§164.530(e)(1) Standard: Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part. This standard does not apply to a member of the covered entity’s workforce with respect to actions that are covered by and that meet the conditions of § 164.502(j) or paragraph (g)(2) of this section.
(2) Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity must document the sanctions that are applied, if any.
Audit Inquiry
Does the covered entity apply appropriate sanctions against members of the workforce who fail to comply with the privacy policies and procedures of the entity or the Privacy Rule?
Obtain and review policies and procedures to determine if the entity has and applies sanctions consistent with the established performance criterion.
Obtain and review documentation of the application of sanctions to a sample of workforce members to determine whether appropriate sanctions were applied. (Note: OCR is not looking for violations in order to take enforcement action; we are restricting our analysis to whether appropriate sanctions consistent with the entity policies have been applied.)