The Office for Civil Rights (OCR) recently offered covered entities and business associates (Regulated Entities) not-so-subtle reminders in its October 2023 Cybersecurity Newsletter that effective sanction policies can encourage HIPAA compliance.
Regulated Entities are required by HIPAA to implement sanction policies in which they impose “appropriate sanctions” against their respective workforce members who fail to comply with the Privacy Rule or Security Rule, the Regulated Entity’s privacy policies and procedures, and/or the Regulated Entity’s security policies and procedures, as applicable. These sanction policies are important administrative safeguards meant to ensure there are objective, documented consequences for HIPAA non-compliance among workforce members. The recent proliferation of social engineering attacks and increasingly sophisticated nature of external cybersecurity threats in health care underscore the importance of Regulated Entities consistently reviewing and applying sanction policies.
Since the Privacy Rule and Security Rule permit Regulated Entities a certain amount of flexibility as to the content of their sanction policies, including penalties and severity of sanctions imposed, OCR included in the Cybersecurity Newsletter the following considerations for Regulated Entities for drafting or revising their sanction policies:
Documenting or implementing sanction policies pursuant to a formal process – Regulated Entities should have separate written policies and procedures explaining how their sanction policies will be enforced.
Documenting the sanction process, including the personnel involved, the procedural steps, the time-period, the reason for the sanction(s), and the final outcome of an investigation – As part of their HIPAA Audit Protocol, Regulated Entities will want to review the personnel involved in the sanction process; the required steps and time period (including notification); reasons for the sanction; identification of the sanctions applied to compliance failures; and documentation of the sanction outcome. OCR also recommended that these records should be retained for at least six years.
Creating sanctions that are (i) appropriate to the nature of the violation; (ii) vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information; and (iii) range from a warning to termination – The Privacy Rule requires Regulated Entities, as applicable, to use a flexible approach to sanctions in which they account for the specific details and severity of the violation.
Providing examples “of potential violations of policy and procedures” – To ensure transparency, Regulated Entities should consider including actual examples of potential workforce member violations of the entity’s HIPAA policy and procedures.
OCR noted in the Cybersecurity Newsletter that it has enforced Regulated Entities’ sanctions requirements in the past, including through settlements with a Texas health system in 2017 and with an allergy practice in 2018, each resolving allegations that the entity violated the Privacy Rule’s requirement to impose appropriate sanctions on workforce members who failed to comply with the Privacy Rule and the organization’s own policies and procedures.
As is often communicated by OCR, HIPAA policies and procedures are only as effective as the manner in which entities apply them to their organizations. Regulated Entities should regularly review their sanction policies and organizational policies and procedures to assess whether they have implemented and enforced such policies fairly and consistently throughout the organization, to all workforce members, including management.