Help with HIPAA Compliance
Helping you understand the complexities of compliance under the HIPAA Security and Privacy Rules. Our team of experts in regulatory compliance can answer any questions you may have.
Colington Consulting

HIPAA Security Compliance: What is Your Sanction Policy?

3/31/2014 11:02:05 AM

Sanction policy? It sounds like what one country would do to another country to apply political pressure. Regrettably, that is the terminology the government uses for this section of HIPAA Security Rule compliance. The sanction policy (45 CFR 164.308(a)(1)(ii)(C)) is a required implementation specification of the Security Management Process standard, so it must be part of your overall security management process.

Maybe a better way to approach this requirement is to think of it as your office disciplinary policy. Appropriate sanctions must be in place so that your entire staff understands the consequences of failing to comply with security policies and procedures; the goal is to prevent a breach of patient records before it happens. Provide examples of potential violations of office policy and procedures along with the disciplinary action each would draw. As a prerequisite to employment, have employees sign a statement that they have read and will adhere to the policies and procedures currently in place. Make it clear enough for everyone to understand.

If disciplinary action must be taken, it may be helpful to follow what I call my three D’s.

  1. Be DECISIVE. Whoever in your practice enforces policies and procedures (most likely the designated HIPAA Security Official) needs to take immediate action. Do not delay.

  2. Be DIRECT. Let your employee know this is not personal. Your practice has a legal obligation to protect patient records. Reference the materials from your security awareness training to remind the employee of his/her obligations.

  3. Practice DUE DILIGENCE. There must be a written policy in place, and all staff must be aware of your office requirements. Enforce these critical policies consistently, no matter who in your practice is at fault.

Should your practice be the focus of a HIPAA compliance review, reviewers will look closely at your sanction policy, and not only at whether it exists on paper: expect to be asked for evidence that it has actually been applied. Keep a written record of each sanction imposed; under 45 CFR 164.316(b) that documentation must be retained for six years. Your sanction policy must be included in your HIPAA Risk Management Plan, and you should review and update the policy and its procedures on a regular basis.

Author: Jay Hodes is the President of Colington Security Consulting LLC and the former Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services, Office of Inspector General.  In that position he supervised over 200 Special Agents and professional support staff responsible for health care fraud and medical identity theft investigations throughout the eastern United States.

His company provides assistance with HIPAA Security Rule compliance by conducting risk assessments and writing practice-specific risk management plans. The assessments identify vulnerabilities and risks, determine the potential impact, and provide a gap-analysis action plan to prevent unauthorized access, tampering and theft.

Please contact Jay with any questions you have at


©1999-2019 Dentaltown, L.L.C., a division of Farran Media, L.L.C. · All Rights Reserved