Practice Operations

Sanction Policies: What Has to Happen When a Staff Member Snoops

A medical assistant looks up a neighbor's chart. Nothing is shared, nothing is stolen, and no data leaves the building. HIPAA still requires your practice to have a sanction policy and to apply it. That requirement appears twice, in two different rules, and both times it is mandatory rather than optional. What the rules conspicuously do not do is tell you what the penalty should be — which means the work of a sanction policy is deciding in advance, in writing, and then actually following the thing you wrote.

HIPAA requires a sanction policy twice

This surprises people, and it is the single most useful structural fact about sanctions. There are two separate requirements, in two separate rules, covering two different sets of policies.

Security RulePrivacy Rule
Cite45 CFR 164.308(a)(1)(ii)(C)45 CFR 164.530(e)(1)
LabelRequired implementation specificationStandard
Covers failure to comply withthe security policies and proceduresthe privacy policies and procedures, or the requirements of the subpart
Applies tocovered entities and business associatescovered entities
Documentationvia 164.316(b)164.530(e)(2) — document the sanctions applied, if any

The Security Rule version reads: “Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.” It is labeled Required, not Addressable — so there is no documented-alternative route. You do it.

The Privacy Rule version reads: “A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part.”

The snooping MA in the opening sits squarely in the Privacy Rule version and, depending on how it happened, quite possibly the Security Rule version too. In practice most offices write one policy covering both. That is sensible — just make sure its scope actually reaches both, because the two provisions describe different failures.

The rule does not tell you the penalty

Both provisions use one word to describe the sanction: appropriate. That is the entire specification.

There is no mandated first-offense penalty. No required termination for snooping. No federal schedule of offenses and consequences. Anyone who tells you “HIPAA requires termination for X” is describing their own policy, or someone else's, and calling it the law.

This is genuine latitude, and it is also where practices get themselves in trouble — not by choosing the wrong penalty, but by having no scale at all and improvising per incident. Improvisation produces inconsistency, and inconsistency is what looks bad later: two similar incidents, two different outcomes, and no written basis for the difference.

A workable scale distinguishes by intent and consequence, and is written down before you need it:

  • Accidental — opened the wrong chart from a similar name, closed it immediately, reported it. Retraining and a documented conversation.
  • Careless — left a session open at the front desk, shared a password to save time. Formal warning, retraining, and fix the condition that invited it.
  • Curious — deliberately looked up a neighbor, a coworker, an ex, or a local celebrity with no work reason. This is the classic case, and it is intentional. Serious discipline.
  • Malicious — accessed with intent to use, share, or sell. Termination, and this is where you involve counsel about reporting obligations.

Those tiers are a reasonable structure, not a regulatory requirement. The requirement is that you decide, that the decision is written, and that you apply it.

“Have and apply

The Privacy Rule's phrasing is precise and worth dwelling on: have and apply. Two verbs, two obligations.

A binder containing a sanction policy that has never been used is not compliance with a provision requiring you to apply sanctions. The most common failure here is not a bad policy. It is a good policy that management declines to use, usually for entirely human reasons: the employee is well-liked, the practice is short-staffed, the neighbor did not complain, it feels disproportionate.

Those pressures are real. The rule does not care about them, and neither will anyone reviewing your file afterward. The rule requires you to apply appropriate sanctions.

The corollary is a design principle: write a policy you will actually be willing to follow on a bad Tuesday. An unrealistically severe policy is worse than a moderate one, because it will be quietly ignored, and a policy ignored once is a policy that no longer sets any expectation for anyone.

You have to be able to find out

A sanction policy only functions if snooping is detectable, and two Required provisions sit directly behind it.

45 CFR 164.312(b), Audit controls — implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

45 CFR 164.308(a)(1)(ii)(D), Information system activity review (Required) — implement procedures to regularly review records of information system activity, “such as audit logs, access reports, and security incident tracking reports.”

Note the word regularly. Most practices have logs. Far fewer read them on any schedule. A log that is only pulled after a complaint means your detection depends entirely on someone noticing and speaking up — which, for the neighbor-lookup case, is unlikely by construction. Nobody knows to complain about a chart view they never saw.

There is also a dependency worth naming: 45 CFR 164.312(a)(2)(i), Unique user identification, is Required. Shared logins make attribution impossible, and a sanction policy without attribution is unenforceable. If your front desk shares a credential, you do not have a sanctions problem to solve yet — you have an identity problem, and it is upstream of everything in this article.

The other half is training. 164.308(a)(5) requires a security awareness and training program for all workforce members including management, and 164.530(b) requires training on privacy policies and procedures — for each new member within a reasonable period after joining, and for anyone whose functions are affected by a material change in policy, within a reasonable period after the change takes effect. Sanctioning someone for a rule they were never taught is both unfair and hard to defend.

Mitigation is a separate obligation

Disciplining the employee does not close the incident, and this is the step most often skipped.

45 CFR 164.530(f), Mitigation: a covered entity “must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate.”

Note that it reaches your business associates' violations too, where the harmful effect is known to you.

On the security side, 45 CFR 164.308(a)(6)(ii), Response and reporting, is Required: identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents known to the entity; and document security incidents and their outcomes.

So an internal snooping incident generates several distinct obligations that people tend to collapse into one: sanction the workforce member, mitigate the harm to the extent practicable, document the incident and its outcome, and separately assess whether it is a breach requiring notification — which is its own analysis under its own rules and is not covered here. Do not let “we handled the employee” stand in for the rest.

The people you cannot sanction

There is a carve-out, it is explicit, and getting this wrong converts an HR decision into a violation.

45 CFR 164.530(e)(1) says the sanctions standard “does not apply to a member of the covered entity's workforce with respect to actions that are covered by and that meet the conditions of § 164.502(j) or paragraph (g)(2) of this section.” 164.502(j) is the whistleblower and workforce member crime victim provision.

Alongside it, 164.530(g)(1) prohibits a covered entity from intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against any individual for exercising a right established by the subpart, or for participating in a process it provides, including the filing of a complaint.

And 164.530(h) bars requiring individuals to waive their rights as a condition of treatment, payment, enrollment, or eligibility.

Practically: before you sanction anyone in connection with a disclosure, ask whether the conduct was a protected action. An employee who reported a concern is not automatically a policy violator, and treating a complaint as an offense is a distinct violation of 164.530(g)(1) sitting on top of whatever you thought you were addressing.

What to document, and for how long

164.530(e)(2): a covered entity must document the sanctions that are applied, if any.

164.530(j)(1): if an action, activity, or designation is required to be documented, maintain a written or electronic record of it. 164.530(j)(2): retain that documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.

The Security Rule mirrors this at 164.316(b)(2)(i) — six years, same formula — and adds two things worth remembering: 164.316(b)(2)(ii) requires documentation to be available to those responsible for implementing the procedures, and 164.316(b)(2)(iii) requires periodic review and update.

Six years is longer than most staff tenures and longer than most people's memory of why a decision was made. Record enough that a stranger reading the file in 2032 can follow it: what happened, how you found out, what your analysis was, what you decided, what you did to mitigate, and why this outcome fits the policy. That last clause is what makes a pattern of decisions look consistent instead of arbitrary.

Building a policy that survives contact

  1. Cover both rules. Security policies at 164.308(a)(1)(ii)(C) and privacy policies at 164.530(e)(1). One document is fine; check its scope reaches both.
  2. Write the scale before you need it. Intent and consequence are the useful axes.
  3. Write something you will actually apply. The severe policy nobody uses teaches your staff that none of it is real.
  4. Fix detection first. Unique logins, then audit controls, then a review that happens on a schedule.
  5. Train before you enforce — 164.308(a)(5) and 164.530(b), including after material policy changes.
  6. Build in the carve-out check. Protected action? Stop and get advice.
  7. Do the mitigation step, per 164.530(f), and document the incident and its outcome per 164.308(a)(6)(ii).
  8. Document and retain six years — 164.530(j)(2) and 164.316(b)(2)(i).
  9. Apply it consistently, and make the file show why like cases came out alike.

The point of a sanction policy is not to punish people. It is to make the expectation credible before anyone tests it, and to make the response predictable when someone does. A practice where staff know the chart is watched and the rule is real has fewer incidents to sanction, which is the actual goal.

Common questions

Does HIPAA require a sanction policy?

Yes, and it requires one twice. The Security Rule at 45 CFR 164.308(a)(1)(ii)(C) has a Sanction policy implementation specification labeled Required: apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. Separately, the Privacy Rule at 45 CFR 164.530(e)(1) requires a covered entity to have and apply appropriate sanctions against members of its workforce who fail to comply with its privacy policies and procedures or the requirements of the subpart. Neither is addressable. Both are mandatory.

What sanction does HIPAA require for snooping in records?

The rules do not prescribe any specific penalty. Both provisions use the word appropriate and stop there: 45 CFR 164.308(a)(1)(ii)(C) requires appropriate sanctions, and 45 CFR 164.530(e)(1) requires appropriate sanctions. There is no mandated tier of discipline, no required termination, and no schedule of offenses in the regulation. What is required is that you have a policy, that you apply it, and under 45 CFR 164.530(e)(2) that you document the sanctions that are applied, if any.

Do I have to document a sanction if I decide not to discipline someone?

45 CFR 164.530(e)(2) requires a covered entity to document the sanctions that are applied, if any. The phrase if any means the documentation requirement attaches to sanctions that were applied. In practice, recording your analysis and the outcome even when no sanction is imposed is what demonstrates the policy was actually applied rather than ignored, and it evidences consistent treatment across similar incidents. Separately, 45 CFR 164.308(a)(6)(ii) requires you to identify and respond to suspected or known security incidents, mitigate harmful effects to the extent practicable, and document security incidents and their outcomes.

Are there employees you cannot sanction under HIPAA?

Yes. 45 CFR 164.530(e)(1) states the Privacy Rule sanctions standard does not apply to a workforce member with respect to actions that are covered by and meet the conditions of 45 CFR 164.502(j), the whistleblower and workforce member crime victim provision, or 45 CFR 164.530(g)(2). Separately, 45 CFR 164.530(g)(1) prohibits a covered entity from intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against an individual for exercising a right under the subpart or for participating in a process it provides, including filing a complaint. Sanctioning someone for a protected action is itself a violation.