Health Information Compliance Alert

HIPAA Sanctions:

8 QUESTIONS TO ASK WHEN DRAFTING HIPAA SANCTION POLICIES

Privacy and compliance officers everywhere are making lists of what constitutes a violation of the privacy rule within their organizations, and though the rules haven't yet been finalized, there are some questions you should ask yourself when drafting your own list of privacy rule sanction policies.

The Health Insurance Portability and Accountability Act privacy requirements mandate that all covered entities "develop and apply when appropriate sanctions for failure to comply with policies or procedures of the covered entity" or with the requirements of the NPRM. Anyone who has regular contact with protected health information is subject to sanctions, as well as the covered entity's business partners.

The notice mandates that covered entities develop and impose sanctions "appropriate to the nature of the issue." Types of sanctions that may be applied would vary according to factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicates a "pattern or practice of improper use or disclosure" of PHI.

While HIPAA will certainly undergo a meta-morphosis in the coming months as the rules trudge ever closer to finalization, the language in the rule lends flexibility to those whose duty it is to create a list of sanctions. In the rule, the Department of Health and Human Services noted it had considered specifying particular sanctions for specific violations of privacy policy but had abandoned that approach because "we cannot anticipate every kind of privacy policy issue in advance, [and] we cannot predict the response that would be appropriate" for each violation.

Though this tabula rasa upon which privacy officers may draw up the rules seems somewhat misguided when penalties for failure to comply could mean termination of employment, Bill Sarraille, an attorney with Arent Fox Kintner Plotkin & Kahn says there are several important questions privacy officers should ask themselves when drumming up ideas for potential sanctions:

  • How egregious is the violation itself? One man's misdemeanor is another's blatant transgression. Come up with a system that indicates the severity of any given violation.

  • How intentional or unintentional was the violation? Answering this question is naturally subjective, but privacy officers should be able to gauge the level of intent, says Sarraille.

  • How great was the harm?


  • How fixable is the harm?

  • Has the person in violation of the rules taken responsibility for his or her actions? Also, has the person cooperated in the investigation and in ameliorating the problem, to the extent that the problem could be fixed?

  • How clearly was the person who made the violation put on notice about the issue?; and


  • Is the proposed sanction consistent with what you've done in other circumstances?

    Sarraille tells Eli there are a host of other considerations that must be made in order to remain vigilant and yet equitable with employees who violate HIPAA. He believes the facts and circumstances of the infraction will dictate the level of punishment.

    But since there's a level of subjectivity involved in the process, Sarraille says the last question noted above is crucial for privacy officers to ask themselves, since it's easy to let people's standing in the organization or their economic importance to the company affect one's objective assessment. Doing that would undermine the credibility of what you've done by way of discipline, he warns: "If there's one standard for the higher-ups and another for the lower-down-the-line folks, that immediately reads to the organization as a whole, and the entire compliance process is dismissed cynically."

    And as far as who should be creating the list of sanctions, Sarraille believes in a group effort consisting of a privacy officer and human resources officials, and adds that a privacy committee, if one exists in your institution, should review the proposals before they're put in print. Also, if you have the cash, it can never hurt to hire compliance counsel, whenever possible.

  • Other Articles in this issue of

    Health Information Compliance Alert

    View All