Goal: Apply appropriate sanctions against team members who fail to comply with the security policies and procedures.
The purpose of the Sanction Policy is:
- To reinforce the practice's security policies and procedures.
- To communicate, beforehand, to all team members (employees, agents, contractors, etc.) the consequences of violations of the security or privacy rule.
- To prevent violations by owners, employees, agents and contractors.
- To ensure fairness when enforcing disciplinary actions across the workforce.
Procedure: Once the Security Officer has knowledge of an alleged unauthorized use or disclosure of ePHI, he or she shall immediately perform the following steps:
- Begin a thorough investigation of the unauthorized release. It is recommended that the Security Manager use the "Internal Investigation Form".
- If the Security Officer finds that one or more staff members either do not understand or refuse to abide by the existing security policies and procedures, then it may be necessary for the Security Officer to recommend disciplinary actions against the transgressors.
- Management shall determine the severity of the disciplinary actions based on the investigation's findings.
- Procedural Offense: Re-training on the policies and procedures governing privacy and security as well as a verbal reprimand/counseling. Completion of an "Employee Warning Report Form" (see Forms' Chapter) is highly recommended.
- Significant Offense: Written reprimand from the immediate supervisor.
- Serious Offense: Suspension from duties without pay, for a period to be determined by the Administrator/Office Manager, but not to exceed two (2) weeks.
- Critical Offense: Termination of the employee.
- The Security Officer will document all breaches of privacy or security and retain the documentation for a period of seven years.
- No member of the workforce will be subject to sanctions for a disclosure of PHI made in good faith in accordance with the following policies:
- Disclosure of protected health information by "whistleblowers"
- Disclosures of protected health information by workforce members who are the victims of a crime (See Notice of Privacy Practices).