Kirsten Peremore
October 24, 2023
The HHS OCR released the October 2023 OCR Cybersecurity Newsletter, providing guidance on the role of sanction policies in enforcing HIPAA compliance and improving cybersecurity.
The newsletter, titled "How Sanction Policies Can Support HIPAA Compliance," offers guidance to healthcare providers on implementing sanction policies in organizations of various sizes.
The document highlights:
In the newsletter, the OCR highlighted the results of separate investigations in 2017 and 2018. The first case offered the following insight into the repercussions of applying sanction policies inconsistently: "OCR found evidence that the regulated entity potentially 'impermissibly disclosed the patient's PHI through press releases issued to fifteen media outlets and/or reporters,' and senior leaders disclosed the patient's PHI to advocacy groups and in a published statement on their website."
The OCR also found evidence that the regulated entity potentially "failed to document timely the sanctions imposed against members of its workforce who failed to comply with its privacy policies and procedures or the Privacy Rule."
The second case revealed: "the…OCR found evidence of a potential violation of the sanction requirements when a workforce member allegedly disclosed PHI to a reporter, and then the regulated entity allegedly failed to apply appropriate sanctions against its Workforce Member who failed to comply with the entity's privacy policies and procedures and the Privacy Rule."
The impact of well-implemented sanction policies on cybersecurity in the healthcare sector is substantial. These policies ensure compliance with HIPAA regulations and cultivate a culture of accountability and heightened awareness among healthcare workforce members. By clearly communicating the expectations and consequences of non-compliance, sanction policies promote a proactive approach to cybersecurity. Their flexibility in design and consistent enforcement contribute to an effective defense against evolving threats.
The next step is a proactive and comprehensive approach to healthcare cybersecurity. Healthcare providers should continue to refine and implement effective sanction policies to ensure HIPAA compliance, promote accountability, and bolster data protection. They must also stay vigilant in the face of evolving cyber threats, adapting their policies and practices to address emerging risks.