FAQ: Personnel Suitability Assessment
General
For an entity required to have a suitability program, during their inspection, FSAP inspectors will review the entity’s security plan, any records that the entity maintains as a part of its suitability assessment program (pre-access and ongoing), and interview entity staff. At a minimum, the inspectors will look to see that there is a formal description of the program and that all involved workers have been enrolled and adequately trained.
No, there are no specific forms required for the documentation of an entity’s suitability assessment program, although this program must be included as part of the security plan for entities that possess, use, or transfer Tier 1 select agents or toxins. An entity required to have a suitability program has the discretion to document its suitability assessment program (pre-access and ongoing) in a way that best meets its needs.
An entity required to have a suitability program may certainly use a background investigation for a national security clearance to complement its suitability assessment program. However, while such a background investigation may address the integrity and trustworthiness of an individual, it may not address other entity requirements needed to determine suitability.
It depends on the circumstance. Drug screening is not a specific requirement of the regulations. However, this does not preclude an entity from establishing a drug screening program if it determines that this measure would be an appropriate component of its personal reliability assessment program. Such a program would need to be administered in compliance with applicable local, state, and federal regulations.
It depends on the circumstance. An investigation of a person’s finances or obtaining a credit report is not a specific requirement of the regulations. However, this does not preclude an entity from establishing a personal financial review program if it determines that this measure would be an appropriate component of its personal reliability assessment program. Such a program would need to be administered in compliance with applicable local, state, and federal regulations.
Responsible Officials should look to their local or institutional legal and human resource managers to assist with setting up systems and procedures to adjudicate cases in which individuals with criminal misdemeanor records have been identified.
It depends on the circumstance. Although the select agent regulations do not specifically require the ongoing monitoring of medications or medical issues for individuals who have access to Tier 1 select agents or toxins, Section 12(d) of the regulations requires that entities administer an occupational health program for these individuals. If an entity determines that the ongoing monitoring of medications or medical issues of individuals is an appropriate component of an effective occupational health program, these measures should be implemented in compliance with all applicable local, state, and federal regulations.
The Reviewer (REV) should be an entity official whose duties include monitoring the suitability assessment program and reviewing warranted suitability actions. This person may be a security or administrative professional, legal counsel, or other person who can provide an alternate and complementary perspective on the suitability assessment program and Tier 1 select agents and toxins access decisions to the Responsible Official (RO). If resources do not permit the appointment of a separate REV, the RO may act as the REV. The REV should be able to protect and evaluate the personal information required to administer a suitability assessment program. The REV should be competent to assess personnel with respect to both pre-access and on-going suitability assessments.
If the REV is the RO, Alternate RO, or a person who owns or controls an entity or will have access to select agents and toxins, this individual must be put on the entity registration and undergo a security risk assessment.
The Certifying Official (CO) should be an entity official who certifies that personnel meet the established requirements of an entity-specific suitability assessment and monitoring program. The CO should have sufficient familiarity with all individuals having access to Tier 1 select agents and toxins, and their supervisory chain, to permit a continual evaluation of their suitability, and have the authority to engage supervisors when warranted. The CO should possess human resources expertise and experience in order to collect, evaluate, and protect personal information required in the suitability assessment program. Optimally, the CO is a person outside the individual’s supervisory chain, such as a human resource professional, occupational health physician, Employment Assistance Program (EAP) counselor, Principal Investigator (PI) not associated with the work to be performed, or other interested and qualified person. The CO notifies the RO on matters pertinent to personnel suitability directly.
If the CO will have access to select agents and toxins, the individual must be put on the entity registration and undergo a security risk assessment.
We note that the gathering and possession of personal information must be done in accordance with applicable Federal, State, and local laws. For additional guidance, please refer to the Guidance for Suitability Assessments.
First, the HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The HIPAA privacy rule applies only to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA. Second, a covered entity must disclose protected health information to individuals (or their personal representatives) specifically when they request access to their protected health information. A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule. An authorization must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party. Examples of disclosures that would require an individual’s authorization include disclosure to an employer of the results of a pre-employment physical or lab test. Information related to HIPAA can be found hereexternal icon.
Federal Select Agent Program has developed guidance for the development and implementation of pre-access suitability programs for persons who will have access to Tier 1 select agents or toxins. For additional guidance, please refer to the Guidance for Suitability Assessments. Entity pre-access suitability programs should be entity-specific and be in compliance with applicable state and local laws and regulations.
Yes, repeated failure to follow entity’s procedures may be used to determine an individual’s access to not only Tier 1 select agents and toxins but other select agents and toxins as determined by the Responsible Official. Entities should work with their Human Resources department to determine what actions are appropriate to address conduct and performance issues which impact safety and security in registered laboratories.
It is the responsibility of the entity to provide the resources for the entity to remain in compliance with the select agent regulations.
It depends upon whether or not the owner or controller would actually have access to Tier 1 select agents or toxins. Any individual, including an owner or controller (as defined in the Select Agent Regulations) who is approved to have access to Tier 1 select agents and toxins is required to be enrolled in the entity’s suitability assessment program.