Home Health & Hospice Week

HIPAA:

Make Patient Privacy A Priority

5 tips for creating and maintaining an effective HIPAA sanctions policy.

Whether it's the penalty box, the pillory or the paddy wagon, every system of rules and regulations requires its own set of punitive measures -- and HIPAA is certainly no exception.

According to both the privacy and security rules under the Health Insurance Portability and Accountability Act, employers must "apply appropriate sanctions" against any workforce members who fail to follow privacy or security policies.

Of course, this doesn't mean the Centers for Medicare & Medicaid Services or the HHS Office for Civil Rights is forcing you to fire anyone who violates HIPAA in the slightest, says attorney Nancy Armatas with the Chicago firm of Popovits & Robinson. But you do need to have a disciplinary policy in place that lets employees know that HIPAA violations are serious business, she explains.

While HIPAA requires all covered entities to maintain a sanctions policy, the reg doesn't prescribe how such a policy should be fashioned or enforced. For advice on establishing an effective sanctions policy in your home care organization, check out five tips from these HIPAA experts:

1. Don't reinvent the wheel. Traditionally, disciplinary policies have been the domain of HR departments, explains Margret Amatayakul, president of Schaumburg, IL-based MargretA Consulting. Consequently, HIPAA privacy or security officers should definitely check first with their HR departments or coordinators to determine what types of sanctions may already be in place to address privacy violations, she recommends.

"My advice is to piggyback onto your existing HR sanction policy and process. You don't have to reinvent the wheel," says Suzy Buckovich, a managing consultant with IBM Business Consulting Services in Bethesda, MD.

2. Take a tiered approach. Any type of sanctions policy that addresses behaviors relevant to HIPAA should be set up as a "progressive" or "tiered" policy, advises Gwen Hughes, a consultant with Chicago-based Care Communications. This means your sanctions policy should establish varied levels of punishment, ranging from verbal warnings to further training to termination.

When creating this progressive disciplinary system, it's vital to supply examples of the types of behaviors that would be deemed inappropriate under your HIPAA privacy and security policies, adds Amatayakul.

The intent is not to create a complete list of all behaviors that would be considered infractions under HIPAA, but to provide employees with a range of several specific actions that would merit specific sanctions, she says.

3. Educate your staff. A sanctions policy can't be effective unless your employees are aware that the sanctions exist. Therefore, use your HIPAA training or general orientation sessions to make sure your workforce knows that privacy and security violations carry very real penalties.

This doesn't mean you have to recite your sanctions policy to employees verbatim or overload them with more HIPAA information. In HIPAA training sessions she's conducted, Armatas informs employees that a "violation of any HIPAA policy is considered something that could subject them to disciplinary action, up to and including termination." Staffers who want more information can refer to their HR manuals, but at the very least, they've been notified that you take HIPAA violations very seriously, she states.

4. Coordinate your process. Before reprimanding someone for a HIPAA violation, you'll need to know all the facts surrounding a suspected infraction. This means your procedures for meting out sanctions should be closely tied to your other HIPAA procedures and processes.

Additionally, keep in mind that "you can't sanction whistleblowers and you can't retaliate against somebody for filing a complaint," reports Armatas. "Although these may be rare situations, you do have to be careful that before you discipline someone, you know whether they have brought any sort of complaint or whether they have any complaints they could bring against the organization," she says.

5. Watch for trends and reexamine policies. One of the most significant aspects of a sanctions policy is that it enables you to gauge how well employees understand their duties under HIPAA.

Since you're required to document all applied sanctions, the types of sanctions you impose (and the frequency with which you levy such sanctions) should give you an idea of how you might improve HIPAA compliance, suggests Hughes. Finally, reexamine your sanctions policies and definitions as time goes on, urges Armatas.

Editor's Note: For more HIPAA information, see Eli's Health Information Compliance Alert and Eli's HIPAA Training Alert at www.eliresearch.com.