Disciplinary process
MedStack Confidential
Metadata
- responsible officer: CTO
- date
  - effective: 2018-06-20
  - revised: 2018-04-10
  - reviewed: 2018-06-20
Appropriate, fair and consistent sanctions can
- have a deterrent influence on workforce transgressions
- help prevent breaches of PHI
- help prevent, or reduce the severity of, compliance violations
Apply appropriate sanctions
- for significant failures to follow established policies and procedures, or for committing various offenses
- based on the nature and severity of the error or offense
- use an escalating scale of sanctions based on the highest category level of risk
- less severe sanctions applied to less severe errors and offenses
- more severe sanctions applied to more severe errors and offenses
- regardless of the employee’s position in the company
Determine sanction severity based on the following factors
- Exposure: How much external exposure to sanctions the organization faces
- Number involved: How many systems, how much data, how many patients affected, etc.
- Purpose: Ignorance or lack of education; Snooping or curiosity; Malice, sale, or personal gain
- Special Protection: Does the incident involve elements with special protection under the law?
Apply sanctions in increasing order of severity
- Disciplinary process
- Made an example of
- Probation
- Suspension without pay
- Termination
- Notify appropriate law enforcement authorities for offenses involving obvious illegal activity.
Do not apply sanctions
- For investigations of disclosures by whistleblowers or victims of a crime
- For disclosures of information to an authority as required by law
- To retaliate in case of permitted investigations and disclosures
Immediate termination is justified for
- theft of company resources
- intentional lying or deception
- drug or alcohol abuse while on the job
- violence against persons or property
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.7.2.3 | Disciplinary process | There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. |
| HIPAA | 164.308(a)(1)(ii)(C) | Sanction policy | (1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. |