Many HIPAA covered entities and business associates struggle with developing and implementing a sanctions policy. What should it say? Is zero tolerance required? Do we have to impose discipline in every case? These are examples of the frequent and thorny questions that arise when developing and implementing these policies. They are important questions to answer, especially given the position of the federal Office for Civil Rights (OCR) concerning these policies.

The healthcare industry continues to sit at or near the top of lists of industries affected by data breaches, whether caused by cyber criminals or by self-inflicted wounds. As the Office for Civil Rights has observed, these breaches take many forms – ransomware, social engineering, snooping, misdirected patient data, mishandled responses to patient complaints, tracking technologies, etc. – with human error behind many of them. In its October 2023 Newsletter, the OCR points to sanctions policies as an “important tool” for supporting accountability and improving cybersecurity and data protection.

In August 2022, the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) released a threat brief. The brief explores various tactics employed by hackers to infiltrate healthcare information systems and recommends several measures to combat social engineering, including holding “every department accountable for security.” That means having and implementing sanctions policies.

HIPAA expressly requires sanctions policies. Written sanction policies are required under both the HIPAA Privacy and Security Rules:

  • The Privacy Rule requires covered entities to “have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] or [the Breach Notification Rule].” 45 CFR 164.530(e)(1).
  • The Security Rule requires covered entities and business associates to: “[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.” 45 CFR 164.308(a)(1)(ii)(C).

The OCR notes that sanction policies can play a pivotal role in fostering a culture of HIPAA compliance and enhancing cybersecurity. The knowledge that noncompliance comes with negative consequences acts as a powerful deterrent. Educating employees about the organization’s sanction policy reinforces their understanding of compliance obligations and the repercussions of noncompliance.

Yes, but what should they say? Fortunately, the HIPAA rules and the OCR’s interpretation of those rules have consistently permitted flexibility in sanctions policies due to the diverse nature of healthcare organizations. However, while this flexibility means no specific penalties or methodologies are required, there appears to be an expectation that some sanction would be imposed in many cases involving a data breach.

The OCR reminds the healthcare community that some of its enforcement actions have been based on violations of HIPAA’s sanction policy requirement. In one case, the OCR settled with an allergy center for $125,000 and a corrective action plan. The settlement was based on allegations that a doctor improperly discussed a patient’s PHI with a reporter, and that the allergy center…

“failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media”

When putting together a sanctions policy, there is no one-size-fits-all approach. Indeed, covered entities and business associates may structure their sanction policies in the manner most suitable to their organization. However, the OCR offers the following items to consider when drafting or updating the policy:

  • Documenting or implementing sanction policies through a formal process.
  • Requiring workforce members to acknowledge that policy violations may result in sanctions.
  • Detailed documentation of the sanction process, including personnel involved, procedural steps, timeframes, reasons for sanctions, and investigation outcomes.
  • Tailoring sanctions to the nature and severity of the violation.
  • Adapting sanctions based on factors such as intent, severity, and patterns of improper use or disclosure.
  • Offering a range of sanctions, from warnings to termination.
  • Providing examples of potential policy violations.

By considering these elements, regulated entities can craft well-documented sanction policies that communicate expectations clearly, deter misconduct, and promote compliance. But, as noted above, it is not enough to have a sanctions policy, it must be implemented. Implementation means, among other things:

  • Delegating the process of imposing sanctions appropriately, which may mean involving the Human Resources, Compliance, and/or Legal departments.
  • Ensuring that the sanctions policy is administered consistently.
  • Documenting the sanctions process.
  • Retaining records of the sanctions process for six years under the HIPAA retention rule.

Sanction policies are not just a compliance requirement; they are a valuable tool for healthcare organizations to establish clear compliance obligations, hold workforce members accountable, and maintain the privacy and security of PHI. In an era marked by heightened cybersecurity threats, it is essential that regulated entities prioritize sanction policies to ensure HIPAA compliance. By doing so, they can create a culture of accountability, understanding, and transparency, ultimately safeguarding sensitive health information from potential breaches and threats.


Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coaching hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees.
  • Supporting organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, advising employers and plan sponsors regarding the establishment, administration, and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counseling plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assisting in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advising plan sponsors concerning employee benefit plan operation, administration, and the correction of errors in operation.

Joe speaks and writes regularly on current employee benefits, data privacy, and cybersecurity topics, and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin, and the Privacy and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.