NRPM: Standards for Privacy of Individually Identifiable Health Information. 9. Sanctions (§164.518(e))


Covered entities would be required to develop and apply sanctions when a member of a covered entity’s work force or business partner fails to comply with the entity’s policies and procedures related to this rule. For a small businesses, these could range from requiring a re-training on privacy, to placing a notation of the violation in an employee’s record, to dismissal or ending a contract with a business partner.