The Power of Clearly Communicated Sanction Policies in HIPAA Compliance

Sanctions were the focus of the October 2023 Office for Civil Rights Cybersecurity Newsletter. The article states, “An organization’s sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection. Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failure to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident.”

Adequate and thorough training is an essential component to all employee on-boarding and continued employment. One critical topic to discuss is sanctions, because the HIPAA Privacy and Security Rules both require sanction policies. Talking to employees about sanctions, or penalties for not following state, federal, or local laws or pharmacy-specific rules, helps to reinforce an employee’s understanding of the importance of taking their training seriously and understanding the consequences of non-adherence.

PAAS Tips:

  • The HIPAA Privacy and Security Rules were designed to allow for flexibility in implementation methods depending on the size, resources, and relative risk of the covered entity; this flexibility extends to sanction policies, so be sure to tailor your policy to your pharmacy’s specific needs
  • Sanctions must be handed out in a consistent manner to demonstrate equitable punishment across all levels of staff; inequitable punishments could weaken the integrity of the pharmacy’s compliance program
  • Current PAAS National® FWA/HIPAA Compliance Program members can refer to Sections 8, 10.12, and 11.3.3 in their Policy & Procedure Manual for more information on sanctions, violations, disciplinary actions, and corrective actions
  • Maintain all HIPAA-related documentation for a minimum of six years after the last effective date
Sara Hathaway, PharmD