HIPAA Workforce Sanctions

Sanctions, also known as penalties or disciplinary actions, are a common requirement when implementing regulatory requirements. The HIPAA Rules specifically state that a Covered Entity (e.g., a medical or dental practice) must implement policies to prevent, detect, contain, and correct privacy and security violations, and must apply appropriate sanctions against members of its workforce who fail to comply with those policies and procedures.

The HIPAA definition of workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

A recent Eagle Associates News page article, Preventing HIPAA Violations, referenced a practice that was fined $125,000 for unauthorized disclosures of PHI. Another reason for the civil monetary penalty was that the practice did not sanction the provider who made the disclosures. This draws attention to the fact that no member of the practice’s workforce is exempt from sanctions when they are involved in a HIPAA-related violation.

Sanction Policy and Types

Covered entities must maintain a written policy establishing a set of disciplinary actions that may be imposed when a workforce member violates its Privacy or Security policies. The policy should explain that sanctions will be applied equally to any workforce member who is at fault, regardless of title or length of employment (including management and officers). The policy should further outline that the actual sanction imposed for a given violation will be based on the risk to the patient’s PHI, repeat offenses, intent, and actual impact on PHI. The authority for imposing sanctions lies with the practice’s Privacy Manager, Security Officer, and management personnel. Having multiple persons involved ensures an appropriate review of the circumstances and determination of the appropriate sanction to be imposed.

Workforce members must be given notice of the possible sanctions for violations. This can be easily communicated in a confidentiality agreement that outlines the workforce member’s responsibilities and the consequences of failing to comply with practice policies.

HIPAA Sanction Examples

The Security Officer, Privacy Manager and/or Compliance Committee should impose the sanction(s) that they determine to be appropriate, considering the severity of the incident, the intent of the workforce member, and the number of prior incidents in which the individual has been involved. The following are examples of possible sanctions that may be imposed:

  • A verbal reprimand should be imposed for incidents that are deemed to be minor, and for the first occurrence of an incident by an individual.
  • A written reprimand should be imposed for incidents that repeat a prior incident, or for a different incident that involves the same individual.
  • A staff member may be temporarily suspended from work to prevent him/her from accessing protected health information, for a length of time to be determined by the Security Officer or Privacy Manager. The length of the suspension will depend on the type and severity of the incident and/or the repetition of offenses by the individual.
  • A staff member may be terminated from the practice for a malicious or other serious failure to follow the HIPAA policies and procedures implemented by the practice.

The written policy and sample sanctions should enable a practice to determine an appropriate sanction for the incident being addressed. Again, sanctions need to be applied to all workforce members who violate HIPAA policies and procedures. Perhaps the most difficult sanctions are those that need to be applied to providers and management personnel. Because of the sensitivity of, and possible resistance to, sanctions for providers and management personnel, it is recommended to have a discussion with compliance officers and management before violations occur.

Recommended Actions for Sanctions Compliance

  1. Ensure that your practice has written sanction policies. Practices with Eagle’s HIPAA policy manuals should review Sections 1.14 and 1.14a and either:
    1. Implement those policies; or
    2. Implement existing HR or other practice policies intended to address HIPAA violations.
  2. Ensure that workforce members are aware of the possible sanctions for HIPAA violations. We recommend using a confidentiality agreement (Form 7.10 from the Eagle Associates HIPAA policy manual) for all workforce members to inform them of sanctions and possible actions.
  3. Ensure that sanctions are imposed and documented in the workforce member’s personnel file.
  4. Provide workforce member training on the Privacy, Security, and Breach Notification Rule requirements. Using Eagle Associates’ Compliance Training modules for HIPAA (appearing in the April, May, and June issues of the Advisor) will document that the practice has met the requirements for training and awareness.