October 2023 OCR Cybersecurity Newsletter: How Sanction Policies Can Support HIPAA Compliance

19 Oct 2023 10:19 AM | Zachary Edgar (Administrator)

Last year, the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) released a threat brief on the different types of social engineering that hackers use to gain access to healthcare information systems and data. The threat brief recommended several protective measures to combat social engineering, one of which was holding “every department accountable for security.” An organization’s sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection. Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failures to comply with policies and procedures, such as failing to secure data on a network server or failing to investigate a potential security incident.

The HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) require covered entities and business associates (“regulated entities”) to ensure that workforce members comply with the HIPAA Rules. Regulated entities are responsible for protecting the privacy and security of protected health information (PHI) by training their workforce, adopting written policies and procedures, and sanctioning workforce members who violate those policies and procedures.

Sanction policies are specifically required by both the Privacy Rule and the Security Rule:

  • The Privacy Rule requires covered entities to “have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] or [the Breach Notification Rule] of this part.”
  • The Security Rule requires covered entities and business associates to “[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.”

The Functions of a Sanction Policy

Sanction policies can improve a regulated entity’s compliance with the HIPAA Rules. Imposing consequences on workforce members who violate a regulated entity’s policies or the HIPAA Rules can be effective in creating a culture of HIPAA compliance and improved cybersecurity, because the knowledge that there is “a negative consequence to noncompliance enhances the likelihood of compliance.” Training workforce members on a regulated entity’s sanction policy can also promote compliance and greater cybersecurity vigilance by informing workforce members in advance which “actions are prohibited and punishable.” A sanction policy that clearly communicates a regulated entity’s expectations helps ensure that workforce members understand their individual compliance obligations and the consequences of noncompliance.

Content: What Should a Sanction Policy Look Like?

Because HIPAA regulated entities “are so varied in terms of installed technology, size, resources, and relative risk,” the HIPAA Rules allow for a flexibility of approach to achieve compliance. This flexibility of approach also extends to sanction policies: the Privacy Rule preamble states that “we leave the details of sanction policies to the discretion of the covered entity . . . [that] will be familiar with the circumstances of the violation . . . .” Similarly, the Security Rule preamble states that regulated entities “have the flexibility to implement the standard in a manner consistent with numerous factors, including such things as, but not limited to, their size, degree of risk, and environment.”

The HIPAA Rules do not require regulated entities to impose any specific penalty for any individual violation, or to implement any particular sanction methodology. Rather, in any individual case “[t]he type and severity of sanctions imposed, and for what causes, must be determined by each covered entity [or business associate] based upon its security policy and the relative severity of the violation.” Regulated entities may structure their sanction policies in the manner most suitable to their organization.

Regulated entities may want to consider the following when drafting or revising their sanction policies: 

  • Documenting or implementing sanction policies pursuant to a formal process.
  • Requiring workforce members to affirmatively acknowledge that a violation of the organization’s HIPAA policies or procedures may result in sanctions.
  • Documenting the sanction process, including the personnel involved, the procedural steps, the time period, the reason for the sanction(s), and the final outcome of an investigation. NOTE: These records should be retained for at least six years.
  • Creating sanctions that are “appropriate to the nature of the violation.”
  • Creating sanctions that “vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information.”
  • Creating sanctions that “range from a warning to termination.”
  • Providing examples “of potential violations of policy and procedures.”

By weighing these considerations, regulated entities can craft a thoughtful and well-documented sanction policy that informs workforce members of the regulated entity’s expectations, deters misconduct, and promotes HIPAA compliance through greater understanding and transparency of the policies and procedures that protect the privacy and security of PHI.

Execution: Sanctioning Consistently

How a regulated entity implements its sanction policy is just as important as the policy’s content. It is important for a regulated entity to consider whether its sanction policies align with its general disciplinary policies, and how the individuals or departments involved in the sanction processes can work in concert, when appropriate. Regulated entities may also want to consider how sanction policies can be fairly and consistently applied throughout the organization, to all workforce members, including management. Indeed, sanctioning workforce members inconsistently can undermine the integrity of a regulated entity’s compliance program.

In 2017 and 2018, OCR resolved two investigations with regulated entities that potentially violated the HIPAA Rules’ sanction requirements. In the first case, OCR found evidence that the regulated entity potentially “impermissibly disclosed the patient’s PHI through press releases issued to fifteen media outlets and/or reporters,” and that senior leaders disclosed the patient’s PHI to advocacy groups and in a published statement on their website. OCR also found evidence that the regulated entity potentially “failed to document timely the sanctions imposed against members of its workforce who failed to comply with its privacy policies and procedures or the Privacy Rule.” In the second case, OCR found evidence of a potential violation of the sanction requirements when a workforce member allegedly disclosed PHI to a reporter, and the regulated entity then allegedly “failed to apply appropriate sanctions against its workforce member who failed to comply with the entity’s privacy policies and procedures and the Privacy Rule.”

Conclusion

Sanction policies offer a great opportunity for regulated entities to establish and communicate compliance obligations and expectations to their workforce members. The deterrent effect of penalizing noncompliance and misconduct paired with clear communications about the consequences of noncompliance can promote greater compliance with the HIPAA Rules through accountability, understanding, and transparency. At a time when the need for constant vigilance to protect ePHI is at an all-time high due to hacking and other threats to the privacy and security of health information, regulated entities should make sure that their policies and practices include sanction policies that hold all workforce members accountable for noncompliance with the HIPAA Rules.

Reference

HIPAA News Releases & Bulletins