1. The policy and procedures should be developed, documented, and approved by organizational leadership including legal, compliance, risk management, human resources, medical staff services, and others as applicable.
2. The policy should be written in a format that can accommodate ongoing updates to reflect modifications to the regulations, accreditation standards, and other organizational policies, including, but not limited to, federal regulations (e.g., HIPAA, HITECH), state regulations (e.g., data breach notification laws, health codes), and accreditation standards (e.g., Joint Commission).
3. The policy should be aligned with other related organizational policies and contracts to ensure consistency across the organization, including, but not limited to, human resources policies and contracts, medical staff bylaws and rules and regulations, union contracts, vendor contracts, and business associate agreements.
4. The policy should be subject to defined oversight with defined reporting responsibility. A possible model would include an ad-hoc sanctions committee that reports to the privacy and security committee, which in turn reports to the compliance and oversight committee, and up to the audit and compliance committee of the board of trustees (see the figure “Sample Reporting Structure” on page 70).
5. The policy should be communicated and accessible to all workforce members (e.g., posted on the organization’s intranet, available in the policy manual, distributed to staff, and featured in workforce training).
6. The policy should address the appropriateness of applying the HITECH breach notification sanctions process if it is determined that unauthorized access, use, disclosure, or destruction has occurred.
7. The policy should address investigations of disclosures made by workforce members who are whistleblowers or victims of a crime as potential nonviolations. Examples of these types of disclosures include, but are not limited to, a workforce member acting in good faith who:
   • Believes that the organization has engaged in conduct that is unlawful or otherwise violates professional or clinical standards; or believes that the care, services, and conditions provided by the organization potentially endanger one (or more) patients, workforce members, or other members of the general public
   • Discloses PHI to a federal or state health oversight agency or public health authority authorized by law to oversee the relevant conduct or conditions of the organization
   • Discloses PHI to an appropriate healthcare accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the organization
   • Discloses PHI to an attorney retained by or on behalf of the workforce member for the purpose of determining legal options regarding disclosure conduct
Practice Brief
8. The policy should address the organization’s position on retaliatory action against a workforce member to ensure it does not intimidate, threaten, coerce, or discriminate against an individual who participates in the following activities:
   • Files a complaint within the organization
   • Files a complaint with the secretary of Health and Human Services
   • Testifies, assists, or participates in an investigation, compliance review, proceeding, or hearing
   • Opposes any act or practice unlawful under state and federal regulations, providing that the individual acted in good faith believing that the practice was unlawful, the manner of opposition was reasonable, and the individual’s opposition did not involve disclosure of patient PHI in violation of regulations
9. The policy should address retention of pertinent sanctioning documentation according to state and federal requirements, including organizational policy. (Note: the HIPAA privacy rule requires a minimum retention of six years.)
Defining Workforce Members, Terms, and Process
An organization’s sanctions policy and enforcement provisions must be broad enough to encompass all workforce members who have access to PHI that is created and maintained by the organization.† Workforce members, as defined by HIPAA, include employees, volunteers, trainees, and other persons whose conduct in the performance of work for a covered entity is under the direct control of such entity whether or not they are paid by the covered entity. This includes, but is not limited to:
Organizations must clearly define key terms in their sanctions policies, identifying violation categories and their respective sanctions (based on category). A clear sanction process will enable consistent enforcement across the organization.† Consistent enforcement will prevent decisions from being overturned on appeal both internally and at administrative law hearings.