HIPAA Regulations: The Administrative Requirements: Sanctions - § 164.530(e)
As Contained in the HHS HIPAA Rules
HHS Regulations |
-
Standard: sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part. This standard does not apply to a member of the covered entity's workforce with respect to actions that are covered by and that meet the conditions of § 164.502(j) or paragraph (g)(2) of this section.
-
Implementation specification: documentation. As required by paragraph (j) of this section, a covered entity must document the sanctions that are applied, if any.
HHS Description The Administrative Requirements: Sanctions |
In § 164.518(e) of the NPRM, we proposed to require all covered entities to develop, and apply when appropriate, sanctions against members of its workforce who failed to comply with privacy policies or procedures of the covered entity or with the requirements of the rule. Covered entities would be required to develop and impose sanctions appropriate to the nature of the violation. The preamble stated that the type of sanction applied would vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information. Sanctions could range from a warning to termination. The NPRM preamble language also stated that covered entities would be required to apply sanctions against business associates that violated the proposed rule.
In the final rule, we retain the requirement for sanctions against members of a covered entity's workforce. We also require a covered entity to have written policies and procedures for the application of appropriate sanctions for violations of this subpart and to document those sanctions. These sanctions do not apply to whistleblower activities that meet the provisions of § 164.502(j) or complaints, investigations, or opposition that meet the provisions of § 164.530(g)(2). We eliminate language regarding business associates from this section. Requirements with respect to business associates are stated in § 164.504.
HHS Response to Comments Received The Administrative Requirements: Sanctions |
Comment: Commenters argued that most covered entities already have strict sanctions in place for violations of a patient's privacy, either due to current laws, contractual obligations, or good operating practices. Requiring covered entities to create a formal sanctioning process would be superfluous.
Response: We believe it is important for the covered entity to have these sanction policies and procedures documented so that employees are aware of what actions are prohibited and punishable. For entities that already have sanctions policies in place, it should not be problematic to document those policies. We do not define the particular sanctions that covered entities must impose.
Comment: Several commenters agreed that training should be provided and expectations should be clear so that individuals are not sanctioned for doing things that they did not know were wrong or inappropriate. A good faith exception should be included in the final rule to protect these individuals.
Response: We agree that employees should be trained to understand the covered entity's expectations and understand the consequences of any violation. This is why we are requiring each covered entity to train its workforce. However, we disagree that a good faith exception is explicitly needed in the final rule. We leave the details of sanctions policies to the discretion of the covered entity. We believe it is more appropriate to leave this judgment to the covered entity that will be familiar with the circumstances of the violation, rather than to specify such requirements in the regulation.
Comment: Some commenters felt that the sanctions need to reach business partners as well, not just employees of the covered entities. These commenters felt all violators should be sanctioned, including government officials and agencies.
Response: All members of a covered entity's workforce are subject to sanctions for violations, including government officials who are part of a covered entity's workforce. Requirements for addressing privacy violations by business associates are discussed in §§ 164.504(e) and 164.530(f).
Comments: Many commenters appreciated the flexibility left to the covered entities to determine sanctions. However, some were concerned that the covered entity would need to predict each type of violation and the associated sanction. They argue that, if the Department could not determine this in the NPRM, then the covered entities should be allowed to come up with sanctions as appropriate at the time of the violation. Some commenters wanted a better explanation and understanding of what HHS' expectation is of when is it appropriate to apply sanctions. Some commenters felt that the sanctioning requirement is nebulous and requires independent judgment of compliance; as a result it is hard to enforce. Offending individuals may use the vagueness of the standard as an defense.
Response: We agree with the commenters that argue that covered entities should be allowed to determine the specific sanctions as appropriate at the time of the violation. We believe it is more appropriate to leave this judgment to the covered entity, because the covered entity will be familiar with the circumstances of the violation and the best way to improve compliance.
Comment: A commenter felt that the self-imposition of this requirement is an inadequate protection, as there is an inherent conflict of interest when an entity must sanction one of its own.
Response: We believe it is in the covered entity's best interests to appropriately sanction those individuals who do not follow the outlined policies and procedures. Allowing violations to go unpunished may lead bigger problems later, and result in complaints being registered with the Department by aggrieved parties and/or an enforcement action.
Comment: This provision should cover all violations, not just repeat violations.
Response: We do not limit this requirement to repeat offenses.