In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Security Management Process). This implementation specification is required.
What to Do
Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
How to Do It
The covered entity must determine appropriate internal sanctions or penalties for violation of its security policies and procedures by workforce members. Sanctions should:
» Deter noncompliant behavior, such as posting passwords on computer hardware or under a desk pad.
» Serve as an incentive for compliance with security policies and procedures.
The appropriate sanctions should follow from the results of the covered entity’s risk analysis: a sanction should be proportionate to the harm the covered entity estimates could result from the kind of security incident the violation makes possible. For example, posting or sharing a password may appear innocuous, but consider the potential harm if someone used that password to gain unauthorized access to electronic protected health information and disclosed it publicly.
The covered entity should state its sanction policy clearly, so that workforce members understand the consequences of violating security policies and procedures before a violation occurs. Sanctions should apply equally to all workforce members, be applied consistently, and be documented when imposed. Workforce members should also understand that the consequences of a violation are not limited to disciplinary action within the covered entity: HIPAA violations can also lead to civil penalties and, in some cases, criminal prosecution.
The HIPAA Administrative Simplification Privacy Rule also requires sanctions against workforce members who fail to comply with its policies and procedures, alongside its own administrative, technical, and physical safeguards standard. The covered entity should make sure that the sanction policies adopted under each Rule are consistent with one another, rather than maintaining two separate schemes that treat similar violations differently.