Sanction policy? It sounds like what one country would do to another country to apply political pressure. Regrettably, that is the terminology the government is using when it comes to this section of HIPAA Security Rule compliance. The sanction policy (CFR 164.308(a)(1)(iii)(C) must be part of the overall security management process.
Maybe a better way to approach this requirement is to think of it as your office disciplinary policy. Appropriate sanctions must be in place so that your entire staff understands the consequences of failing to comply with security policies and procedures in order to prevent a breach of patient records from occurring. You should provide examples of potential violations of office policy and procedures along with your office disciplinary actions. As a prerequisite to employment, have employees sign a statement of adherence to your current policies and procedures in place. Make it clear for all to understand.
If disciplinary action must be taken, it may be helpful to follow what I call my three D’s.
-
Be DECISIVE. Whoever in your practice is enforcing policy and procedures (most likely the designated HIPAA Security Official) will need to take immediate action. Do not delay.
-
Be DIRECT. Let your employee know this is not personal. Your practice has a requirement to protect patient records. You should reference any documentation provided in your security awareness training to remind the employee of his/her obligations.
-
Practice DUE DILIGENCE. It is incumbent that there be written policy in place and all staff be aware of your office requirements. You must be consistent in the way you enforce these critical policies, no matter who in your practice is at fault.
Should your practice be the focus of a HIPAA compliance review, a lot of attention will be placed on your sanction policy. Your sanction policy must be included in your HIPAA Risk Management Plan. It is always recommended you review and update sanction policy and procedures on a regular basis.
Author: Jay Hodes is the President of Colington Security Consulting LLC and the former Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services, Office of Inspector General. In that position he supervised over 200 Special Agents and professional support staff responsible for health care fraud and medical identity theft investigations throughout the eastern United States.
His company provides assistance with HIPAA Security Rule compliance by conducting risk assessments and writing practice specific risk management plans. The assessments identify vulnerabilities and risks; determine the potential impact and provide a gap analysis action plan to prevent unauthorized access, tampering and theft.
Please contact Jay with any questions you have at jhodes@colingtonsecurity.com.