This policy is listed for reference only and should be reviewed with your lawyer before implementing it into daily practice. We are not lawyers and are not providing any legal advice.

Security Management Process: Sanction Policy (Required)

Reference: 45 CFR 164.308(a)(1)
Last Updated: July 5, 2023


Goal: Apply appropriate sanctions against team members who fail to comply with the security policies and procedures.

The purpose of the Sanction Policy is:

  • To reinforce the practice’s security policies and procedures.
  • To communicate, beforehand, to all team members (employees, agents, contractors, etc.) the consequences of violating the security or privacy rule.
  • To prevent violations from owners, employees, agents and contractors.
  • To ensure fairness when enforcing disciplinary actions across the workforce.


Procedure: Once the Security Officer has knowledge of an alleged unauthorized use or disclosure of ePHI, he or she shall immediately perform the following steps:

  • Begin a thorough investigation of the unauthorized release. It is recommended that the Security Manager use the “Internal Investigation Form”.
  • If the Security Officer finds that one or more staff members either do not understand or refuse to abide by the existing security policies and procedures, it may be necessary for the Security Officer to recommend disciplinary actions against the transgressors.
  • Management shall determine the severity of the disciplinary actions based on the investigation’s findings.
    • Procedural Offense: Re-training on the policies and procedures governing privacy and security, as well as a verbal reprimand/counseling. Completing an “Employee Warning Report Form” (see the Forms chapter) is highly recommended.
    • Significant Offense: Written reprimand from the immediate supervisor.
    • Serious Offense: Suspension from duties without pay, for a period to be determined by the Administrator/Office Manager, but not to exceed two (2) weeks.
    • Critical Offense: Termination of the employee.
  • The Security Officer will document all breaches of privacy or security and retain the documentation for a period of seven years.
  • No member of the workforce will be subject to sanctions for a disclosure of PHI made in good faith in accordance with the following policies:
    • Disclosure of protected health information by “whistleblowers”
    • Disclosures of protected health information by workforce members who are the victims of a crime (See Notice of Privacy Practices).