MedStack Technology Compliance Policies

Disciplinary process

Appropriate, fair and consistent sanctions can

  • have a deterrent influence on workforce transgressions
  • help prevent breaches of PHI
  • help prevent, or reduce the severity of, compliance violations

Apply appropriate sanctions

  • for significant failures to follow established policies and procedures, or for committing various offenses
  • based on the nature and severity of the error or offense
  • using an escalating scale of sanctions based on the highest applicable category of risk
  • less severe sanctions applied to less severe errors and offenses
  • more severe sanctions applied to more severe errors and offenses
  • regardless of the employee’s position in the company

Determine sanction severity based on the following factors

  • Exposure: How much external exposure to sanctions the incident creates for the organization
  • Number involved: How many systems, how much data, how many patients affected, etc.
  • Purpose: Ignorance or lack of education; snooping or curiosity; malice, sale, or personal gain
  • Special protection: Does the incident involve elements with special protection under the law?

Apply sanctions in increasing order of severity

  • Disciplinary process
  • Made an example of
  • Probation
  • Suspension without pay
  • Termination
  • Notify appropriate law enforcement authorities for offenses involving obvious illegal activity

Do not apply sanctions

  • For investigations of disclosures by whistleblowers or victims of a crime
  • For disclosures of information to an authority as required by law
  • To retaliate in case of permitted investigations and disclosures

Immediate termination is justified for

  • theft of company resources
  • intentional lying or deception
  • drug or alcohol abuse while on the job
  • violence against persons or property

Incidents involving customers or suppliers

  • If the incident poses a threat
    • Limit the access of those involved to protect sensitive assets.
  • Customers
    • Report the incident to the customer organization.
  • Vendors
    • Pursue remedies defined by the contract with the supplier.

Enforcement

  • Responsible party: All managers and supervisors
  • Sanctions: standard

References

Code    Section                 Title
ISO     A.7.2.3                 Disciplinary process
HIPAA   164.308(a)(1)(ii)(C)    Sanction policy
SOC2    CC1.1                   COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
SOC2    CC1.5                   COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.