Real Talk: Do Administrative Staff Handling PHI Need Background Checks?

The Question:

“Are administrative staff working with PHI in a primary care office required to complete a background check? If so, are there specific places those background checks need to be performed?”

Federal Requirements

At the federal level, HIPAA does not explicitly require background checks. HIPAA’s Privacy and Security Rules (45 CFR Parts 160 & 164) require covered entities to implement “reasonable and appropriate” safeguards to ensure the confidentiality, integrity, and security of PHI (e.g., implementing appropriate workforce policies and procedures).

However, if a practice participates in federal healthcare programs (e.g., Medicaid), it must screen all staff against the HHS-OIG List of Excluded Individuals and Entities (LEIE) prior to hire and—best practice—monthly thereafter, to ensure no one is excluded from federal program participation.

State Requirements: Vary by Jurisdiction

States often add their own background screening requirements for licensed providers (e.g., criminal history checks, abuse registry checks, fingerprinting, etc.), which can depend on license type, payer participation, and whether the practice serves vulnerable populations. Always confirm with your state licensing board or health department.

Example State: Oregon

For OHA-licensed providers that accept the Oregon Health Plan and serve vulnerable populations, background checks are mandatory for both clinical and administrative staff with PHI access—even if they have no direct patient contact.

Oregon – Federal Layer (Due to Medicaid Participation)

  • Screen all staff (including administrative personnel handling PHI) against the HHS-OIG LEIE before hire and, as a best practice, monthly thereafter.
  • Purpose: confirm no staff member is excluded from federal programs due to fraud, abuse, or other disqualifying misconduct.

Oregon – State Layer (OAR & Statutes)

  • Under OAR 943-007-0000 et seq., administrative staff handling PHI qualify as “subject individuals.” They must complete a criminal background check through the OHA Background Check Unit (BCU), which may include:
    • Oregon State Police criminal history records
    • Abuse registry screenings (Adult Protective Services, Child Abuse Registries, CPS)
    • A fitness determination based on findings
  • If the practice serves vulnerable populations, ORS 181A.200 requires FBI fingerprint-based checks. Even without direct patient contact, PHI access may trigger this requirement.
  • Providers can use ORCHARDS, the Oregon Criminal History and Abuse Records Data System developed by CMS and the National Background Check Program, to submit background checks and receive any required fitness determination results.

What This Means

  • Nationally: HIPAA doesn’t explicitly mandate background checks; however, LEIE screening applies if you participate in federal healthcare programs.
  • In Oregon: OHA-licensed, Medicaid-participating practices serving vulnerable populations must complete LEIE screening, OHA BCU checks, and FBI fingerprinting for administrative staff with PHI access.

Our Recommendation

  1. Perform OIG LEIE checks for all staff if you receive federal funds (before hire and monthly as a best practice).
  2. Confirm your state’s rules. Oregon’s framework is a good example of requirements that go beyond HIPAA.
  3. Document your process (and maintain records of screenings and determinations).
  4. Consult legal counsel or your state authority when in doubt (e.g., OHA Background Check Unit in Oregon).

Next Step:

If you want tools to strengthen your HIPAA compliance program, explore Gamma’s HIPAA resources: View HIPAA Solutions.


Disclaimer: The information contained in this blog is for general informational purposes only and is not intended as legal, regulatory, compliance or other professional advice. Federal and state laws, rules, and regulations can change, and state laws may vary. As such, we make no warranties or representations about this blog’s information as complete, reliable, or suitable for your specific situation. Your reliance on any information contained in this blog does not establish a professional relationship with us and any such reliance by you is at your own risk. Always consult a qualified compliance professional before making decisions that could affect your compliance obligations. If you need assistance with your compliance responsibilities, please contact us.