Medicare Compliance & Reimbursement

HIPAA:

Don’t Skimp On Sanction Policymaking, Feds Warn

Tip: Ensure employees receive training equivalent to their duties.

When a data breach occurs, there’s more to an organization’s mitigation duty than merely retrieving the records and stopping the incident. That’s where a sanction policy comes into play. Your mitigation efforts must extend to the sanctions you levy on staffers who cause inappropriate protected health information (PHI) disclosures under HIPAA, regardless of their intent.

Context: A sanction policy is “an important tool for supporting accountability and improving cybersecurity and data protection,” the HHS Office for Civil Rights (OCR) maintains in its October 2023 OCR Cybersecurity Newsletter. “Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failures to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident,” OCR advises.

Not only is a sanction policy a useful device that lets employees know from the get-go that there will be consequences for noncompliance, but it’s also a requirement under both the HIPAA Privacy and Security Rules. Cultivating an environment where employees understand their responsibilities to keep PHI secure while also feeling safe to report suspicious activity is critical to a successful HIPAA compliance plan.

Read on for advice on developing a sanction policy for your organization.

Allocate Sanctions That Are Fair and Applicable to the Level of Violation

Setting up a sanctions policy can be a tricky business. If the plan is too stringent, employees will be less likely to report incidents for fear of censure or job loss. However, if the consequences are too lenient, staff may not respect the rules, and the loss of PHI or ePHI becomes inevitable. As you design your policies, ensure that the penalty fits the violation.

“HIPAA requires ‘appropriate sanctions,’” explains attorney Shannon Hartsfield, an executive partner with Holland & Knight LLP in Tallahassee, Florida. “Generally, it may not be appropriate to immediately jump to employment termination if someone makes an innocent mistake. If every little HIPAA misstep, no matter how unintentional, results in someone losing their job, no one is going to report problems that could otherwise be resolved or not allowed to fester.”

An overly punitive sanction policy may discourage staff from coming forward when accidents happen, especially if management isn’t held to the same standards. And when that happens, privacy and security may be impacted. For example, “it would not be appropriate to fire a lower-level worker without hesitation for something that the company’s CEO has also done without being fired,” Hartsfield cautions.

Open lines of communication and equitable policies elevate compliance, too, says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Establishing trust and showing that the organization treats security issues fairly are key to organizational success with sanctions. Where there is found to be an intentional violation, disciplinary action is a learning moment for other staff, and where there is an accidental violation, it’s a learning moment for the organization,” Sheldon-Dean asserts.

“What can we do better to keep this from happening again? Make issues a positive, and praise those who find them, as well as fix them,” he proposes.

Consider this: Dedicating time and money to creating training materials and educating staff on the HIPAA rules is important; subpar training may lead to compliance failures — and sanctions. “If training is lacking, the organization should look at who is responsible for the training, and whether sanctions are appropriate in that circumstance for not appropriately implementing HIPAA’s training requirement,” Hartsfield says. “The organization should also consider who is authorized to impose sanctions, and whether they truly have that authority within the organization.”

She adds that additional education should be a part of the sanction policy, too. “Sometimes documented counseling is an appropriate sanction,” Hartsfield expounds. “A sanction could involve re-training the people involved, or even looking at whether an entire department should be retrained to make sure that potentially systemic problems don’t continue.”

Sheldon-Dean agrees. “If it’s accidental but the employee should have known, the incident needs examination as to the cause of the issue.” He suggests asking, “Is there a training deficiency? Do systems or processes encourage such mistakes? How widespread a problem is this?”

However, “sanctions may be appropriate if an employee has already been warned about an accidental issue and nobody else is having the same problem,” Sheldon-Dean maintains.

Not all HIPAA violations are the same; therefore, the how, what, where, and why of PHI/ePHI loss should factor into the sanction decision-making process. “A sliding scale can be a reasonable way to approach violations,” Hartsfield recommends. “Depending on the nature of the improper use or disclosure of PHI or other compliance failure, a lesser sanction for a first offense could be appropriate. Consequences could escalate from there.”

That’s why “every ‘accidental’ issue needs a careful evaluation to see what can be done within policies, procedures, and systems to encourage the correct behavior in the future,” Sheldon-Dean says.

Factor Remote Work Into Your Sanction Plan, Too

The combination of remote work, the use of personal devices, and decreased IT budgets makes it harder to regulate data security, and that makes implementing a sanction policy more complicated, with additional elements to consider. Risk assessment and analysis are critical components of compliance planning, are required under the HIPAA rules, and can help you address the intersection of remote work and sanction policymaking, suggests Hartsfield.

“Covered entities should document the risks relating to remote work and how those will be mitigated. Covered entities can implement systems and processes to require secure connections when remote workers access PHI, and these entities should also be auditing and monitoring remote workers and how they comply with the policies and procedures,” she says. “Sanctions may be required for noncompliance.”

Tip: Employing security safeguards like multi-factor authentication from the start can thwart potential security issues both in the office and for remote workers, Sheldon-Dean says. “This makes access more consistent across the organization for all roles, and simplifies a lot of IT headaches. If there are still policy violations, see if access can be tightened, and use the incident as a training moment,” he advises.

Educate Staff on the Sanction Policy Immediately

Workers need to know upfront and preferably during training about what they’ll face for HIPAA-related infractions. Onboarding materials should include an overview of the sanction policy.

“Everyone who is going to be interacting with PHI should be trained upon hiring,” Hartsfield says. “The training should be tailored to their particular job responsibilities, and the training should include references to the sanctions policy.”

Reminder: OCR allows practices free rein to design and implement their training programs and sanction policy; however, many practices have neither the qualified staff to compile HIPAA training resources nor the funds to do so. One positive is that “HIPAA is flexible and scalable,” Hartsfield says. “A good place to start would be with existing human resources policies.”

Since OCR permits covered entities (CEs) to determine their own “sanction methodology” based on the scope and scale of their organizations, there’s room for a nuanced approach to policymaking, the agency says in the Cybersecurity Newsletter. “Regulated entities may structure their sanction policies in the manner most suitable to their organization.”

Bottom line: Having your sanction policy in place doesn’t mean HIPAA training and analysis end. Though standards must be followed and issues managed, compliance continues to evolve based on human error, new technologies, and more.

If issues continue to arise, Sheldon-Dean suggests you ask, “Why are the violations happening? Can we improve processes and remove the need for the violation?”

“In many ways the analysis is easier as systems become more integrated and accessed uniformly, but there will always be improvements to be made,” he observes. “You need to enlist your staff to help you find the weaknesses in your processes and let them know they’ll be rewarded, not punished, for finding flaws in the organization. As technologies and society change quickly today, you need to be flexible and forgiving while your staff and your organization catch up.”

Resource: Find the OCR newsletter at www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2023/index.html.