Group health plans should consider implementing a sanction policy to govern violations of the security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A Security Sanction Policy serves to protect the confidentiality and integrity of personal health information and other sensitive information about plan participants.
Consider these tips for an effective Security Sanction Policy:
- Identify a line of command. Employees should know whom to contact when they suspect a breach of personal information.
- Identify an individual to investigate claims. Generally, the Security Officer or Privacy Officer should be tasked with conducting a thorough and confidential investigation into the allegations.
- Require documentation. The results of any investigation should be clearly documented. Personal information should be limited or removed from the documentation.
- Implement a corrective action policy. Consider a discipline policy to address violations. The policy can be progressive, up to and including termination of employment. At a minimum, employees found violating policies should be reprimanded (verbal or written, depending on the allegation).
- Consider federal offenses. If warranted, determine if the incident should be reported to the authorities.
- Consider the HITECH breach reporting requirements. Each incident should be reviewed to determine if there is a reporting requirement under the HITECH amendments to HIPAA.
A Security Sanction Policy should be given to and acknowledged by newly hired employees. It should also be redistributed to active employees on a periodic basis. A Security Sanction Policy is a necessary component of security compliance.