What are the Sanctions Requirements Under the HIPAA Privacy Rule?

Modified on Tue, 13 Feb at 6:01 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The HIPAA Privacy Rule contains a sanctions requirement. Under this requirement, a covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of the Privacy Rule or the Breach Notification Rule. This sanctions rule does not apply to a member of the covered entity's workforce with respect to actions that are covered by and that meet the conditions of Privacy Rule section 164.502(j) or paragraph (g)(2) of Privacy Rule section 164.530. These sections pertain to whistleblowers, workforce members who are victims of a crime, and the prohibition on intimidation or retaliation against someone for exercising rights protected by HIPAA.

Covered entities must document sanctions that are applied, if any, in accordance with the Privacy Rule documentation requirement.

