
OCR Emphasizes the Importance of Sanction Policies for HIPAA Compliance

Posted on November 13, 2023 in Health Information Technology, Health Law News

Published by: Hall Render

The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently released updated guidance in its October 2023 Cybersecurity Newsletter emphasizing the importance of sanction policies in maintaining HIPAA compliance. This guidance builds upon a threat brief issued in August 2022 by HHS’ Health Sector Cybersecurity Coordination Center (“HC3”). The 2022 HC3 brief outlined various methods hackers use to gain access to health care systems and data, along with recommended protective measures. The latest OCR guidance adds recommendations for establishing effective sanction policies, offering practical direction for organizations looking to strengthen their compliance with HIPAA and with their own organizational policies.

Background

Under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”), covered entities and business associates (“regulated entities”) are required to ensure that their workforce complies with the HIPAA Rules. To ensure such compliance, both the HIPAA Privacy Rule and the Security Rule require regulated entities to sanction workforce members who violate the organization’s privacy and security policies and procedures. OCR’s guidance advises that imposing consequences on workforce members who violate those policies or the HIPAA Rules can create a culture of HIPAA compliance and improve cybersecurity, because the prospect of negative consequences increases the likelihood of compliance. Furthermore, educating and training workforce members on the regulated entity’s sanction policy promotes compliance by proactively spelling out prohibited actions and the disciplinary actions that follow them.

What Should Be Included in a Sanction Policy?

OCR acknowledges in the guidance that there is no one-size-fits-all policy that can effectively address every instance of noncompliance, and it emphasizes the need for a tailored approach that comports with the specific needs of each regulated entity. The overarching objective of a sanction policy is to clearly communicate the regulated entity’s expectations to its workforce, deter misconduct and promote HIPAA compliance. The guidance also identifies factors and considerations that regulated entities should weigh when drafting or revising their sanction policies. Key recommendations from OCR include:

  • Documenting or implementing sanction policies pursuant to a formal process.
  • Requiring workforce members to affirmatively acknowledge that a violation of the organization’s HIPAA policies or procedures may result in sanctions.
  • Documenting the sanction process, including the personnel involved, the procedural steps, the time period, the reason(s) for the sanction(s) and the final outcome of the investigation (records should be maintained for at least six years under HIPAA).
  • Creating sanctions that are “appropriate to the nature of the violation.”
  • Creating sanctions that “vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional and whether the violation indicated a pattern or practice of improper use or disclosure of Protected Health Information (“PHI”).”
  • Creating sanctions that “range from a warning to termination.”
  • Providing examples “of potential violations of policy and procedures.”

Consistent Implementation of the Sanction Policy

Lastly, the OCR guidance notes that how regulated entities implement and administer the sanction policy is as important as the policy itself. Fair and consistent enforcement across the entire workforce, including management, leads to better compliance. Disciplining workforce members for noncompliance consistently and fairly deters further noncompliance and strengthens protection for the entity, while ineffective or uneven enforcement undermines the integrity of the entity’s compliance program.

Due to the increased threats that the health care industry is seeing through hacking and other breaches involving PHI, regulated entities need to be diligent about ensuring that their policies and practices, including sanction policies, hold all workforce members accountable for noncompliance with HIPAA Rules. Failure to do so can result in unintentional or intentional PHI disclosures that violate HIPAA and can lead to OCR investigations, fines, corrective action plans and/or resolution agreements.

Practical Takeaways

  • All regulated entities are mandated to establish sanction policies in accordance with the Privacy and Security Rules of HIPAA.
  • Having an effective sanction policy can significantly bolster workforce adherence to HIPAA regulations, thereby fortifying defenses against hacking threats and the unauthorized dissemination of PHI.
  • Regulated entities should create or revise their sanction policies in accordance with the key recommendations from HHS OCR and ensure that sanction documentation is maintained and regularly updated.
  • Regulated entities should implement and administer their sanction policies fairly and consistently across their organization.
  • Regulated entities should consider whether technology can assist in the fair and equal implementation of organizational policies, while continually verifying that the chosen solutions are unbiased. For example, many regulated entities have policies that PHI should only be accessed when there is a business need to do so, and many organizations are looking to artificial intelligence and machine learning tools to analyze access logs and alert on suspicious PHI access. While on the surface these tools may provide a defensible justification for fairly applying and enforcing access policies, organizations should work with each vendor to ensure the technology is free from bias, i.e., bias against a particular job category, work context, type of employee or other categorization.

If you require assistance drafting or updating your entity’s HIPAA sanction policies or would like additional information, please contact:
