the information may also be guilty of a §1177 violation if they knew – or should have known – that sensitive PHI was going to be used or disclosed for a prohibited purpose.
If an employee of a Covered Entity is found guilty of a §1177 violation, this will also be a HIPAA violation that will show up on a background check. Therefore – if the proposed update to the Privacy Rule is finalized – not only should Covered Entities make sure policies and procedures reflect the new category of uses and disclosures, but also that all members of the workforce are trained on the updated policies and procedures to prevent avoidable violations of HIPAA.
