Stay Vigilant to Comply with HIPAA's Internal Sanction Regulation
Your HIPAA privacy and security officer's checklist probably looks something like this:
- Construct a breach notification policy
- Update business associate (BA) contracts
- Find all BAs in the system
- Educate staff members about HITECH Act
- Determine if encryption is necessary to safeguard data flowing through network
That's a pretty good snapshot of the HIPAA checklist these days, in light of the new federal laws and regulations of the past year and a compliance date looming in February, when BAs must comply with the security rule and when OCR will begin enforcing breach notification.
However, those same HIPAA officers should add one more "to-do" to that checklist: Comply with HIPAA's internal sanction regulation. Covered entities must have an internal sanctions policy for HIPAA violations.
Some facilities may have rock-solid policies that have been battle-tested. Others need some work, especially in light of new federal sanctions for HIPAA violations, including monetary fines that could total millions at the discretion of the HHS secretary.
HITECH placed violations into tiers:
- Tier A is for cases in which offenders didn't realize they violated the Act and would have handled the matter differently if they had
- Tier B is for violations "due to reasonable cause, and not to willful neglect," though HHS still must define "reasonable cause"
- Tier C is for infringements that the organization corrected, but were due to willful neglect
- Tier D is for violations due to willful neglect that the organization did not correct
The lower the tier, the higher the monetary fine, all controlled by the HHS secretary.
Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer, St. Dominic Jackson Memorial Hospital, Jackson, MS, says covered entities should consider the HITECH tiers when shaping their internal sanctions policy.
Boggan also spoke at an HCPro, Inc.-hosted audio conference, "HIPAA Internal Sanctions: Adapt Your Policy to Comply with the HITECH Act," on Thursday, December 3.
"Be ever-vigilant in watching for new developments in the year to come," Boggan told HealthLeaders Media. "And be flexible when revising existing policies and procedures so that you not only meet the obligations of the current language revisions, but you are also able to quickly address any additional additions, deletions, or changes to your policies to comply with these ever-changing regulations."
Nancy Davis, privacy/security officer, Ministry Health Care, Sturgeon Bay, WI, and the other speaker on the audio conference, tells HealthLeaders Media, "I would stress that the development of written guidance to address the severity of the incident and the appropriate sanction level goes a long way in promoting consistency when applying HIPAA sanctions to all members of the work force."
Dom Nicastro is a senior managing editor at HCPro, Inc. in Danvers, MA. He edits the Briefings on HIPAA newsletter and manages the HIPAA Update Blog. E-mail him at dnicastro@hcpro.com.
