HIPAA Privacy - Sanctions 164.530(e)


Overview:
164.530(e)
Sanctions.
All covered entities must sanction workforce members for failing to comply with the Breach Notification Rule.


Action Items:
1) Obtain and review entity policies and procedures to determine if the entity has and applies sanctions consistent with the established performance criterion. Evaluate whether those policies and procedures are consistent with the requirement to sanction a covered entity’s workforce members.
2) Obtain and review documentation of the application of sanctions to a sample of breach notification incidents to determine whether appropriate sanctions were applied. (Note: OCR is not looking for violations in order to take enforcement action; we are restricting our analysis to whether appropriate sanctions consistent with the entity policies have been applied.)


Related Documents:
1) Policies and procedures to determine if the entity has and applies sanctions consistent with the established performance criterion.
2) Documentation of the application of sanctions to a sample of breach notification incidents to determine whether appropriate sanctions were applied.


Additional Guidance:
Covered entities are also required to comply with certain administrative requirements with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.



Article ID: 601
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-privacy-sanctions-164-530-e-601.html