HIPAA - Sanction Policy 164.308(a)(1)(ii)(C)


Overview:
Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.


Action Items:
1) Obtain and review documentation of the sanction policies and procedures (which may be part of a larger code of conduct). Evaluate whether they contain a reasonable and appropriate process to sanction workforce members for failures to comply with the entity's security policies and procedures. Elements to review may include, but are not limited to, the following: personnel involved in the sanction process; required steps and time periods; notification steps; reasons for sanctions; identification of the sanctions applied to specific compliance failures; documentation of the sanction outcome.
2) Obtain and review documentation demonstrating sanctions against workforce members. Evaluate and determine whether appropriate sanctions were applied to workforce members who failed to comply with security policies and procedures, and whether those sanctions were consistent with the documented policy.


Related Documents:
1) Documentation of the sanction policies and procedures
2) Documentation demonstrating sanctions against workforce members.


Additional Guidance:
Appropriate sanctions must be in place so that workforce members understand the consequences of failing to comply with security policies and procedures, which deters noncompliance. This specification applies to both covered entities and business associates.


Sample questions for covered entities to consider:
- Does the covered entity have existing sanction policies and procedures to meet the requirements of this implementation specification? If not, can existing sanction policies be modified to include language relating to violations of these policies and procedures?
- Does the organization require employees to sign a statement of adherence to security policy and procedures (e.g., as part of the employee handbook or confidentiality statement) as a prerequisite to employment?
- Does the statement of adherence to security policies and procedures state that the workforce member acknowledges that violations of security policies and procedures may lead to disciplinary action, for example, up to and including termination?
- Does the sanction policy provide examples of potential violations of policy and procedures?
- Does the sanction policy adjust the disciplinary action based on the severity of the violation?


Article ID: 436
Created: September 28, 2022
Last Updated: September 28, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-sanction-policy-164-308-a-1-ii-c-436.html