What is an Information Security Policy Template?


A HIPAA Information Security Policy Template is a pre-written template document that addresses a particular area of HIPAA Security Rule compliance. The document provides information and guidance on what a covered entity or business associate must do to comply with that area of the Security Rule. For example, a HIPAA Security Policy and Procedure Manual can contain an Information Security Policy Template for Employee Sanctions. The Employee Sanctions Policy sets out how and when to apply sanctions to workforce members who have violated the organization’s security policies and procedures.

What Should be Included in an Information Security Policy Template?

For a healthcare organization or business associate to meet HIPAA Security Rule compliance, the organization must be able to demonstrate that it has policies addressing the Security Rule’s administrative, physical, and technical safeguards. Each category of safeguards contains required standards, and each standard may carry implementation specifications that describe how the standard is to be met.


The Security Rule’s administrative safeguards include, for example, the security management process standard (45 CFR § 164.308(a)(1)). Under this standard, covered entities and business associates must implement policies and procedures to prevent, detect, contain, and correct security violations.

The administrative safeguards also contain implementation specifications describing how an organization is to carry out these policies and procedures. One of them, the sanction policy specification, requires that an organization apply appropriate sanctions (disciplinary measures) against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

An information security policy template addressing the sanctions requirement will state what the organization’s sanctions policy is, when it applies, to whom it applies, and how it applies.

The sanctions policy will state that its terms apply to any workforce member who has violated a security policy or procedure of the organization. The policy will then set out the various levels of sanctions. Sanctions for a workforce member who fails to comply with the organization’s policies and procedures can range from a verbal warning to termination of employment. Once the sanctions policy sets forth the levels of sanctions, the policy then specifies which level of sanction applies to a given violation.

For example, an employee who accidentally views PHI he or she is not authorized to view may receive a milder sanction, such as a verbal or written warning, if the viewing was brief and caused no damage to the organization. An employee who commits this same infraction of accidental viewing for the third time, where the viewing causes damage to the organization (e.g., someone sees the exposed PHI and shares it with people outside the workforce), may receive a more severe sanction, such as a one-week suspension. An employee who deliberately accesses PHI without authorization, causing damage to the organization in the process, can face termination of employment.

By having a sanctions policy that all of its employees must read and acknowledge, an organization has a mechanism for discipline that is administered on an even-handed and uniform basis. The policy, in addition to listing the types of sanctions and the offenses that can result in them, can set forth a grievance process. That is, if an employer wants to give employees a way to appeal a disciplinary action, the employer can include a step-by-step appeal procedure in the sanctions policy. This procedure would outline which types of discipline can be appealed, when an appeal must be made, what must be included in the appeal, and when the organization must make a decision on the appeal.

Having information security policy templates helps ensure that an organization’s workforce understands the organization’s security policies and procedures and knows what is expected of it under those policies and procedures.
