Your HIPAA privacy and security officer's checklist probably looks something like this:
That's a pretty good snapshot of the HIPAA checklist these days, in light of new federal laws and regulations in the past year and a compliance date looming in February (when business associates (BAs) must comply with the security rule, and when OCR will begin enforcing breach notification).
However, those same HIPAA officers should add one more "to-do" to that checklist: comply with HIPAA's sanctions requirement. Covered entities must have an internal sanctions policy for workforce members who violate HIPAA.
Some facilities may have rock-solid policies that have been battle-tested. Others need some work, especially in light of new federal sanctions for HIPAA violations, including monetary fines that could total millions at the discretion of the HHS secretary.
HITECH placed violations into tiers:
The more culpable the tier, the higher the monetary fine; the amount within each tier's range is set at the discretion of the HHS secretary.
Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer, St. Dominic Jackson Memorial Hospital, Jackson, MS, says covered entities should consider the HITECH tiers when shaping their internal sanctions policy.
Boggan also spoke at an HCPro, Inc.-hosted audio conference, "HIPAA Internal Sanctions: Adapt Your Policy to Comply with the HITECH Act," on Thursday, December 3.
"Be ever-vigilant in watching for new developments in the year to come," Boggan told HealthLeaders Media. "And be flexible when revising existing policies and procedures so that you not only meet the obligations of the current language revisions, but you are also able to quickly address any additional additions, deletions, or changes to your policies to comply with these ever-changing regulations."
Nancy Davis, privacy/security officer, Ministry Health Care, Sturgeon Bay, WI, and the other speaker on the audio conference, tells HealthLeaders Media, "I would stress that the development of written guidance to address the severity of the incident and the appropriate sanction level goes a long way in promoting consistency when applying HIPAA sanctions to all members of the work force."