This proposed rule is no longer the most current information.
It will continue to be available for reference, but the
final rule has been published. View
the final rule.
Proposed Standards for Privacy and Individually Identifiable Health
Information
5. Sanctions. (§ 164.518(e))
In proposed § 164.518(e), we would require all covered entities
to develop and apply, when appropriate, sanctions for failure to comply
with policies or procedures of the covered entity or with the requirements
of this proposed rule. All members of the workforce who have regular
contact with protected health information should be subject to sanctions,
as would the entity's business partners. Covered entities would
be required to develop and impose sanctions appropriate to the nature
of the issue. The type of sanction applied would vary depending
on factors such as the severity of the violation, whether the violation
was intentional or unintentional, and whether the violation indicates
a pattern or practice of improper use or disclosure of protected
health information. Sanctions could range from a warning to termination.
We considered specifying particular sanctions for particular kinds
of violations of privacy policy, but rejected this approach for
several reasons. First, the appropriate sanction will vary with
the entity's particular policies. Because we cannot anticipate
every kind of privacy policy in advance, we cannot predict the response
that would be appropriate when that policy is violated. In addition,
it is important to allow covered entities to develop the sanctions
policies appropriate to their business and operations.