DIY: HIPAA Enforcement

by Adam Bullian | Jan 25, 2018 | Healthcare Compliance


I frequently write about HIPAA enforcement by the Office for Civil Rights at the U.S. Department of Health and Human Services ("OCR"). However, there is another aspect of HIPAA enforcement that occurs more frequently and hits closer to home: when your own organization must enforce HIPAA by implementing its violations and sanctions policy.

Commonly Used Practices for Enforcing HIPAA

Our focus on HIPAA enforcement is primarily on what happens when a breach or suspected breach occurs. However, enforcement by the organization itself has the potential to occur much more frequently, because no breach needs to have happened or even be suspected. An organization is required to enforce HIPAA whenever a member of its workforce violates a HIPAA-related policy or procedure. The organization enforces HIPAA when it imposes a sanction on the workforce member in question in accordance with the organization's sanction policy. Not every policy violation need result in termination (assuming the policy does not say it must), but repeated or egregious violations may. The "enforcement" may be as simple as retraining the individual on the policy that was violated. The important thing to keep in mind is that a sanction must be imposed pursuant to the sanction policy. Best practice is to have a flexible sanction policy that allows for less severe sanctions when the situation warrants, but preserves the organization's ability to terminate when appropriate. Failure to sanction an offending workforce member according to the policy would effectively put the organization out of compliance.

Don't Risk it, Fix it

While enforcement at the organization level is often overlooked, it is a critical aspect of effectively implementing a HIPAA compliance program. It also reinforces to your workforce that policy violations are taken seriously and handled consistently. Otherwise you risk your workforce developing a lax attitude about PHI safeguards and needlessly putting PHI at risk.


Our resources are compiled by our experts here at QI Express. With backgrounds in information technology consultation, IT systems design, audits, law, and patient-facing clinical roles, our team is able to leverage a unique scope of experience to deliver the most comprehensive educational material possible.