We're doing a little cut-and-paste to help HHS get the word out and provide guidance supporting §164.308(a)(1)(ii)(C), the required "Sanction Policy". We did trim the endnotes from their original post, for readability sake, and will provide the entire newsletter in it's original format if you want a copy. Reach out if you need assistance creating a sanction policy for your team or want to see the original HHS newsletter.
Text from HHS/OCR follows.
Stay (HIPAA) safe,
I. The Functions of a Sanction Policy
Sanction policies can improve a regulated entity’s compliance with the HIPAA Rules. Imposing consequences on workforce members who violate a regulated entity’s policies or the HIPAA Rules can be effective in creating a culture of HIPAA compliance and improved cybersecurity because of the knowledge that there is “a negative consequence to noncompliance enhances the likelihood of compliance.” Training workforce members on a regulated entity’s sanction policy can also promote compliance and greater cybersecurity vigilance by informing workforce members in advance which “actions are prohibited and punishable.” A sanction policy that clearly communicates a regulated entity’s expectations should ensure that workforce members understand their individual compliance obligations and consequences of noncompliance.
II. Content: What Should a Sanction Policy Look Like?
Because HIPAA regulated entities “are so varied in terms of installed technology, size, resources, and relative risk,” the HIPAA Rules allow for a flexibility of approach to achieve compliance. This flexibility of approach also extends to sanction policies: the Privacy Rule preamble states that “we leave the details of sanction policies to the discretion of the covered entity . . . [that] will be familiar with the circumstances of the violation . . . .” Similarly, the Security Rule preamble states that regulated entities “have the flexibility to implement the standard in a manner consistent with numerous factors, including such things as, but not limited to, their size, degree of risk, and environment.”
The HIPAA Rules do not require regulated entities to impose any specific penalty for any individual violation or to implement any particular sanction methodology. Rather, in any individual case “[t]he type and severity of sanctions imposed, and for what causes, must be determined by each covered entity [or business associate] based upon its security policy and the relative severity of the violation.” Regulated entities may structure their sanction policies in the manner most suitable to their organization. Regulated entities may want to consider the following when drafting or revising their sanction policies:
1. Documenting or implementing sanction policies pursuant to a formal process.
2. Requiring workforce members to affirmatively acknowledge that a violation of the organization’s HIPAA policies or procedures may result in sanctions.
3. Documenting the sanction process, including the personnel involved, the procedural steps, the time-period, the reason for the sanction(s), and the final outcome of an investigation. NOTE: These records should be retained for at least six years.
4. Creating sanctions that are “appropriate to the nature of the violation.”
5. Creating sanctions that “vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information.”
6. Creating sanctions that “range from a warning to termination.”
7. Providing examples “of potential violations of policy and procedures.”
By making these considerations, regulated entities can craft a thoughtful and well-documented sanction policy that informs workforce members of the regulated entity’s expectations, deters misconduct, and promotes HIPAA compliance through greater understanding and transparency of the policies and procedures that protect the privacy and security of PHI.
III. Execution: Sanctioning Consistently
How a regulated entity implements its sanction policy is just as important as the policy’s content. It is important for a regulated entity to consider whether its sanction policies align with its general disciplinary policies, and how the individuals or departments involved in the sanction processes can work in concert, when appropriate. Regulated entities may also want to consider how sanction policies can be fairly and consistently applied throughout the organization, to all workforce members, including management. Indeed, sanctioning workforce members inconsistently can undermine the integrity of a regulated entity’s compliance program.
In 2017 and 2018, OCR resolved two investigations with regulated entities that potentially violated the HIPAA Rules sanctions requirements. In the first case, OCR found evidence that the regulated entity potentially “impermissibly disclosed the patient’s PHI through press releases issued to fifteen media outlets and/or reporters,” and senior leaders disclosed the patient’s PHI to advocacy groups and in a published statement on their website. OCR also found evidence that the regulated entity potentially “failed to document timely the sanctions imposed against members of its workforce who failed to comply with its privacy policies and procedures or the Privacy Rule.” In the second case, OCR found evidence of a potential violation of the sanction requirements when a workforce member allegedly disclosed PHI to a reporter, and then the regulated entity allegedly failed to apply appropriate sanctions against its Workforce Member who failed to comply with the entity's privacy policies and procedures and the Privacy Rule.”
Sanction policies offer a great opportunity for regulated entities to establish and communicate compliance obligations and expectations to their workforce members. The deterrent effect of penalizing noncompliance and misconduct paired with clear communications about the consequences of noncompliance can promote greater compliance with the HIPAA Rules through accountability, understanding, and transparency. At a time when the need for constant vigilance to protect ePHI is at an all-time high due to hacking and other threats to the privacy and security of health information, regulated entities should make sure that their policies and practices include sanction policies that hold all workforce members accountable for noncompliance with the HIPAA Rules.