HIPAA Sanction Policy

Do you have a HIPAA sanction policy?  I find this to be an easy, necessary policy that everyone should have.  Plus, it is required.  I think there is a lack of understanding with the HIPAA sanction policy.  Some people are not too sure what it means.  Here is the meaning of a HIPAA sanction policy.

68 Federal Register 8377; 45 CFR 164.308(a)(1)(ii)(C)

You must apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.  This is a requirement.  A sample policy might look like this:

Sample HIPAA Sanction Policy

Policy: Our practice has implemented a security sanction policy to safeguard confidential health information in oral, written, and electronic forms. Workforce members are responsible for complying with the practice’s policies and procedures. Failure to do so may result in disciplinary action, up to and including termination of employment.

Procedures: All workforce members will receive training on our policies and procedures prior to adoption of new policies or modification of existing policies.

As part of new employee orientation, all new workforce members will participate in a minimum 1-hour one-on-one policies and procedures training session with our privacy and security officials.

Sanctions on failure to comply with our policies and procedures are as follows:

  1. Upon the first noncompliant event, the workforce member’s supervisor and one member of the physician staff will have a private conversation with the workforce member and review the appropriate policy and procedure to be certain the workforce member understands the policy.
  2. Upon the second noncompliant event, the supervisor and office administrator will have a private conversation with the workforce member, and a letter of remediation will be placed in the employee’s personnel file.
  3. Upon the third noncompliant event for the same activity, the workforce member will be sent home for 3 days without pay.
  4. Upon the fourth noncompliant event, the employee will be terminated.

This is just one example of a HIPAA Sanction Policy.  For a full manual of HIPAA policies and procedures, contact Tier3MD.

For more information on HIPAA Policies and Procedures, click here.