Both the HIPAA Security Final Rule and the HIPAA Privacy Final Rule require Covered Associates and Business Associates to have and apply sanctions against members of the workforce who violate the respective regulations. OCR auditors look for these policies and procedures and will continue to do so as enforcement amps up. What’s required and where do you stand? Have you reminded your workforce of your policy and sanctions? Learn more…
The Privacy Final Rule requirement:
45 CFR § 164.530 (e)(1) Standard: Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part. …
(2) Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity must document the sanctions that are applied, if any.
The Security Final Rule requirement:
45 CFR § 164.308(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
We have seen many and helped organizations create HIPAA Sanctions Policies to cover both Privacy and Security requirements. They can often be combined into one. Here’s a reminder / sample of what might be included in heart of the policy.
Sample HIPAA Sanction Policy Content:
DEFINITION OF OFFENSE:
Class I offenses:
(1) Accessing information that you do not need to know to do your job;
(2) Sharing your computer access codes (user name & password);
(3) Leaving your computer unattended while you are logged into a PHI program;
(4) Sharing PHI with another employee without authorization;
(5) Copying PHI without authorization;
(6) Changing PHI without authorization;
(7) Discussing confidential information in a public area or in an area where the public could overhear the conversation;
(8) Discussing confidential information with an unauthorized person; or
(9) Failure to cooperate with privacy officer.
Class II offenses:
(1) Second offense of any class I offense (does not have to be the same offense);
(2) Unauthorized use or disclosure of PHI;
(3) Using another person’s computer access codes (user name & password); or
(4) Failure to comply with a resolution team resolution or recommendation.
Class III offenses:
(1) Third offense of any class I offense (does not have to be the same offense);
(2) Second offense of any class II offense (does not have to be the same offense);
(3) Obtaining PHI under false pretenses; or
(4) Using and/or disclosing PHI for commercial advantage, personal gain or malicious harm.
Class I offenses shall include, but are not limited to:
(a) Verbal reprimand;
(b) Written reprimand in employee’s personnel file;
(c) Retraining on HIPAA Awareness;
(d) Retraining on Company’s Privacy and Security Policy and how it impacts the said employee and said employee’s department; or
(e) Retraining on the proper use of internal forms and HIPAA required forms.
Class II offenses shall include, but are not limited to:
(a) Written reprimand in employee’s personnel file;
(b) Retraining on HIPAA Awareness;
(d) Retraining on the proper use of internal forms and HIPAA required forms; or
(e) Suspension of employee (In reference to suspension period: minimum of one (1) day/ maximum of three (3) days).
Class III offenses shall include, but are not limited to:
(a) Termination of employment;
(b) Civil penalties as provided under HIPAA or other applicable Federal/State/Local law; or
(c) Criminal penalties as provided under HIPAA or other applicable Federal/State/Local law.
It is a “best practice” to have members of your workforce review your Sanction Policy at least annual and sign an acknowledgement of same.
What policies and procedures do you have in place to ensure you are compliant with these required standards and implementation specifications?
More HIPAA HITECH Resources:
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.