Why HIPAA requires health systems to sanction employees

HIPAA requires hospitals and health systems to sanction employees who don't comply with the healthcare privacy law, DataBreaches.net reported Oct. 20.

The website cited an October HHS cybersecurity newsletter. "An organization's sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection," the agency wrote. "Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failures to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident."

HHS noted that sanction policies are required by both the law's privacy rule and security rule. 

For simple infractions, the penalties could include a written warning for the first sanction, a week's suspension without pay for the second, and dismissal for the third, according to TotalHIPAA.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.