You may ask yourself, “How can I protect my practice and my patients from the increasing threat of security breaches within my office?”
For DCs, office staff members are the most common source of data breaches, which include cases of identity theft.
With this in mind, it’s clear that proper background checks are the first line of defense. Many DCs ask, “Am I required to do background checks?” The question shows confusion about what’s required and prudent.
The question they should be asking is “What level of background check do I need to do?” The degree of background checking should be based on the level of risk associated with the position your prospective employee will be assigned.
The guidelines set forth by the Department of Health and Human Services (HHS) and the National Institute of Standards and Technology (NIST) are based on a risk-to-cost concept.¹⁻² HHS has defined this risk and assigned a general risk category to the various contractors and vendors who have access to protected health information (PHI). DCs and their staff are assigned to a low-risk category.³
Defining the risk
But what does a background check actually entail? Basically, there are four levels of background checks mentioned by NIST.²
Level 1: The first level of background check is simply checking the references of the prospective employee. Although this is an accepted general business practice, it is surprising how many doctors do not even complete this basic act of due diligence.
This first level may also require you to check the educational background of prospective employees who must have specific training to meet the job description. Often it’s unwisely assumed that a prospective employee’s training has been verified if they hold a professional state-issued license with a required level of education. In other situations, you may need to contact the educational institution to confirm their program completion.
Level 2: The second level of background check is to see if the prospective employee has ever been excluded from Medicare or Medicaid participation.
The digital age we live in has made this extremely easy, as the Office of Inspector General (OIG) now provides employers a simple and free method of checking online. An employer can search for the prospective employee’s name in the Exclusions Database (exclusions.oig.hhs.gov). This simple step should be performed on all current employees as well as on prospective ones.
Once you have the search results, the findings should be printed off and placed into each employee’s personnel file or added to the file of the prospective employee. This is both easy and free to perform, so it should be a standard part of your process for conducting background checks.
Level 3: The third level of background check is a consumer credit check. Here again, the risk-to-cost concept comes into play. This level may not be necessary for a back office clerk or a chiropractic treatment assistant who never handles money in your office.
For your office manager or your front desk CA, this may be required because there is a higher risk associated with their access to business funds.
The decision to do a Level 3 background check may be influenced by the history of the prospective employee. If he or she is a recent high school graduate, it may not be necessary.
However, for a prospective hire who has had multiple jobs recently, the risk is higher and performing a credit check may be warranted.
Level 4: The fourth and highest level of due diligence is a criminal background check. The risk-to-cost aspect again dictates the need for this level of scrutiny. The decision to perform a criminal background check is based on the history of the prospective employee in relation to the level of risk or responsibility of the position.
A treatment CA who has a low-risk profile likely will not require this level, while an office manager, business manager, or your billing staff may. The work history of the prospective employee will help you decide if this is required. If the applicant has moved numerous times and worked in several states, this may raise the risk to a level that justifies a full background check.
In the past, performing a criminal background check was expensive. Today the cost of a limited criminal background check (one state only) can be as low as $25. Consequently, given the lower cost for this level of background check, the risk-to-cost picture becomes less clear.
In the case of an audit due to a significant breach, it may be difficult to argue that a criminal background check was too expensive for a small office to have performed, especially if the results of a criminal background check would have prevented the breach by exposing the criminal history of the applicant who was eventually hired.
A full-blown or multi-state background check is also much less expensive today compared to the past. Numerous attorneys have written articles arguing that, due to the low cost, a criminal background check should be performed on all new employees.
If you are unsure of when to do one, discuss it with your business attorney. Due to the extreme consequences, such as a $150,000 fine, it is better to play it safe now rather than be sorry later.
Don M. Cross, DC, CPCO, is a Certified Professional Compliance Officer and leader in the chiropractic profession. A professor at Palmer Chiropractic College-Florida focusing on the business of practice, he’s served as president of the Florida Chiropractic Association (FCA) and vice president of the Council of Chiropractic State Associations (COCSA). He also created the OCCM Chiropractic Compliance Manual. He can be contacted through chiropracticcompliance.com.
1 Department of Health and Human Services. HIPAA Security Series Volume 2: Paper 1 through 6. 45 CFR Part 160 and Part 164, Subparts A and E.
2 National Institute of Standards and Technology (NIST). 800 Series of Special Publications: SP800-30—Risk Management Guide for Information Technology Systems.
3 Federal Register, September 23, 2010. 42 CFR Parts 405, 424, 438, et seq. Medicare, Medicaid, and Children’s Health Insurance Programs; Additional Screening, Requirements, Application Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers; Proposed Rule.