In the October edition of the U.S. Department of Health and Human Services Office for Civil Rights (OCR) cybersecurity newsletter, OCR published a memo regarding the use of “sanction policies” to support HIPAA compliance. Sanction policies establish a framework for HIPAA-regulated entities to sanction employees who violate the entities’ privacy policies and procedures. Reiterating that HIPAA requires regulated entities to adopt sanction policies, OCR’s newsletter provides guidance on how the policies function and what the policies should look like.