Ensuring Fair and Consistent Staff Sanctions
Healthcare organizations must ensure that their sanctions policies for internal privacy and security breaches are consistent, fair, and objective for all staff members. Organizations that fail to do so send a confusing message to staff, compromise their privacy and security programs, and lose public trust.
The May practice brief “Sanction Guidelines for Privacy and Security Breaches” offers healthcare organizations that manage or service protected health information or individually identifiable health information recommendations for applying sanctions internally when information privacy and security breaches occur.
The brief includes a sample sanctions determination document that organizations can customize for their own investigations and for trending incidents over time. Each incident requires an appropriate investigation, combined with managerial discretion, before a violation is declared.
“No two healthcare organizations will approach sanctioning and enforcement for privacy and security breaches in exactly the same way,” the authors write. “Each healthcare organization needs to show a demonstrated, consistent ability to deal with privacy and security issues in its own way to ensure consumer trust. Inherent to privacy and security professional roles is a firm leadership commitment to consistent policy and enforcement and sanction application for noncompliance.”