HIPAA Sanction Policy: Who Needs to Sign?

By: Dr. Jeff Brown | updated on

Quick answer... every workforce member must sign a HIPAA sanction policy if you are to be HIPAA compliant.

A sanction policy is a contract in which workforce members agree to protect the confidentiality, integrity, and availability of sensitive information at all times. The policy also details the sanctions imposed on any individual who accesses, uses, or discloses sensitive information without proper authorization.

Before looking at the HIPAA sanction policy itself, you need to know what "workforce member" means. A workforce member is anyone whose conduct is under the direct control of the covered entity or business associate and whose job involves the use of patient information. Examples include:

  • Providers
  • Employees
  • Therapists
  • Volunteers
  • Spouse or other family members

Independent contractors can be a little tricky. As a general rule, if a contractor is with you long term and you have direct control over their conduct, then they are most likely a workforce member. This holds true even when someone else pays the contractor's salary. However, if they are short term and do the same or similar work for other businesses, e.g., vacation coverage, then they are likely a business associate.

After determining who within your office is a workforce member, be sure to obtain a signed HIPAA sanction policy agreement from each person. It's ideal to have new workforce members sign the policy before they are given access to PHI.

It has been my experience that many offices don't know about the sanction policy requirement. If you fall into this category, get a sanction policy signed by everyone as soon as possible. HIPAA believes late is always better than never.

The sanction policy itself should be included in your HIPAA policies and procedures manual, and should also be a part of annual HIPAA staff training.

Good news... because you'll be reviewing the HIPAA sanction policy every year during staff training, you only need to get the actual sanction policy document signed one time per workforce member. Here is a sample sanction policy document. This particular sample is very close to the original posted on the HealthIT.gov website within the recommended Information Security Policy Template (policies and procedures manual).

DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice.
