Both the HIPAA Security Final Rule and the HIPAA Privacy Final Rule require Covered Entities and Business Associates to have and apply sanctions against members of the workforce who violate the respective regulations.  OCR auditors look for these policies and procedures and will continue to do so as enforcement ramps up.  What is required, and where do you stand?  Have you reminded your workforce of your policy and its sanctions?


The Privacy Final Rule requirement:

45 CFR § 164.530 (e)(1) Standard: Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part. …

(2) Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity must document the sanctions that are applied, if any.

The Security Final Rule requirement:

45 CFR § 164.308(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

We have reviewed many HIPAA Sanction Policies and have helped organizations create them to cover both the Privacy and Security requirements; the two can often be combined into a single policy.  Here is a reminder, in the form of a sample, of what the core of such a policy might include.

Sample Sanction Policy Content:

DEFINITION OF OFFENSE:
Class I offenses:
(1) Accessing information that you do not need to know to do your job;
(2) Sharing your computer access codes (user name & password);
(3) Leaving your computer unattended while you are logged into a PHI program;
(4) Sharing PHI with another employee without authorization;
(5) Copying PHI without authorization;
(6) Changing PHI without authorization;
(7) Discussing confidential information in a public area or in an area where the public could overhear the conversation;
(8) Discussing confidential information with an unauthorized person; or
(9) Failure to cooperate with the privacy officer.

Class II offenses:
(1) Second offense of any class I offense (does not have to be the same offense);
(2) Unauthorized use or disclosure of PHI;
(3) Using another person’s computer access codes (user name & password); or
(4) Failure to comply with a resolution team resolution or recommendation.

Class III offenses:
(1) Third offense of any class I offense (does not have to be the same offense);
(2) Second offense of any class II offense (does not have to be the same offense);
(3) Obtaining PHI under false pretenses; or
(4) Using and/or disclosing PHI for commercial advantage, personal gain or malicious harm.

SANCTIONS:
Sanctions for Class I offenses shall include, but are not limited to:
(a) Verbal reprimand;
(b) Written reprimand in employee’s personnel file;
(c) Retraining on HIPAA Awareness;
(d) Retraining on Company’s Privacy and Security Policy and how it impacts the said employee and said employee’s department; or
(e) Retraining on the proper use of internal forms and HIPAA required forms.

Sanctions for Class II offenses shall include, but are not limited to:
(a) Written reprimand in employee’s personnel file;
(b) Retraining on HIPAA Awareness;
(c) Retraining on Company’s Privacy Policy and how it impacts the said employee and said employee’s department;
(d) Retraining on the proper use of internal forms and HIPAA required forms; or
(e) Suspension of employee (suspension period: minimum of one (1) day, maximum of three (3) days).

Sanctions for Class III offenses shall include, but are not limited to:
(a) Termination of employment;
(b) Civil penalties as provided under HIPAA or other applicable Federal/State/Local law; or
(c) Criminal penalties as provided under HIPAA or other applicable Federal/State/Local law.

It is a “best practice” to have members of your workforce review your Sanction Policy at least annually and sign an acknowledgement that they have done so.

What policies and procedures do you have in place to ensure you are compliant with these required standards and implementation specifications?

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on HIPAA Security and Privacy reminders or on HIPAA-HITECH in general, please also consider (all optional!):


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.