sanction consequencesSanction policies are often vague or even overlooked in many privacy and security programs.  The whole point of a sanction policy is to list out the consequences for failure to follow our policies and procedures.  With a vague or non-existent policy consequences aren’t clear which leads to a lack of concern for failure to follow the policy in the first place.  You will never build a culture that worries about protecting information without it being clear that is a requirement for inclusion in our culture.  How do you sanction?

HIPAA For MSPs by David Sims How Do You Sanction?
00:00:00 00:00:00

Sanction policies are key to making sure any business operates under the business’s operating rules, policies, and procedures.  It is that same thing we always say to kids – Choices and consequences matter, make good choices so you don’t have to deal with the consequences of bad choices.

Does your sanction policy really work, though?  It is the key to making sure the whole program works.

What are sanctions?

One of the things many people overlook is that sanctions can be both good and bad.  It can be used for both permission and punishment.  For example:  This treatment has been sanctioned by the FDA vs The sanctions applied by the FDA include removal of license to practice have to very different meanings.  Of course, we have to look into the nerdy explanation for that type of word.  It is that it is a contronym or auto-antonym.  The same word can mean the opposite of itself.

Under HIPAA law the meaning is clear, however. Sanction means this is what happens if you fail to comply with our policies and procedures.

  • Security Rule
    • Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
  • Privacy Rule
    • (e)(1) Standard: Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part.

Since both security and privacy rules require these sanctions it would make sense that everyone on your workforce should know it exists and understand what consequences could apply.

The HIPAA law as a whole has a sanction policy which is referred to as the Enforcement Rule.  We just talked about the penalties and how culpability level is used to determine the size of the penalty.  In those definitions there are clear levels of culpability defined that must be used to evaluate the severity of violations which will determine the severity of the penalty (or sanction) applied.

  • Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
  • Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
  • Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

Why do sanctions matter so much?

Sanctions exist for everything we know as rules we must follow.  Without them the rules (whether it be policy or law) are merely suggestions, are they not?  Choices and consequences – if there are no consequences for your actions will you always follow the rules?

The chances of getting “caught” and the consequences when that happens are directly related to how seriously humans will take any rule.  If there are consequences but ones that you are willing to deal with if it happens, then you are more likely to break that rule than others.  You know what the risk is and you will take your punishment if you get caught.  Kind of like how we all drive the exact speed limits on the highway.

When HIPAA first went into effective the consequences of not following it were not really an effective method of getting people to follow the law.  In fact, most people did less than the minimum because there was no downside to following the requirements.  Since HITECH, that has changed significantly on the sanctions side at least.  But, many people still see this as an acceptable risk to ignore the consequences.  We discuss it all the time how people will say “it won’t happen to me”.

Even if you do get caught you just do the HIPAA videos again and that little test thing.  No big deal.
While we want to believe doing the right thing should be motivation enough, most people need the extra push of negative consequences for failure to do the right thing to push them into doing it.  The number of times we hear how little concern people believe the organization feels for the rules, it is clear the sanction policy is not effective at all.

Staff members have said many things in court records and in the discussions that we have heard with our own ears.  We hear a lot of things that just make you stare with a jaw dropped.

  • As long as you keep your mouth shut you can do anything you want, just lay low and always say you understand.
  • The only way you can get caught is in one of those audits they do and they don’t look at anything other than logins, so don’t worry about it.
  • Even if you do get caught you just do the HIPAA videos again and that little test thing.  No big deal.

The message a lack of serious sanctions sends to your staff means you really don’t care.  You are just showing them that you are simply checking-the-box for compliance requirements.  That’s when we hear things like:

  • Oh yeah, I had to meet with my supervisor to review the policies and procedures and sign off on them again.  They are ok with it they just have to do the paperwork to show we are doing the HIPAA.
  • If the company really did think what he did was wrong they would have fired him.  All they did was have a 30-minute meeting behind closed doors.  He said it was no big deal and the CEO understands sometimes these things happen.

Who do sanctions apply to?

Everyone.  HIPAA explicitly states sanctions must apply to the entire workforce.  The workforce includes everyone which is clearly stated in the law:

Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.

Just last year OCR has a settlement with Allergy Associates of Hartford over an improper disclosure by one of the doctors.  One of the major things they did wrong was not sanctioning the doctor for doing what the privacy officer clearly told him not to do.

Who makes the sanction decisions?

Sanction decisions can be tricky in a small organization as well as a large one.  There is a standard process you would expect to see in most organizations.

  • Privacy and/or Security officers investigate the cases. They provide their findings with a recommendation of action based on their findings about the severity and culpability of the case according to the sanction policy.
  • Human Resources and upper management review the findings and recommendations from the investigation.  They take action following any other violation of company policy.

This decision should be handled carefully because failing to sanction properly according to policy basically says that you don’t intend to follow the law.  Your entire workforce will be paying attention.

What should be in your sanction policy?

Just like any other policy that is sensitive like this one.  You need to try to think of everything and get down a written plan.  Your policy should address how you will handle these things:

  • Documentation requirements and methods
    • What are you going to document about the case
    • Where are you going to keep it
      • You need both HIPAA compliance documentation and HR documentation
    • Who gets access to it in both places
    • Who must sign off on the documentation to confirm it is complete and accurate
  • Investigation requirements
    • Who should be involved in the investigations
    • Should the person’s being investigated be suspended or have access cut off during the investigation?
    • Will you record the details on paper or on audio or video?
      • Some of this stuff ends up in legal proceedings
    • How long should the investigation take?
  • Objective rules and subjective options
    • We recommend not having a policy that just says we will address it based on findings and nothing more
    • Create a matrix that addresses things that are both subjective and objective like:
      • Culpability level
        • It is reasonable to believe they really didn’t understand what they were doing was wrong
        • It is clear they tried to figure out what was the right thing to do but made a mistake in their due diligence
        • It was a clear violation of policy but done without intent to violate policy
        • They knew what they were doing was wrong and did it anyway
      • Responsibility level
        • If this person is a leader who must set examples for others then their failures and sanctions set examples also
        • If this is a person with a high level of access or controls like IT folks
      • Number of cases of breaches or violations
        • You can’t tell me the same story two times in a row that you didn’t understand
        • Several minor violations add up to one major one and may have already done so you just have discovered it yet
      • Whether the violation of policy also results in a breach that must be reported
        • If you have to notify it holds way more weight than if it is just a violation of policy
      • Number of staff members involved
        • If there was a group involved then you must act to make a statement
        • If it was just two people but they conspired to do this then make a statement
        • If it was a management person, certainly act with intention to make a statement if the other workforce members are involved and knowledgeable about the case
      • How sneaky was the case
        • Did they use someone else’s credentials to do something?
        • Did they try to cover it up or lie about it or have others lie about?
      • How much did they cooperate with the investigation
  • How to handle the sanction decisions
    • Who makes the final decisions
      • For all employees?
      • For management?
      • For clinical vs administrative vs technical staff
  • How to address sanctions that apply to management or personnel that you are supposed to report the findings for decisions.
    • Who will handle discussing the sanctions to those involved
    • How will you explain to the staff if it is a well-known case
    • What if the sanction includes a termination?

Without these kinds of subjective things in place, there are often no serious consequences.  If you have one of those completely objective policies it is hard to say it will be administered equally across all staff.  In fact, that rarely happens.  It is much easier to stick to something that has hard numbers and consequences but allows you to include other objective mitigating factors.  Of course, you should have factors that could reduce the severity but there are also factors that could increase the severity.

Some business leaders really hate to fire people.  For some, it is because they worry about lawsuits or other issues.  Some worry the ex-employee will retaliate.  Others just don’t want to be “mean” because they know that the employee really needs their job. However, there are no exclusions for you as the business owner for not properly making sure your workforce follows the law.

Everyone will be watching your decisions when it comes to addressing an incident and what sanction you apply.  Make sure you consider what your workforce will learn from how you addressed the problem before making your final decisions.