Home Health & Hospice Week

HIPAA:

Make Patient Privacy A Priority

5 tips for creating and maintaining an effective HIPAA sanctions policy.

Whether it's the penalty box, the pillory or the paddy wagon, every system of rules and regulations requires its own set of punitive measures -- and HIPAA is certainly no exception. According to both the privacy and security rules under the Health Insurance Portability and Accountability Act, employers must "apply appropriate sanctions" against any workforce members who fail to follow privacy or security policies.

Of course, this doesn't mean the Centers for Medicare & Medicaid Services or the HHS Office for Civil Rights is forcing you to fire anyone who violates HIPAA in the slightest, says attorney Nancy Armatas with the Chicago firm of Popovits & Robinson. But you do need to have a disciplinary policy in place that lets employees know that HIPAA violations are serious business, she explains.

While HIPAA requires all covered entities to maintain a sanctions policy, the reg doesn't prescribe how such a policy should be fashioned or enforced. For advice on establishing an effective sanctions policy in your home care organization, check out five tips from these HIPAA experts:

1. Don't reinvent the wheel. Traditionally, disciplinary policies have been the domain of HR departments, explains Margret Amatayakul, president of Schaumburg, IL-based MargretA Consulting. Consequently, HIPAA privacy or security officers should definitely check first with their HR departments or coordinators to determine what types of sanctions may already be in place to address privacy violations, she recommends.

"My advice is to piggyback onto your existing HR sanction policy and process. You don't have to reinvent the wheel," says Suzy Buckovich, a managing consultant with IBM Business Consulting Services in Bethesda, MD.

2. Take a tiered approach. Any type of sanctions policy that addresses behaviors relevant to HIPAA should be set up as a "progressive" or "tiered" policy, advises Gwen Hughes, a consultant with Chicago-based Care Communications. This means your sanctions policy should establish varied levels of punishment, ranging from verbal warnings to further training to termination.

When creating this progressive disciplinary system, it's vital to supply examples of the types of behaviors that would be deemed inappropriate under your HIPAA privacy and security policies, adds Amatayakul. The intent is not to create a complete list of all behaviors that would be considered infractions under HIPAA, but to provide employees with a range of several specific actions that would merit specific sanctions, she says.

3. Educate your staff. A sanctions policy can't be effective unless your employees are aware that the sanctions exist. Therefore, use your HIPAA training or general orientation sessions to make sure your workforce knows that privacy and security violations carry very real penalties. This doesn't mean you have to recite your sanctions [...]