HIPAA Sanction Policy: Who Needs to Sign?
Quick answer: every workforce member must sign a HIPAA sanction policy if you are to be compliant with HIPAA.
A sanction policy is a contract in which workforce members agree to protect the confidentiality, integrity, and availability of sensitive information at all times. The policy also details imposed sanctions on any individual who accesses, uses, or discloses sensitive information without proper authorization.
Before looking at the HIPAA sanction policy itself, you need to know what "workforce member" means. A workforce member is anyone whose conduct is under the direct control of the practice/business and whose job involves the use of patient information. Examples include:
- Spouse or other family members
Independent contractors can be a little tricky. As a (very) general rule, if a contractor is with you long term, and you have direct control over their conduct, then they are likely a workforce member. However, if they are short term and do the same or similar work in other businesses, e.g., vacation coverage, then they are likely a business associate.
After determining who within your office is a workforce member, be sure to obtain a signed HIPAA sanction policy agreement from each person. It's ideal to have new workforce members sign the policy before they are given access to PHI.
It has been my experience that many offices don't know about the sanction policy requirement. If you fall into this category, get a sanction policy signed by everyone as soon as possible. HIPAA believes late is always better than never.
Good news: because you'll be reviewing the HIPAA sanction policy every year during staff training, you only need to get the actual sanction policy document signed one time per workforce member. Here is a sample sanction policy document. This particular sample is very close to the original posted on the H.H.S. website.
by Dr. Jeff Brown
Jeff Brown, DC, is CEO at HIPAAMATE and dedicated to making HIPAA compliance comfortable for small- and medium-sized healthcare practices and business associates. Dr. Brown’s career spans private practice, compliance consulting, and software product management for three healthcare technology companies.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.