• Disciplinary process
  • Metadata
  • Appropriate, fair and consistent sanctions can
  • Apply appropriate sanctions
  • Determine sanction severity based on the following factors
  • Apply sanctions in increasing order of severity
  • Do not apply sanctions
  • Immediate termination is justified for
  • Incidents involving customers or suppliers
  • Enforcement
  • References

Disciplinary process

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31

Appropriate, fair and consistent sanctions can

• have a deterrent influence on workforce transgressions
• help prevent breaches of PHI
• help prevent, or reduce the severity, of compliance violations

Apply appropriate sanctions

• for significant failures to follow established policies and procedures, or commit various offenses.
• based on the nature and severity of the error or offense
• use an escalating scale of sanctions based on the highest category level of risk
• less severe sanctions applied to less severe errors and offenses
• more severe sanctions applied to more severe errors and offenses
• regardless of the employee’s position in the company

Determine sanction severity based on the following factors

• Exposure: How much external exposure to sanctions for the organization
• Number involved: How many systems, how much data, how many patients affected, etc.
• Purpose: Ignorance or lack of education; Snooping or curiosity; Malice, sale, or personal gain
• Special Protection: Does the incident involve elements with special protection under the law.

Apply sanctions in increasing order of severity

• Disciplinary process
• Made an example of
• Probation
• Suspension without pay
• Termination
• Notify appropriate law enforcement authorities for offenses involving obvious illegal activity.

Do not apply sanctions

• For investigations of disclosures by whistleblowers or victims of a crime
• For disclosures of information to an authority as required by law
• To retaliate in case of permitted investigations and disclosures

Immediate termination is justified for

• theft of company resources
• intentional lying or deception
• drug or alcohol abuse while on the job
• violence against persons or property

Incidents involving customers or suppliers

• If the incident poses a threat
  • Limit the access of those involved to protect sensitive assets.
• Customers
  • Report the incident to the customer organization.
• Vendors
  • Pursue remedies defined by the contract with the supplier.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.7.2.3	Disciplinary process
HIPAA	164.308(a)(1)(ii)(C)	Sanction policy (Required)
SOC2	CC1.1	COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
SOC2	CC1.5	COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
SOC2	CC1.5	COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

August 30, 2022

Powered by