HIPAA Sanctions Policy
Why a HIPAA sanctions policy matters
HIPAA §164.308(a)(1)(ii)(C) is short but mandatory: covered entities and business associates must "apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate." It is one of the required implementation specifications within the Security Management Process standard — there is no addressable alternative. Either you have a sanctions policy that you actually enforce, or you are out of compliance.
The purpose of the policy is twofold. First, it deters policy violations by making consequences explicit. Second, it creates an auditable record that the organization takes its HIPAA obligations seriously — which matters not only during OCR investigations but also during customer security reviews, where a consistently enforced sanctions policy signals a mature program.
For the broader context of administrative safeguards, see the HIPAA Security Rule guide and the HIPAA hub page.
What the rule actually requires
§164.308(a)(1)(ii)(C) requires three things.
- A written sanctions policy that applies to workforce members who fail to comply with security policies and procedures.
- Consistent application of that policy when violations occur.
- Documentation of sanctions imposed, retained for at least six years.
The rule does not prescribe specific sanctions. OCR guidance and enforcement history make clear that sanctions must be proportionate to the violation, applied consistently regardless of seniority, and documented in a way that survives personnel changes.
The Privacy Rule at §164.530(e) imposes a parallel sanctions obligation for violations of the Privacy Rule. Most programs write a single policy that covers both Security and Privacy Rule violations, which simplifies administration and messaging.
Defining what counts as a violation
A sanctions policy is only enforceable if workforce members know what would trigger it. Your policy should enumerate representative categories of violations, not an exhaustive list.
- Unauthorized access to PHI. Looking up a patient, customer, or co-worker's record without a legitimate business reason.
- Improper disclosure of PHI. Sharing PHI with a person not authorized to receive it — including family members, friends, or unvetted vendors.
- Policy shortcuts. Sharing passwords, disabling multi-factor, using personal email to send PHI, or loading PHI onto unencrypted personal devices.
- Failure to report. Knowing about a suspected breach and failing to report it through the documented incident path.
- Retaliation. Punishing or discouraging a workforce member who reports a suspected HIPAA violation in good faith.
- Willful misuse. Selling, altering, or destroying PHI for personal gain, curiosity, or malice — the category that most often triggers criminal penalties.
Define each category in plain language and reference the underlying HIPAA requirement. That linkage matters: if you later sanction someone for "unauthorized access," the violation cited in the record should be clearly tied to the written policy.
Progressive discipline
Progressive discipline is the most common sanctions structure because it scales fairly across a wide range of violations. A typical ladder looks like this.
Step 1 — Verbal counseling plus retraining
For minor, first-time, accidental violations — for example, a new workforce member sending PHI over unencrypted email because they misunderstood the acceptable use policy — verbal counseling plus targeted retraining is usually appropriate. Document the conversation, the retraining completed, and the workforce member's acknowledgment.
Step 2 — Written warning
For repeated minor violations or a first violation that created real but containable risk, a written warning enters the workforce member's HIPAA file. The warning cites the policy, describes the behavior, and specifies what must change.
Step 3 — Suspension and access review
For significant violations — for example, unauthorized access to the record of a person known to the workforce member — consider suspending system access pending investigation, conducting a full access review, and retraining before reinstatement. Suspension communicates that the organization distinguishes between carelessness and deliberate policy breach.
Step 4 — Termination
For egregious, willful, or repeated violations, termination is the appropriate sanction. Terminations tied to PHI misuse should include immediate revocation of all access, legal review, and consideration of law enforcement referral. Where the facts warrant it, report to OCR under the breach notification rule.
Step 5 — Referral for criminal prosecution
Willful misuse of PHI for personal gain, transfer for commercial advantage, or malicious harm can trigger criminal penalties up to $250,000 and 10 years of imprisonment under 42 USC §1320d-6. Coordinate with counsel before any referral, but do not treat this as theoretical — OCR has publicly pursued these cases.
Consistency is the hardest part
The policy works only if it applies the same way across the organization. OCR resolution agreements consistently cite inconsistent sanctions as evidence of a broken program. Two patterns create the most exposure.
- Status asymmetry. A junior employee is sanctioned for accessing a record they should not have seen, while a senior clinician or executive commits the same violation and is counseled informally. The gap undermines every sanction that follows.
- Context asymmetry. The same violation is treated as minor when it comes from the CEO's favorite team and serious when it comes from another. Both asymmetries are visible in the long tail of sanction records.
Build a review step into serious sanctions. A short panel — legal, HR, and the privacy or security official — can ensure consistency across cases and create a defensible record of deliberation.
Documentation that survives audit
Your sanctions records should answer five questions without ambiguity.
- Who was sanctioned? Keyed to a unique workforce identifier.
- What happened? A factual narrative of the violation, including systems involved, PHI at risk, and how it was discovered.
- Which policy was violated? The specific section of the sanctions policy and any underlying security or privacy policies.
- What sanction was applied? The specific action, its effective date, and any conditions (retraining, access review, probation).
- Who approved it? Signatures from the approving manager, HR, and — for serious sanctions — the privacy or security official.
Retain these records for at least six years. Keep them in a location separate from general HR files so they can be produced without exposing unrelated personnel information.
How this fits into your HIPAA program
A sanctions policy is part of a connected set of administrative safeguards. It pairs with workforce training, because you cannot fairly sanction a workforce member for a policy they were never taught. It pairs with the minimum necessary rule, because role-based access is only enforceable if violations carry consequences. It pairs with audit controls, because audit logs surface the unauthorized access patterns that sanctions are intended to address.
It also pairs with your breach response. Many sanctions cases begin as incident investigations, and the quality of the investigation — the evidence captured, the systems reviewed, the timeline reconstructed — determines whether the sanction will hold up in a subsequent dispute.
Common pitfalls
- Policy in a drawer. A sanctions policy exists, but no one at the organization can name a single case where it was applied. Either violations are being missed or they are being handled inconsistently.
- No escalation path. Managers apply informal sanctions on their own without involving HR, legal, or the privacy or security official, creating inconsistent outcomes and poor documentation.
- Sanctions are treated as HR-only. The privacy officer learns about a PHI misuse case months later, after OCR reporting windows have closed.
- Retaliation risk. A workforce member who reports a suspected violation is later sanctioned for an unrelated performance issue, creating the appearance of retaliation. Separate the processes visibly.
- Contractor gaps. The policy covers employees but not contractors with equivalent access, even though HIPAA's definition of workforce covers both.
- Missing sanctions for senior staff. No executive has ever been sanctioned, even after clear policy violations. During audits this is a leading indicator of selective enforcement.
How episki helps
episki ties sanctions records directly to the workforce member, the policy they violated, and the systems involved — so sanctions feed your broader HIPAA program instead of living in a siloed HR folder. Pre-built templates cover progressive discipline, documentation requirements, and escalation routing; workflow automation routes serious cases to the privacy or security official; and retention timers keep sanction records available for the full six-year window.
See the full HIPAA platform overview or start a free trial from the top of the hub page.