Many HIPAA-covered entities and business associates struggle with developing and implementing a sanctions policy. What should it say? Is zero tolerance required? Must discipline be imposed in every case? These are examples of the frequent and thorny questions that arise when developing and implementing these policies. But they are important questions to answer, especially in light of the federal Office for Civil Rights’ (OCR) position on these policies.

The healthcare industry continues to sit at or near the top of lists of industries affected by data breaches, whether caused by cyber criminals or self-inflicted wounds. As the Office for Civil Rights has observed, these breaches take many forms – ransomware, social engineering, snooping, misdirected patient data, responses to patient complaints, tracking technologies, and more – with human error behind many of them. In its October 2023 Newsletter, the OCR points to sanctions policies as an “important tool” for supporting accountability and improving cybersecurity and data protection.

In August 2022, the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) released a threat brief. The brief explores various tactics employed by hackers to infiltrate healthcare information systems and recommends several measures to combat social engineering, including holding “every department accountable for security.” This means having and implementing sanctions policies.

HIPAA expressly requires sanctions policies. Written sanction policies are required under both the HIPAA Privacy Rule and the HIPAA Security Rule:

  • The Privacy Rule requires covered entities to “have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] or [the Breach Notification Rule].” 45 CFR 164.530(e)(1).
  • The Security Rule requires covered entities and business associates to: “[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.” 45 CFR 164.308(a)(1)(ii)(C).

The OCR notes that sanction policies can play a pivotal role in fostering a culture of HIPAA compliance and enhancing cybersecurity. The knowledge that noncompliance comes with negative consequences acts as a powerful deterrent. Educating employees about the organization’s sanction policy reinforces their understanding of compliance obligations and the repercussions of noncompliance.

Yes, but what should they say? Fortunately, the HIPAA rules and the OCR’s interpretation of those rules have consistently permitted flexibility in sanctions policies due to the diverse nature of healthcare organizations. However, while this flexibility means no specific penalties or methodologies are required, there appears to be an expectation that some sanction would be imposed in many cases involving a data breach.

The OCR reminds the healthcare community that some of its enforcement actions have been based on violations of HIPAA’s sanction policy requirement. In one case, the OCR settled with an allergy center for $125,000 and a corrective action plan. The settlement was based on allegations that a doctor improperly discussed a patient’s PHI with a reporter and that the allergy center…

“failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media”

When putting together a sanctions policy, there is no one-size-fits-all approach. Indeed, covered entities and business associates may structure their sanction policies in the manner most suitable to their organization. However, the OCR offers the following items to consider when drafting or updating the policy:

  • Documenting or implementing sanction policies through a formal process.
  • Requiring workforce members to acknowledge that policy violations may result in sanctions.
  • Documenting the sanction process in detail, including personnel involved, procedural steps, timeframes, reasons for sanctions, and investigation outcomes.
  • Tailoring sanctions to the nature and severity of the violation.
  • Adapting sanctions based on factors such as intent, severity, and patterns of improper use or disclosure.
  • Offering a range of sanctions, from warnings to termination.
  • Providing examples of potential policy violations.

By considering these elements, regulated entities can craft well-documented sanction policies that communicate expectations clearly, deter misconduct, and promote compliance. But, as noted above, it is not enough to have a sanctions policy; it must also be implemented. Implementation means, among other things:

  • Delegating the process of imposing sanctions appropriately, which may mean involving the Human Resources, Compliance, and/or Legal departments.
  • Ensuring that the sanctions policy is administered consistently.
  • Documenting the sanctions process.
  • Retaining records of the sanctions process for six years under the HIPAA retention rule.

Sanction policies are not just a compliance requirement; they are a valuable tool for healthcare organizations to establish clear compliance obligations, hold workforce members accountable, and maintain the privacy and security of PHI. In an era marked by heightened cybersecurity threats, it is essential that regulated entities prioritize sanction policies to ensure HIPAA compliance. By doing so, they can create a culture of accountability, understanding, and transparency, ultimately safeguarding sensitive health information from potential breaches and threats.


JACKSON LEWIS P.C. (“FIRM”) PROVIDES THE INFORMATION IN THIS POST FOR GENERAL INFORMATIONAL PURPOSES ONLY. THIS POST SHOULD NOT BE RELIED UPON OR REGARDED AS LEGAL ADVICE. NO ONE ACCESSING OR REVIEWING THIS POST, WHETHER OR NOT A CURRENT CLIENT OF THE FIRM, SHOULD ACT OR REFRAIN FROM ACTING ON THE BASIS OF SUCH CONTENT OR INFORMATION, WITHOUT FIRST CONSULTING WITH AND ENGAGING A QUALIFIED, LICENSED ATTORNEY, AUTHORIZED TO PRACTICE LAW IN SUCH PERSON’S PARTICULAR STATE, CONCERNING THE PARTICULAR FACTS AND CIRCUMSTANCES OF THE MATTER AT ISSUE. THE POST MAY NOT REFLECT CURRENT LEGAL DEVELOPMENTS, OR LAWS OR RULES THAT MAY APPLY IN PARTICULAR JURISDICTIONS. THE FIRM AND ITS LAWYERS EXPRESSLY DISCLAIM ALL LIABILITY IN CONNECTION WITH ACTIONS TAKEN OR NOT TAKEN BASED ON ANY OR ALL OF THE CONTENTS OR INFORMATION ACCESSIBLE THROUGH THIS SITE. ANY INFORMATION ABOUT PRIOR RESULTS ATTAINED BY THE FIRM OR ITS LAWYERS IS NOT A GUARANTEE OR WARRANTY THAT A SIMILAR OUTCOME WILL BE ACHIEVED.        
