
HIPAA Understood: 164.308(a)(1)(ii)(C) Sanction Policy

This series is intended to help those required to be in compliance with HIPAA understand what is required of them. Regulatory standards are often difficult to understand because they are worded vaguely. By the end of this series, you will have a better understanding of what HIPAA requires of you. In addition, I will provide suggestions on how to achieve compliance based on what I have seen work most effectively.


So, you’ve written some policies, established some standard operating procedures, and defined the do’s and don’ts for your employees. Now how can you ensure your administrative controls are enforceable and taken seriously? The answer is to implement a mechanism for reprimanding those who are found to be in violation of those administrative controls. Not only is this good practice, it is a requirement of HIPAA, as stated in:

“164.308(a)(1)(ii)(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”

As stated, this rule requires that you have a policy specifying that your employees must abide by established administrative controls and that, if they do not, they will be subject to sanctions (punishment). The limits of the sanctions can be set by the organization, but they will typically consist of progressive steps, beginning with warnings (verbal and written) and escalating to termination or even prosecution depending on the severity of the offense. Even with a progression in place, certain violations will warrant skipping one, several, or all of the earlier steps and terminating the employee on the first offense. I recommend consulting your legal representation when determining sanctions.

Just having these sanctions documented is not enough. You need to ensure that all your employees read the policy, understand it, and acknowledge their understanding. There are several ways to approach this, but I recommend one I have seen to be tried and true. When employees are onboarded, they are required to read a policy set (or handbook) containing all relevant information pertaining to the organization. The sanction policy should be included in this material, and each employee should sign a statement of understanding. As with everything in HIPAA, if it isn’t documented, it doesn’t exist.