Here is an example from Section IV - Sanctions, addressing sanctions for when employees fail to comply with the policies and procedures:

SANCTIONS

PURPOSE

To ensure there are appropriate sanctions that will be applied to employees who violate the requirements of the HIPAA Privacy Rule and/or the Office=s HIPAA privacy policies and procedures.

POLICY

It is the policy of this Office to discipline employees who fail to comply with the Office=s policies and procedures regarding HIPAA.

PROCEDURE

1. When a concern arises regarding a possible violation of HIPAA or the Office=s policies or procedures related to HIPAA, the Office Privacy Official shall begin an investigation promptly. (See the Policy AComplaints@ regarding conducting an investigation.)

2. If, at the conclusion of the investigation, it is found that a violation of the Office=s policy or procedure has occurred, the employee involved shall be disciplined in accordance with the severity of the violation and the Office's disciplinary policy. Violations can be classified according to intent such as:

a. Level I Violations are those made accidentally or due to a lack of education.

b. Level II Violations are serious violations that are found to show purposeful disregard of Office policy.

3. The Office Privacy Official shall review the circumstances surrounding any substantiated violation and take appropriate action to mitigate, to the extent possible, any harmful effects of the violation.

4. Documentation from the investigation shall be given to the Office Privacy Official to be maintained as a part of the Office=s HIPAA documentation and retained for six years.

5. The disciplinary action report documenting the employee=s violation shall be placed in the employee's personnel file as well as a copy provided to the Office Privacy Official.