Tip: Ensure employees receive training commensurate with their duties.

Data breaches are serious. When one occurs, an organization’s mitigation duty isn’t limited to retrieving the records and stopping the incident. You’ll also need to rely on a sanction policy. Your mitigation efforts must extend to the sanctions you levy on staffers who cause inappropriate protected health information (PHI) disclosures under HIPAA, regardless of their intent. Read on for advice on developing a sanction policy for your organization.
Check Out This Sanction Definition

According to the HHS Office for Civil Rights (OCR), a sanction policy is “an important tool for supporting accountability and improving cybersecurity and data protection,” the agency maintains in the October 2023 OCR Cybersecurity Newsletter. “Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failures to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident,” OCR advises.

Not only is a sanction policy a useful device that lets employees know from the get-go that there will be consequences for noncompliance, but it’s also a requirement under both the HIPAA Privacy and Security Rules.

Assign Fair and Reasonable Sanctions

Setting up a sanction policy can be a tricky business. If the plan is too stringent, employees will be less likely to report incidents for fear of censure or job loss. However, if the consequences are too lenient, staff may not respect the rules, and the loss of PHI or ePHI becomes inevitable. As you design your policies, ensure that the penalty fits the violation.

“HIPAA requires ‘appropriate sanctions,’” explains attorney Shannon Hartsfield, an executive partner with Holland & Knight LLP in Tallahassee, Florida. “Generally, it may not be appropriate to immediately jump to employment termination if someone makes an innocent mistake. If every little HIPAA misstep, no matter how unintentional, results in someone losing their job, no one is going to report problems that could otherwise be resolved or not allowed to fester.”

An overly punitive sanction policy may discourage staff from coming forward when accidents happen, especially if management isn’t held to the same standards. And when that happens, privacy and security may be impacted.
Open lines of communication and equitable policies elevate compliance, too, says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Establishing trust and showing that the organization treats security issues fairly are key to organizational success with sanctions. Where there is found to be an intentional violation, disciplinary action is a learning moment for other staff, and where there is an accidental violation, it’s a learning moment for the organization,” Sheldon-Dean asserts. “What can we do better to keep this from happening again? Make issues a positive, and praise those who find them, as well as fix them,” he proposes.

Consider this: That’s why dedicating time and money to creating the training materials and educating staff on the HIPAA rules is important; subpar training may lead to compliance failures — and sanctions. Hartsfield adds that additional education should be a part of the sanction policy, too. “Sometimes documented counseling is an appropriate sanction,” Hartsfield expounds. “A sanction could involve retraining the people involved, or even looking at whether an entire department should be retrained to make sure that potentially systemic problems don’t continue.”
Not all HIPAA violations are the same; therefore, the how, what, where, and why of PHI/ePHI loss should factor into the sanction decision-making process. “A sliding scale can be a reasonable way to approach violations,” Hartsfield recommends. “Depending on the nature of the improper use or disclosure of PHI or other compliance failure, a lesser sanction for a first offense could be appropriate. Consequences could escalate from there.” That’s why “every ‘accidental’ issue needs a careful evaluation to see what can be done within policies, procedures, and systems to encourage the correct behavior in the future,” Sheldon-Dean says.

Make Staff Education on Sanction Policy a Priority

Workers need to know up front, preferably during training, what they’ll face for HIPAA-related infractions. Onboarding materials should include an overview of the sanction policy. “Everyone who is going to be interacting with PHI should be trained upon hiring,” Hartsfield says. “The training should be tailored to their particular job responsibilities, and the training should include references to the sanctions policy.”