Question: I’m hiring a financial coordinator for the first time. Since this role will be dealing with money day in and day out, I would like to run a background check that checks for any financial red flags, like debt or bankruptcy. Is this legal?
The legal side: You can, and should, run background checks for every person you hire. The information from that background check that you use to make your hiring decisions is where things get trickier.
Over the past decade, laws restricting what information employers can use from background checks have become increasingly common. In most cases, these laws focus on restricting employers’ ability to consider certain aspects of applicants’ criminal history. But now, some have expanded to include financial information such as credit reports, debt, and bankruptcy.
Depending on where you’re located, you may not be able to use certain financial information from a background check, even for a role that handles money. A few states and cities have passed laws that limit or outright prohibit the use of credit history in employment decisions. For example, New York recently enacted one of the strictest laws in the country, largely banning employers from accessing consumer credit history unless the position meets very narrow, defined exceptions.
Even in states that allow it, you typically need to show that the credit check is directly related to the job and follow strict notice and authorization requirements.
All of this to say, while a financial role gives you a stronger argument for running a credit check, you still need to confirm that state and city laws allow it and that you meet all notice and justification requirements before moving forward.
The human side: Your instinct is completely understandable. When someone is handling money, you want to minimize risk. But you should also consider that financial challenges can happen for many reasons, such as medical issues, family emergencies, or economic downturns.
Those situations do not necessarily reflect someone’s honesty or reliability at work. If you rely too heavily on credit data, you may pass on strong candidates who would otherwise be a great fit. Remember that a “score” does not tell the full story and that credit reporting agencies report out billions of incorrect or outdated data points when answering credit checks.
A more practical approach is to treat credit checks as just one piece of the evaluation. Focus on relevant experience, references, and how the candidate has handled responsibility in past roles. Those factors often give you a clearer picture of trustworthiness.
Background checks are essential, and not something employers should ever try to DIY. Using a trusted background check company that understands relevant state laws is one of the best ways to ensure you’re in compliance. Even when you rely on a third party, always make sure that you understand the rules that apply to you.
CEDR’s trusted background check partner is National Crime Search. The best part? NCS is integrated directly into our software backstageHR, making it easy for CEDR members to access.
Question: I’d like all of my staff to be CPR certified. If I schedule training during the workday, do I have to cover the cost of the training itself?
The legal side: We get this question a lot, especially in healthcare settings where CPR certification is often required. The answer depends on who the requirement is tied to.
If CPR certification is required for the practice by state law or regulation, employees must complete the training as a condition of their employment. In that case, you are responsible for covering both the cost of the training and paying employees for their time spent attending.
If the requirement is tied to the individual’s license, it’s typically treated like any other continuing education requirement. That means the employee is responsible for obtaining and maintaining the certification on their own, including the associated costs and time.
However, if you choose the course, schedule it, host it in your office, or direct employees to attend a specific training, it becomes employer-directed. At that point, the Department of Labor considers it work time, and you are responsible for both the cost of the course and for paying employees for their time, regardless of their license requirements.
The human side: From a practical standpoint, many employers choose to cover CPR training, even when it might not be strictly required. It’s a nice benefit for employees that removes the burden of coordinating it on their own. It also gives you full control over timing and quality, keeping everyone on the same page.
The bottom line: the more involved you are in organizing the training, the more it becomes your obligation to pay for it.
Question: I’ve recently realized there is a lot more texting between employees and patients than I thought. I understand that it’s convenient, but I feel like I need to put some rules in place for texting from their personal phones, or even prohibit it altogether. What is the best policy to put in place?
The legal side: Texting patients from a personal device should be pretty much prohibited at all times. The reasons are many, but the primary one is that you, as the owner, are responsible for all violations of PHI, and you have absolutely zero control over personal devices, other than to prohibit their use for work-associated communications with patients.
When employees use personal phones, patient information ends up stored on personal devices. That can include names, phone numbers, appointment details, treatment discussions, billing questions, screenshots, or even message previews. Once that information is on a personal device, the practice loses control. If the employee leaves, loses their phone, or syncs it to a personal cloud account, that information may no longer be secure or retrievable.
This significantly increases the chances of a HIPAA violation. If protected health information is exposed, penalties can apply per violation, not just per incident. Regulators look for whether the practice had reasonable safeguards in place and whether it corrected known risks. Allowing ongoing patient communication through personal devices without controls can be seen as a failure to safeguard information.
There is also a documentation issue. If a patient says, “I texted the office,” but that conversation lives on an employee’s personal phone, the practice may not have access to the full record. That becomes a problem in disputes, audits, or patient complaints.
The safest approach is to require that all patient communication go through practice-approved systems. These systems should be secure, documented, and, if a third party is involved, supported by a Business Associate Agreement. CEDR members can reach out to the Solution Center for a sample agreement.
You should have a clear policy that states that employees may not use personal phones, personal email, messaging apps, or social media to communicate with patients about appointments, treatment, billing, or any patient-specific matter. If a patient reaches out to an employee directly, the employee should redirect them to the official communication channel.
The human side: From an employee’s perspective, texting the patient directly often feels like customer service. It’s quick, easy, and feels personal. But your instinct is right. This is one of those situations where things may start informally but grow into something bigger before anyone realizes it.
We recommend that you implement a policy prohibiting texting with patients from personal devices and replace it with a great integrated texting system that also protects PHI.
When someone asks, “So I can’t reply to my mom or best friend when they say they are running late?” the answer is that of course you can, but that is the limit. Please steer further conversations to a phone call or to your new texting platform.
Friendly Disclaimer: This information is general in nature and is not intended to provide legal advice or replace individual guidance about a specific issue with an attorney or HR expert. The information on this page is general human resources guidance based on applicable local, state, and/or federal U.S. employment law that is believed to be current as of the date of publication. Note that CEDR is not a law firm, and as the law is always changing, you should consult with a qualified attorney or HR expert who is familiar with all of the facts of your situation before making a decision about any human resources or employment law matter.
A Blog Written by CEDR, written by HR Experts to help you run your practice.