04-Sanctions

Approved by: William Voss
Effective: April 1, 2024
Review: Annual
Revised:
Renewed By:
Renewed:

Sanctions

Policy Statement

It is the policy of River City TMS, PLLC that all workforce members must protect the confidentiality, integrity and availability of sensitive information at all times. River City TMS, PLLC will impose sanctions, as described below, on any individual who accesses, uses or discloses sensitive information without proper authorization. River City TMS, PLLC will take appropriate disciplinary action against workforce members, contractors or any individuals who violate River City TMS, PLLC information security and privacy policies or state or federal confidentiality laws or regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Procedure

Workforce members found to have inappropriately disclosed ePHI may be subject to the following sanctions, as determined by the Risk Management Team. Documentation of the workforce member sanction shall be recorded in the Security Log (Appendix M) and the Security Incident Report (Appendix H), and may be recorded in the workforce member file, as appropriate.

Violations §164.308(a)(1)(ii)(C)

Listed below are the types of violations that require sanctions to be applied. They are stated at levels 1, 2, and 3 depending on the seriousness of the violation:

Level | Description of Violation

Level 1

  • Accessing information that you do not need to know to do your job.
  • Sharing computer access codes (username & password). Does not apply to accounting department or deposit team.
  • Leaving a computer unattended while sensitive information is accessible.
  • Disclosing sensitive information to unauthorized persons.
  • Copying sensitive information without authorization.
  • Changing sensitive information without authorization.
  • Discussing sensitive information in a public area or in an area where the public could overhear the conversation.
  • Discussing sensitive information with an unauthorized person.
  • Refusing to cooperate with the Information Security Officer, Privacy Officer, and/or authorized designee.

Level 2

  • Second occurrence of any Level 1 offense (does not have to be the same offense).
  • Unauthorized use or disclosure of sensitive information.
  • Using another person's computer access code (username & password).
  • Failing/refusing to comply with a remediation resolution or recommendation.

Level 3

  • Third occurrence of any Level 1 offense (does not have to be the same offense).
  • Second occurrence of any Level 2 offense (does not have to be the same offense).
  • Obtaining sensitive information under false pretenses.
  • Using and/or disclosing sensitive information for commercial advantage, personal gain, or malicious harm.

 

Recommended Disciplinary Actions §164.308(a)(1)(ii)(C)

In the event that a workforce member violates River City TMS, PLLC privacy and security policies and/or violates the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or related state laws governing the protection of sensitive and patient identifiable information, the following recommended disciplinary actions will apply:

Violation Level | Recommended Disciplinary Action

Level 1

  • Verbal or written reprimand
  • Retraining on privacy/security awareness
  • Retraining on River City TMS, PLLC privacy and security policies
  • Retraining on the proper use of internal or required forms

Level 2

  • Letter of Reprimand* or suspension
  • Retraining on privacy/security awareness
  • Retraining on River City TMS, PLLC privacy and security policies
  • Retraining on the proper use of internal or required forms

Level 3

  • Termination of employment or contract
  • Civil penalties as provided under HIPAA or other applicable Federal/State/Local law
  • Criminal penalties as provided under HIPAA or other applicable Federal/State/Local law

 

Important Note: The recommended disciplinary actions are identified in order to provide guidance in policy enforcement and are not meant to be all-inclusive. If formal discipline is deemed necessary, River City TMS, PLLC shall take appropriate action in the appropriate time frame. When applicable, progressive disciplinary action steps shall be followed, allowing the employee to correct the behavior which caused the disciplinary action.

*A Letter of Reprimand must be reviewed by appropriate management before it is given to the employee.

Exceptions

Depending on the severity of the violation, any single act may result in disciplinary action up to and including termination of employment or contract with River City TMS, PLLC.

Acknowledgment

I, the undersigned workforce member or contractor, hereby acknowledge receipt of a copy of the Sanction Policy for River City TMS, PLLC.

 

Dated this ________ day of _________________, 20____.

 

_______________________________________________

Signature of Employee/Contractor