This entry is part 25 of 59 in the series Complete Guide to HIPAA Security Final Rule

(ii) Implementation specifications:

 (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

Tell Me More:

The Sanction Policy implementation specification requires covered entities to apply appropriate penalties against workforce members who fail to comply with the security policies and procedures of the entity.

A sanction policy addresses statements regarding disciplinary actions that are communicated to all employees, agents, and contractors.

Sanction policies and procedures must include employee, agent, and contractor notice of civil or criminal penalties for misuse or misappropriation of health information and must make employees, agents, and contractors aware that violations may result in notification to law enforcement officials and regulatory, accreditation, and licensure organizations.

The sanction policy is a required implementation specification because:

  • The statute requires covered entities to have safeguards to ensure compliance by officers and employees.
  • A negative consequence to noncompliance enhances the likelihood of compliance.
  • Sanction policies are recognized as a usual and necessary component of an adequate security program.

The type and severity of sanctions imposed, and for what causes, must be determined by each covered entity based on its security policy and the relative severity of the violation.

The final rule requires that sanctions be imposed against members of a covered entity’s and business associates’ workforce. The final rule also requires covered entities to have written policies and procedures for the application of appropriate sanctions for violations of this subpart and to document those sanctions.

Additionally, the DHHS Office of Inspector General believes that a key element of an effective corporate compliance program is the consistent enforcement of policies and procedures to prevent and detect violations of law.  An important facilitator of such enforcement is the imposition of fair and consistent disciplinary mechanisms.

Organizations should include compliance enforcement and discipline as a core theme of their Standards of Conduct, and should also elaborate on such enforcement and discipline through the development and implementation of compliance program policies and procedures.

The Security Rule is committed to the principle of technology neutrality due to the fact that rapidly changing technology makes it impractical and inappropriate to name a specific technology. Therefore, it is deemed much more appropriate for the final rule to state a general requirement for sanctioning of workforce members when necessary and depend on covered entities to specify technical details.

To be most effective, sanctions must be firm, fair and consistent.  By considering factors specific to each case (e.g., as given in this policy), organizations will promote compliance without undue apprehension by the workforce.

A complete set of HIPAA Security Policies and Procedures may be found here.


Series Navigation<< 164.312(e)(1) Technical safeguards – Standard: Transmission security164.308(a)(1)(ii)(D) Standard: Security management process – Information System Activity Review >>

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.