Guest Poster: John Brewer is the founder of HIPAAaudit.com. He and his team help physicians run HIPAA-compliant practices in the simplest, most pain-free way.
As previously mentioned, the Sanction Policy is an integral part of Meaningful Use.
What exactly is a Sanction Policy?
Quite simply, it is clarification to your staff…all staff…yes, this includes the physicians, that there are ramifications for breaking company computer policies, specifically HIPAA violations.
First, your practice must have policies. Without knowing the rules, nobody will know if they are breaking them or not.
The computer policies of a practice are the foundation on which your office will operate. The computer policies are separate from the human resources company policies…they are different, but they enhance the HR policies.
For example:
- Which websites can staff go to during business hours?
- Which websites are completely banned?
- Is your staff allowed to check their personal email on office computers?
These are all policies you may think are understood by your staff, but if you do not have these policies in writing AND ensure all staff have signed a document of understanding AND have them sign this document of understanding every year…you will run into trouble.
So, this sanction policy will generally be in addition to any Human Resources sanction policy that exists (it does exist, right?). Remember, this Sanction Policy is geared toward HIPAA violations and computer use violations.
This Sanction Policy should cover:
- Initial reaction to a violation
  - Document the violation
  - Detail the exact violation to the offender
  - Document this communication
  - Initiate any company checklists that may be required depending on the specific violation
- Secondary reaction to a violation
  - Retraining
    - Re-attend Annual Awareness Training
    - Document this re-training
    - Document understanding of the violation
- Repeat violations
  - Repeat violations need to be dealt with in a solid and consistent way
  - How many repeat violations before termination?
  - Is any HIPAA violation a “counter” toward termination, or should it be an exact repeat violation?
  - Is the training for repeat violations different?
As you can see, there are many parts to what appears to be a “single line” requirement within the Core Requirements for Meaningful Use.
Also note, this Sanction Policy originally reared its head in the HIPAA regulations, and yes, it is still a HIPAA requirement. As I expected, the feds are using Meaningful Use to push you toward HIPAA compliance.
Next time, the Risk Analysis (you guessed it, another HIPAA requirement).