Tip: Make employee training match duties. Stopping a data breach incident and retrieving the compromised records is just the start of mitigation requirements under the Health Insurance Portability and Accountability Act (HIPAA). The law also requires you to levy sanctions on staffers who cause inappropriate protected health information (PHI) disclosures under HIPAA. Background: According to the Health and Human Services (HHS) Office for Civil Rights (OCR), “Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failures to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident,” the agency explains in the October 2023 edition of the Cybersecurity Newsletter. Don’t miss: Sanction policy is a requirement under both the HIPAA Privacy and Security Rules. Cultivating an environment where employees understand their responsibilities to keep PHI secure while also feeling safe to report suspicious activity is critical to a successful HIPAA compliance plan. Read on for advice on developing a sanction policy for your organization.
Immediately Educate Staff on the Sanction Policy Workers need to know upfront and preferably during training about what they’ll face for HIPAA-related infractions. Onboarding materials should include an overview of the sanction policy. “Everyone who is going to be interacting with PHI should be trained upon hiring,” says attorney Shannon Hartsfield, an executive partner with Holland & Knight LLP in Tallahassee, Florida. “The training should be tailored to their particular job responsibilities, and the training should include references to the sanctions policy.” Reminder: OCR allows practices free rein to design and implement their training programs and sanction policy; however, many practices don’t have qualified staff to compile the HIPAA training resources nor the funds. One positive is that “HIPAA is flexible and scalable,” Hartsfield says. “A good place to start would be with existing human resources policies.” Allocate Fair Sanctions for the Level of Violation Setting up a sanction policy can be a tricky business. If the plan is too stringent, employees will be less likely to report incidents for fear of censure or job loss. However, if the consequences are too lenient, staff may not respect the rules with the loss of PHI or ePHI inevitable. As you design your policies, ensure that the penalty fits the violation. “HIPAA requires ‘appropriate sanctions,’” explains Hartsfield. “Generally, it may not be appropriate to immediately jump to employment termination if someone makes an innocent mistake. If every little HIPAA misstep, no matter how unintentional, results in someone losing their job, no one is going to report problems that could otherwise be resolved or not allowed to fester.” Do this: “A sliding scale can be a reasonable way to approach violations,” Hartsfield recommends. “Depending on the nature of the improper use or disclosure of PHI or other compliance failure, a lesser sanction for a first offense could be appropriate. Consequences could escalate from there.” Compliance: Open lines of communication and equitable policies elevate compliance, too, says HIPAA expert Jim Sheldon-Dean, founder, and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Establishing trust and showing that the organization treats security issues fairly are key to organizational success with sanctions. Where there is found to be an intentional violation, disciplinary action is a learning moment for other staff, and where there is an accidental violation, it’s a learning moment for the organization,” Sheldon-Dean asserts. “What can we do better to keep this from happening again? Make issues a positive, and praise those who find them, as well as fix them,” he says. Re-educate: Additional training should be a part of the sanction policy. “Sometimes documented counseling is an appropriate sanction,” Hartsfield expounds. “A sanction could involve re-training the people involved, or even looking at whether an entire department should be retrained to make sure that potentially systemic problems don’t continue.”
Sheldon-Dean agrees. “If it’s accidental but the employee should have known, the incident needs examination as to the cause of the issue.” He suggests asking, “Is there a training deficiency? Do systems or processes encourage such mistakes? How widespread a problem is this?” However, punitive action “may be appropriate if an employee has already been warned about an accidental issue and nobody else is having the same problem,” Sheldon-Dean maintains. Factor Remote Work Into Your Sanction Plan, Too The combination of remote work, the use of personal devices, and decreased information technology (IT) budgets make it harder to regulate data security — and that makes implementing a sanction policy more complicated. Risk assessment and analysis are critical components of compliance planning as required under the HIPAA rules and can help you address the intersection of remote work and sanction policymaking. “Covered entities (CEs) should document the risks relating to remote work and how those will be mitigated,” Hartsfield says. Then they should implement systems and processes to require secure connections when remote workers access PHI. CEs should also audit and monitor remote workers for compliance. Tip: Employing security safeguards like multi-factor authentication from the start can thwart potential security issues both in the office and for remote workers, Sheldon-Dean says. “This makes access more consistent across the organization for all roles and simplifies a lot of IT headaches. If there are still policy violations, see if access can be tightened, and use the incident as a training moment,” he advises. Resource: Find the OCR Cybersecurity Newsletter at www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2023/index.html.