Many HIPAA covered entities and business associates struggle with developing and implementing a sanctions policy. What should it say, is zero-tolerance required, do we have to impose discipline in every case, etc. These are examples of frequent and thorny questions that arise in connection with the development and implementation of these policies. But they are important questions to answer, especially considering the federal Office for Civil Rights (OCR) position concerning these policies.

The healthcare industry continues to sit at or near the top of lists of industries affected by data breaches, whether caused by cyber criminals or self-inflicted wounds. These data breaches can take many forms – ransomware, social engineering, snooping, misdirected patient data, responding to patient complaints, tracking technologies, etc. as observed by the Office for Civil Rights – with human error behind many of them. In its October 2023 Newsletter, the OCR points to sanctions policies as an “important tool” for supporting accountability and improving cybersecurity and data protection.

In August 2022, the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) released a threat brief. The brief explores various tactics employed by hackers to infiltrate healthcare information systems and recommended several measures to combat social engineering, including holding “every department accountable for security.” This means having and implementing sanctions policies.

HIPAA expressly requires sanctions policies. Written sanction policies are required under both the HIPAA Privacy and Security Rules:

• The Privacy Rule requires covered entities to “have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] or [the Breach Notification Rule].” 45 CFR 164.530(e)(1).
• The Security Rule requires covered entities and business associates to: “[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.” 45 CFR 164.308(a)(1)(ii)(C).

The OCR notes that sanction policies can play a pivotal role in fostering a culture of HIPAA compliance and enhancing cybersecurity. The knowledge that noncompliance comes with negative consequences acts as a powerful deterrent. Educating employees about the organization’s sanction policy reinforces their understanding of compliance obligations and the repercussions of noncompliance.

Yes, but what should they say? Fortunately, the HIPAA rules and the OCR’s interpretation of those rules have consistently permitted flexibility in sanctions policies due to the diverse nature of healthcare organizations. However, while this flexibility means no specific penalties or methodologies are required, there appears to be an expectation that some sanction would be imposed in many cases involving a data breach.

The OCR reminds the healthcare community that some of its enforcement actions have been based on violations of HIPAA’s sanction policy requirement. In one case, the OCR settled with an allergy center for $125,000 and a corrective action plan. The settlement was based on allegations that a doctor improperly discussed a patient’s PHI with a reporter, and that the allergy center…

“failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media”

When putting together a sanctions policy, there is no one-size-fits-all approach. Indeed, covered entities and business associates may structure their sanction policies in the manner most suitable to their organization. However, the OCR offers the following items to consider when drafting or updating the policy:

• Documenting or implementing sanction policies through a formal process.
• Requiring workforce members to acknowledge that policy violations may result in sanctions.
• Detailed documentation of the sanction process, including personnel involved, procedural steps, timeframes, reasons for sanctions, and investigation outcomes.
• Tailoring sanctions to the nature and severity of the violation.
• Adapting sanctions based on factors such as intent, severity, and patterns of improper use or disclosure.
• Offering a range of sanctions, from warnings to termination.
• Providing examples of potential policy violations.

By considering these elements, regulated entities can craft well-documented sanction policies that communicate expectations clearly, deter misconduct, and promote compliance. But, as noted above, it is not enough to have a sanctions policy, it must be implemented. Implementation means, among other things:

• Delegating the process of imposing sanction appropriately, which may mean involving the Human Resources, Compliance, and/or the Legal departments.
• Ensuring that the sanctions policy is administered consistently.
• Documenting the sanctions process.
• Retaining records of the sanctions process for six years under the HIPAA retention rule.

Sanction policies are not just a compliance requirement; they are a valuable tool for healthcare organizations to establish clear compliance obligations, hold workforce members accountable, and maintain the privacy and security of PHI. In an era marked by heightened cybersecurity threats, it is essential that regulated entities prioritize sanction policies to ensure HIPAA compliance. By doing so, they can create a culture of accountability, understanding, and transparency, ultimately safeguarding sensitive health information from potential breaches and threats.