Tip: Ensure employees receive training equivalent to their duties. Stopping a data breach incident and retrieving the compromised records is just the start of mitigation requirements under the HIPAA. The law also requires you to levy sanctions on staffers who cause inappropriate protected health information (PHI) disclosures under HIPAA. Context: According to the HHS Office for Civil Rights (OCR), a sanction policy is “an important tool for supporting accountability and improving cybersecurity and data protection,” the agency maintains in the October 2023 OCR Cybersecurity Newsletter. “Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failures to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident,” OCR advises. Not only is a sanction policy a useful device that lets employees know from the get-go that there will be consequences for noncompliance, but it’s also a requirement under both the HIPAA Privacy and Security Rules. Cultivating an environment where employees understand their responsibilities to keep PHI secure while also feeling safe to report suspicious activity is critical to a successful HIPAA compliance plan.
Read on for advice on developing a sanction policy for your organization. Allocate Sanctions That Are Fair and Applicable to the Level of Violation Setting up a sanctions policy can be a tricky business. If the plan is too stringent, employees will be less likely to report incidents for fear of censure or job loss. However, if the consequences are too lenient, staff may not respect the rules with the loss of PHI or ePHI inevitable. As you design your policies, ensure that the penalty fits the violation. “HIPAA requires ‘appropriate sanctions,’” explains attorney Shannon Hartsfield, an executive partner with Holland & Knight LLP in Tallahassee, Florida. “Generally, it may not be appropriate to immediately jump to employment termination if someone makes an innocent mistake. If every little HIPAA misstep, no matter how unintentional, results in someone losing their job, no one is going to report problems that could otherwise be resolved or not allowed to fester.” Open lines of communication and equitable policies elevate compliance, too, says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Establishing trust and showing that the organization treats security issues fairly are key to organizational success with sanctions. Where there is found to be an intentional violation, disciplinary action is a learning moment for other staff, and where there is an accidental violation, it’s a learning moment for the organization,” Sheldon-Dean asserts. “What can we do better to keep this from happening again? Make issues a positive, and praise those who find them, as well as fix them,” he proposes. Consider this: Dedicating time and money to creating the training materials and educating staff on HIPAA rules is important; subpar training may lead to compliance failures — and sanctions. She adds that additional education should be a part of the sanction policy, too. “Sometimes documented counseling is an appropriate sanction,” Hartsfield expounds. “A sanction could involve re-training the people involved, or even looking at whether an entire department should be retrained to make sure that potentially systemic problems don’t continue.” Sheldon-Dean agrees. “If it’s accidental but the employee should have known, the incident needs examination as to the cause of the issue.” He suggests asking, “Is there a training deficiency? Do systems or processes encourage such mistakes? How widespread a problem is this?” However, “sanctions may be appropriate if an employee has already been warned about an accidental issue and nobody else is having the same problem,” Sheldon-Dean maintains.
Not all HIPAA violations are the same; therefore, the how, what, where, and why of PHI/ePHI loss should factor into the sanction decision-making process. “A sliding scale can be a reasonable way to approach violations,” Hartsfield recommends. “Depending on the nature of the improper use or disclosure of PHI or other compliance failure, a lesser sanction for a first offense could be appropriate. Consequences could escalate from there.” That’s why “every ‘accidental’ issue needs a careful evaluation to see what can be done within policies, procedures, and systems to encourage the correct behavior in the future,” Sheldon-Dean says. Make Staff Education on Sanction Policy a Priority Workers need to know upfront and preferably during training about what they’ll face for HIPAA-related infractions. Onboarding materials should include an overview of the sanction policy. “Everyone who is going to be interacting with PHI should be trained upon hiring,” Hartsfield says. “The training should be tailored to their particular job responsibilities, and the training should include references to the sanctions policy.” Resource: Find the OCR newsletter at www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2023/index.html. Kristin J. Webb-Hollering, BA, CPCO, Development Editor III