8 Enforcement: When Influence Fails
8.1 Objectives and Discussion Questions
Enforcement and discipline is our last element. We will consider both internal and external enforcement. Both are important, but both come too late. To be credible, this element needs visibility and consistency. Internally, HR is a core partner with compliance on this work. Externally, the compliance function is often engaged in the corrective action outlined in a settlement agreement.
Discussion Questions:
1. What did enforcement look like in your scandal?
2. Why might a corporation NOT want to agree to a Deferred Prosecution Agreement like we saw in the RXT case?
3. In the hypo, should the company adopt a "zero tolerance" stance? Why or why not?
8.2 Internal Enforcement: Role of Compliance, Philosophy
8.2.1. November2024_Employee-Discipline-Checklist
8.2.2. Improving the Relationship Between Compliance and HR - Some Suggestions for Compliance Professionals
8.2.3 Hypo: Should we use zero tolerance?
Facts: You are the CCO at a large hospital. The hospital has suffered a number of brand hits lately due to privacy breaches. The CEO has communicated a very strong “zero tolerance” policy for any privacy breach.

An administrative assistant recently posted a picture of some Valentine flowers on her Facebook page and inadvertently had a computer screen in the background with the scheduling information for 2 patients. The screen showed their name and time of appointment in the Oncology department.

Since the start of the “zero tolerance” policy a few months ago, you are aware of three enforcement actions related to Privacy:
1. One “serial breach” by a revenue analyst who accessed the records of 87 community members out of curiosity and was terminated.
2. One physician who posted a negative story about a difficult patient to her Twitter account, including PHI, and was provided “coaching.”
3. One coordinator in a particularly short-staffed area who received a notice level of corrective action after mistakenly mailing 120 letters with scheduling information to the wrong addresses.

Before the “zero tolerance” approach, the hospital had very inconsistent precedent for privacy breach enforcement and did not have a strong “tone at the top” in compliance generally.

HR has asked that you provide a memo to the CHRO and CEO with your advice on this particular case. The CEO is the final decisionmaker. This is a clear violation of HIPAA. The law and hospital policies prohibit posting of PHI to social media and require only “appropriate discipline.”