HHS’s Office for Civil Rights (OCR) has issued a bulletin underlining the importance of maintaining and implementing an effective sanctions policy when it comes to the privacy and security of protected health information (PHI) under HIPAA Rules. Both the Privacy Rule and the Security Rule require sanctions policies for all covered entities and their business associates.
Sanctions policies address disciplinary actions taken by a covered entity when one or more workforce members violates the privacy and security policies or procedures of the organization. By imposing consequences on workforce members who violate an organization’s policies, sanctions communicate that each individual is responsible for complying with HIPAA Privacy and Security Rules and will be held accountable for failing to do so. Sanctions may be communicated to workforce members through training and onboarding. Employees may be asked to sign a Confidentiality Statement and an Acceptable Use policy to indicate their understanding.
HIPAA Rules allow covered entities to implement sanctions policies in a manner consistent with the size, structure, and nature of the organization. This leaves the specifics of a sanctions policy up to the discretion of the covered entity. While HIPAA Rules are flexible to allow for variations across different organizations, OCR recommends the following steps for creating an effective sanctions policy:
- Create a formal process for documenting sanctions and sanctions policies.
- Require workforce members to acknowledge in writing that violations will result in sanctions.
- Document the sanctions process, including the personnel involved, the procedural steps, the time period, the reason for the sanctions, and the final outcome of an investigation.
- Create sanctions that are appropriate to the nature of the violation.
- Create sanctions that vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of PHI.
- Create a range of sanctions that vary in severity from verbal warning to termination.
- Provide examples of potential violations and appropriate sanctions.
Meaningful and well-documented sanctions policies can promote HIPAA compliance throughout an organization by setting expectations and deterring misconduct. OCR also emphasized the importance of executing a sanctions policy consistently. This means considering how sanctions can be applied fairly throughout the organization, including to management and providers. Applying sanctions inconsistently or unfairly can undermine the integrity of the organization’s compliance program and be cause for citations and fines. OCR cites two investigations in which PHI was impermissibly disclosed and the covered entities either did not apply sanctions or did not document the sanctions imposed against the workforce members involved in the violation.
In a time in which malicious outside actors are targeting PHI, it is imperative that organizations responsible for PHI act with integrity and transparency when it comes to inside threats to privacy and security. Clearly communicating policies and penalizing noncompliance through sanctions will help to promote compliance in your organization.