I frequently write about HIPAA enforcement by the Office for Civil Rights at the U.S. Department of Health and Human Services ("OCR"). However, there is another aspect of HIPAA enforcement that occurs more frequently and hits closer to home.That is when your organization must be the ones enforcing HIPAA by way of implementing your violations and sanctions policy.Commonly Used Practices for Enforcing HIPAA
Our focus on HIPAA enforcement is primarily what happens when a breach or suspected breach happens. However, enforcement by the organization itself has the potential of occurring much more frequently because a breach is not required or even suspected. An organization is required to essentially enforce HIPAA when a member of its workforce violates a HIPAA related policy or procedure. The organization enforces HIPAA when it imposes a sanction on the workforce member in question in accordance with the organization's sanction policy. Every policy violation may not beget termination (assuming the policy does not say it must), but repeated or egregious violations may. The 'enforcement' may be simply retraining the individual on the policy that was violated. The important thing to keep in mind is a sanction must be imposed pursuant to the sanction policy. Best practice is to have a flexible sanction policy that allows for less severe sanctions when the situation warrants, but preserves the organization's ability to terminate when appropriate. Failure to sanction an offending workforce member according to the policy would effectively cause the organization to be out of compliance.
Don't Risk it, Fix it
While enforcement at the organization level is often overlooked, it is a critical aspect of effective implementation of a HIPAA compliance program. It also reinforces to your workforce that policy violations are taken seriously and handled consistently. Otherwise you risk your workforce having a lax attitude about PHI safeguards and senselessly putting PHI at risk.
Learn More About Best Practices for HIPAA: