The $1 million settlement by Massachusetts General for what has come to be known as the “Million Dollar Subway Ride,” for the loss of paper billing documents that were secured only by a rubber band around them on a Boston subway, has emphasized the need to have policies and procedures to secure PHI even when neither the Security Rule nor the Privacy Rule mentions them as being either required, such as a sanction policy, or addressable (where you have to determine whether the policy is reasonable and appropriate and, if not, whether you should implement an equivalent alternate measure, or do nothing but, regardless, document your decision), such as the clearance procedure. Apparently, Mass General did not have a work-at-home policy or a movement of PHI policy. That lack, coupled with lack of training in protecting PHI taken outside the facility, led to the seven-figure settlement. See my blog post dated March 22, 2012. Note that no HIPAA Rule even mentions working at home, transporting paper records, or having policies covering those topics other than by inference from other required or addressable policies or the Privacy Rule’s vague guidance to implement “safeguards” to protect PHI from misuse. Nonetheless, the Massachusetts General case, coupled with other fines and settlements, indicate that DHHS may view that not having a policy for a situation that resulted in a breach may constitute “willful neglect,” which carries the highest civil money penalties, penalties that, unlike breaches due to a reasonable cause, cannot be waived. And other costs associated with breaches exist, such as the cost of notifying individuals whose data was the subject of the breach. So identifying whether you need a policy in a particular area has become even more critical.

HIPAA provides guidance in the form of a matrix for some security issues. The original security rule had a matrix that specified the standard and its implementation specifications, both required and addressable. Further, the National Institute for Standards and Technology (“NIST”) Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, provides a security rule matrix.

But I have not found a matrix detailing all possibly required policies, procedures, and related documents. Thus, I developed one and posted it in the Premium Member section of the Veterans Press website. The matrix has three columns. The first asks you whether you perform an activity, such as using portable devices. The second column lists possible policies, broken down into those required by HIPAA, those that are addressable, both of which are specified in the Security and Privacy Rules, and those that may be necessary, but are not mentioned by those rules. The third column lists policies that you may already have that could satisfy those requirements. An employee handbook could, for example, satisfy the requirement for a sanction policy if it has language specific to protecting health information. Footnotes give additional guidance, such as when a policy may need to address non-HIPAA issues. In an email policy, for example, you may want to prohibit sending racist, sexist, and so forth comments or jokes to avoid the entity being sued for having a hostile work environment.

As always, we are highly interested in your feedback, including any way to improve the matrix.