HIPAA Security Reminder – Sanction Policy

Both the HIPAA Security Final Rule and the HIPAA Privacy Final Rule require Covered Entities and Business Associates to have and apply sanctions against members of the workforce who violate the respective regulations. OCR auditors look for these policies and procedures and will continue to do so as enforcement ramps up. What is required, and where do you stand? Have you reminded your workforce of your policy and sanctions?

The Privacy Final Rule requirement:

45 CFR § 164.530 (e)(1) Standard: Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part. …

(2) Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity must document the sanctions that are applied, if any.

The Security Final Rule requirement:

45 CFR § 164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

We have seen many HIPAA Sanction Policies and have helped organizations create them to cover both the Privacy and Security requirements. The two can often be combined into one policy. Here is a reminder, in the form of a sample, of what might be included in the heart of the policy.

Sample HIPAA Sanction Policy Content:

DEFINITION OF OFFENSE:
Class I offenses:
(1) Accessing information that you do not need to know to do your job;
(2) Sharing your computer access codes (user name & password);
(3) Leaving your computer unattended while you are logged into a PHI program;
(4) Sharing PHI with another employee without authorization;
(5) Copying PHI without authorization;
(6) Changing PHI without authorization;
(7) Discussing confidential information in a public area or in an area where the public could overhear the conversation;
(8) Discussing confidential information with an unauthorized person; or
(9) Failure to cooperate with privacy officer.

Class II offenses:
(1) Second offense of any class I offense (does not have to be the same offense);
(2) Unauthorized use or disclosure of PHI;
(3) Using another person’s computer access codes (user name & password); or
(4) Failure to comply with a resolution team resolution or recommendation.

Class III offenses:
(1) Third offense of any class I offense (does not have to be the same offense);
(2) Second offense of any class II offense (does not have to be the same offense);
(3) Obtaining PHI under false pretenses; or
(4) Using and/or disclosing PHI for commercial advantage, personal gain or malicious harm.

HIPAA SANCTIONS:
Class I offenses shall include, but are not limited to:
(a) Verbal reprimand;
(b) Written reprimand in employee’s personnel file;
(c) Retraining on HIPAA Awareness;
(d) Retraining on Company’s Privacy and Security Policy and how it impacts the said employee and said employee’s department; or
(e) Retraining on the proper use of internal forms and HIPAA required forms.

Class II offenses shall include, but are not limited to:
(a) Written reprimand in employee’s personnel file;
(b) Retraining on HIPAA Awareness;
(c) Retraining on Company’s Privacy and Security Policy and how it impacts the said employee and said employee’s department;
(d) Retraining on the proper use of internal forms and HIPAA required forms; or
(e) Suspension of employee (suspension period: minimum of one (1) day, maximum of three (3) days).

Class III offenses shall include, but are not limited to:
(a) Termination of employment;
(b) Civil penalties as provided under HIPAA or other applicable Federal/State/Local law; or
(c) Criminal penalties as provided under HIPAA or other applicable Federal/State/Local law.

It is a “best practice” to have members of your workforce review your Sanction Policy at least annually and sign an acknowledgement that they have done so.

What policies and procedures do you have in place to ensure you are compliant with these required standards and implementation specifications?

Contact us for more information or to consider one of our educational events to learn more about HIPAA sanctions and other regulatory compliance issues.

Clearwater

Clearwater helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI).

We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.