Assigning a HIPAA Security Officer is one of the mandates of HIPAA as indicated in 45 CFR § 164.308 (a) (2). It specifically states "Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart ['Administrative safeguards'] for the covered entity or business associate."
One of the major responsibilities of a Security Officer is leading the organization in preparation for Security Incidents, and formulating and implementing Sanction Policy.
A Security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system (45 CFR § 164.304).
Security Incidents may vary on their degree of severity, from what an organization's policy may categorize as marginal incidents, serious incidents, or severe and grave incidents. The organization may also classify a Security Incident as "Intentional" or "Unintentional." The third classification that can also be considered is the frequency and interval of the incident, such as, "Second Security Incident employee infraction in 24 months."
It is crucial for an organization to determine and categorize or classify a Security Incident so that they may have a carefully formulated, prepared, and well-thought-out Sanction Policy.
If there is one thing that we may count on the HIPAA mandate, is that an organization MUST always anticipate, strategize, and create "a plan of action" – in other words, "Policies and Procedures." Formulating a Sanction Policy is one of them.
45 CFR § 164.308 (a) (1) (ii) (C) of the Administrative safeguards states "Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate."
In other terms, each organization must have a disciplinary action policy and procedures applicable to each corresponding infraction.
Security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system
45 CFR § 164.304
The sanction will vary depending on the type or classification of the employee's violation, as an example:
HIPAA does not impose particular labels for the categorization of Security Incidents of each organization, and the corresponding Sanctions that the latter should adopt and enforce. This stems from the principle that each organization's set-up and resources may vary from one another. However, prudent and methodical planning, coupled with ethical judgment must be observed as these are formulated.
Let us end this brief discussion, with a sample scenario and a question, to practice knowledge and familiarity of your organization’s Sanction Policies as it relates to Security Incidents.
Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate
45 CFR § 164.308 (a) (1) (ii) (C)
Jessica, an LPN, has been working for 3 years at ABC Hospice. She sees a newly admitted patient, who happens to be her former neighbor. Although Jessica is not directly involved in the care of this particular patient, she took it upon herself to view said patient's medical records including the patient's health history and current medical management records. When the unit supervisor found out about this incident and asked Jessica why she viewed the patient's chart, Jessica replied, "I know the patient, we used to be good neighbors."
If you are the unit supervisor in the mentioned scenario, what will be your next step?
If you are not sure of your answer(s), this might be a good time to check with your HIPAA Security Officer and check your organization’s Sanction Policy.