The organization must define penalties to be applied in case of non-compliance of the service level agreements
The failure to comply with the established agreements must be associated with a penalty that totally or partially compensates for the negative effects caused.
Service level agreements must have support to enforce compliance, penalties should be representative of the cost of the service contracted.
The penalties must be agreed and accepted at the contractual level and to be effective, they must have a periodic review of service compliance.
A service breaches the established agreements, it is not possible to apply any penalty because it is not defined at the contractual level.
Layer: Resource Layer.
Asset: Information Assets.
Type of Control: Procedure.
HIPAA Security Rules 164.308(a)(1)(ii)©: Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.