§164.308(a)(1)(ii)(C): Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

Audit Inquiry

Does the entity have policies and procedures in place regarding sanctions to apply to workforce members who fail to comply with the entity’s security policies and procedures?

Does the entity apply appropriate sanctions against workforce members who fail to comply with its security policies and procedures?

Obtain and review documentation of the sanction policies and procedures (which could be an aspect of a larger code of conduct). Evaluate if they contain a reasonable and appropriate process to sanction workforce members for failures to comply with the entity’s security policies and procedures.

Elements to review may include but are not limited to:
• Personnel involved in the sanction process
• Required steps and time period
• Notification steps
• Reason for the sanction
• Identification of the sanctions applied to compliance failures
• Documentation of the sanction outcome

Obtain and review documentation demonstrating sanctions against workforce members. Evaluate and determine whether appropriate sanctions were applied for workforce members that failed to comply with security policies and procedures.

Required/Addressable

Required