The Power of Clearly Communicated Sanction Policies in HIPAA Compliance

Sanctions were the focus of the October 2023 Office for Civil Rights Cybersecurity Newsletter. The article states, “An organization’s sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection. Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failure to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident.”

Adequate and thorough training is an essential component to all employee on-boarding and continued employment. One critical topic to discuss is sanctions, because the HIPAA Privacy and Security Rules both require sanction policies. Talking to employees about sanctions, or penalties for not following state, federal, or local laws or pharmacy-specific rules, helps to reinforce an employee’s understanding of the importance of taking their training seriously and understanding the consequences of non-adherence.

PAAS Tips:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

The HIPAA Privacy and Security Rules were designed to allow for flexibility in implementation methods depending on the size, resources, and relative risk of the covered entity; this flexibility extends to sanction polices so be sure to tailor your policy to your pharmacy’s specific needs
Sanctions must be handed out in a consistent manner to demonstrate equitable punishment across all levels of staff; inequitable punishments could weaken the integrity of the pharmacy’s compliance program
Current PAAS National^® FWA/HIPAA Compliance Program members can refer to Sections 8, 10.12, and 11.3.3 in their Policy & Procedure Manual for more information on sanctions, violations, disciplinary actions, and corrective actions
Maintain all HIPAA-related documentation for a minimum of six years after the last effective date

Author
Recent Posts

Sara Hathaway, PharmD

Analyst at PAAS National^®

After graduating from UW-Madison's School of Pharmacy with my PharmD, I spent my first eight years at an independent pharmacy dividing my time between both retail and long-term care. I fell in love with the independent pharmacy world and joined the PAAS team to help independents not only survive, but thrive.

I enjoy assisting pharmacy staff both pre- and post-audit and enjoy providing them with knowledge and tools to decrease audit risk going forward. I write articles for Third-Party Newsline each month and answer member questions daily. I look forward to building professional relationships with each of our members and assisting you with your next audit.

Latest posts by Sara Hathaway, PharmD (see all)

Numerous Sumatriptan Formulations Cause Headaches for Pharmacies, & Potential Recoupments - April 14, 2024
Be on the Lookout for Eye Drops Requiring Extra Billing Consideration - March 16, 2024
Employer Pays $4.75 Million after Employee Stole, then Sold, Protected Health Information - March 5, 2024