OCR Stresses the Importance of a HIPAA Sanction Policy
The Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) require covered entities and their business associates to ensure that members of the workforce comply with all appropriate provisions of the HIPAA Rules. HIPAA training is required to ensure that all members of the workforce are aware of their responsibilities under HIPAA, and HIPAA-regulated entities must have a formal sanction policy that states the consequences of employees violating the HIPAA Rules.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has recently drawn attention to the importance of the sanction policy requirements of HIPAA in a recent cybersecurity newsletter, which explains that a formal sanction policy can help HIPAA-regulated entities develop a culture of HIPAA compliance and prevent employee HIPAA violations. The purpose of a sanctions policy is to explain the regulated entity’s expectations to employees and state the consequences of any HIPAA violations. In the newsletter, OCR offers several recommendations that should be considered when developing, implementing, and updating a sanction policy.
There should be a formal process for documenting and implementing the sanctions policy and the policy should be communicated clearly to all members of the workforce. Members of the workforce should be informed of the policy during the onboarding process and be required to affirmatively acknowledge that they understand that violations of the organization’s HIPAA policies and procedures may result in sanctions. The sanction policy should state the process involved, including the personnel, procedural steps, time frame, reason for sanctions, and the final outcome. There are record retention requirements in HIPAA that apply to sanctions. Both the policy and any records of applied sanctions should be retained for a period of 6 years.
HIPAA does not go as far as stipulating what sanctions should be applied, but they should be appropriate to the seriousness of the violation, should take into account any mitigating factors, and reflect whether a HIPAA violation was intentional or unintentional. For instance, unintentional HIPAA violations may warrant a verbal or written warning, whereas intentional HIPAA violations may result in termination. To aid understanding, HIPAA-regulated entities should consider providing examples of common violations and the likely sanctions that would apply.
A sanctions policy is required for HIPAA compliance, but OCR explains that the implementation and administration of the sanctions policy are just as important as the content of the policy itself. The policy should be applied fairly and consistently to all members of the workforce, including management. If the policy is applied fairly and consistently it will deter noncompliance and help the organization develop a culture of compliance. Conversely, unfair, inconsistent, and ineffective enforcement could well undermine the organization’s compliance efforts.
Sanctions policies can help to reduce HIPAA violations, but they may be ignored by some workers. It is therefore important to have policies, procedures, and technical controls in place to ensure that HIPAA violations are detected quickly to allow action to be taken and to limit the negative consequences. There have been many instances where HIPAA violations by employees have gone undetected for many months or years, such as employees accessing patient records out of curiosity or copying patient data to pass on to identity thieves for financial gain.
Regularly reviewing logs of access to protected health information to identify unauthorized access and applying the sanctions policy will help to nip the problem in the bud. The failure to identify violations quickly and take action could result in an even bigger problem – widespread noncompliance by employees and civil monetary penalties imposed by regulators.