OCR Reminds HealthCare Orgs of Importance of a Sanctions Policy
In its October 2023 cybersecurity newsletter, the HHS’ Office for Civil Rights reminds HIPAA-regulated entities of the importance of sanctions policies. Sanctions policies help covered entities develop a culture of compliance, improve cybersecurity vigilance, and prevent common HIPAA violations.
A Sanctions Policy is Required for HIPAA Privacy and Security Rule Compliance
HIPAA-covered entities and business associates must ensure that their workforce members receive HIPAA training and are aware of their responsibilities with respect to HIPAA compliance. Workforce members must be trained on HIPAA policies and the importance of ensuring the privacy and security of protected health information. The training that is provided should be relevant to the roles and responsibilities of each employee.
The HIPAA Privacy and Security Rules also require covered entities and their business associates to have a sanctions policy. The HIPAA Privacy Rule requires covered entities to “have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] or [the Breach Notification Rule],” and the HIPAA Security Rule requires covered entities and business associates to “[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.”
Consequences of HIPAA Violations
The sanctions policy should explain the potential consequences if members of the workforce are found to have violated the HIPAA Rules or the organization’s internal policies. Neither the HIPAA Privacy Rule nor the HIPAA Security Rule specifies the sanctions to be imposed on individuals who are found to have violated the HIPAA Rules; this is left to the discretion of each regulated entity. Each regulated entity should determine the type and severity of sanctions based on its privacy and security policies, and the sanctions should be proportionate to the severity of the violation. Sanctions may include verbal or written warnings for relatively minor violations and termination for serious violations. Employees should also be made aware that certain HIPAA violations may result in criminal charges.
When members of the workforce are aware of the negative consequences of policy and HIPAA violations, they are more likely to comply with internal policies and procedures. While a sanctions policy can act as a deterrent, it is vital that the policy is rigorously and consistently enforced. OCR explains that how the sanctions policy is implemented is just as important as the content of the policy itself.
“Sanction policies offer a great opportunity for regulated entities to establish and communicate compliance obligations and expectations to their workforce members. The deterrent effect of penalizing noncompliance and misconduct paired with clear communications about the consequences of noncompliance can promote greater compliance with the HIPAA Rules through accountability, understanding, and transparency,” explained OCR in its cybersecurity newsletter. “At a time when the need for constant vigilance to protect ePHI is at an all-time high due to hacking and other threats to the privacy and security of health information, regulated entities should make sure that their policies and practices include sanction policies that hold all workforce members accountable for noncompliance with the HIPAA Rules.”