Policy Matrix

A list of all policies the author could conceive of follows. That is not to say that some new risk, a new way of providing health services, or a new rule by DHHS will not require a policy not listed below in the future. Check my blog at for a discussion of these events.

The parenthetical after each policy tells you whether it is required (R), addressable (A), or other (O), meaning neither required nor addressable, but perhaps mandatory as a practical matter to avoid an allegation of willful neglect if you have a breach in that area. To the right of each policy, after the slash, are comments to help you assess whether you need such a policy.

Access Authorization Policy (A) / If you have a number of workforce members, this policy is probably reasonable and appropriate. I find that combining it with the other access policies is a good idea, because that way your workforce members do not have to wonder whether a particular issue is covered in the Access Authorization Policy or the Access Establishment and Modification Policy. They can go to the overall Access Policy and find the paragraph or part concerning the issue.
Access Control and Validation Procedure (A) / See discussion of Access Authorization Policy immediately above.
Access Establishment and Modification Policy (A) / See discussion of Access Authorization Policy immediately above.
Alternate Communications Policy (O) / Probably a good idea if you are a direct service provider, such as a family practice, and may be a good idea if you are a secondary service provider, such as a laboratory.
Authentication (Electronic Signature) Policy (O) / Probably necessary if you have an electronic health record.
Authorization and/or Supervision Policy (A) / See discussion of Access Authorization Policy above.
Breach Notification Policy (O) / One of the more critical policies to have, even though it is not expressly required, because how you handle breaches is of high importance to DHHS auditors, and the greatest civil money penalties are reserved for breaches that you do not handle properly.
Business Associate Policy (O) / Necessary if you have a number of departments, each with their own business associates.
Cell Phone (or Portable Device) Policy (O) / Necessary if you have a number of workforce members who need to use their cell phones for their duties.
Complaint Procedure (R) / Required
Contingency Plan (R) / Required
Data Backup Plan (R) / Required
Designated Record Set Policy (O) / May be necessary if you have a lot of PHI in different places, such as health records, billing records, and the like, to determine which records qualify as designated record sets, with respect to which patients have certain rights.
De-identification Policy (O) / May be advisable if you conduct research or other activities involving de-identified health information.
Destruction (Disposal) Plan (R) / Required
Device and Media Control Policy (R) / Required
Disclosures to Family Members Policy (O) / May be a part of an overall Release of Information (Disclosure) Policy, but having it as a separate policy may be helpful if you have a lot of interactions with family members of your patients/clients.
Disclosures to Law Enforcement Policy (O) / May be a part of an overall Release of Information (Disclosure) Policy, but having it as a separate policy may be helpful so your workforce members aren’t stressed out looking through the larger policy when a menacing law enforcement officer is demanding access NOW!
Disaster Recovery Plan (R) / Required
Electronic Signature Policy (O) / Probably necessary if you have an electronic health record. Essentially the same as the Authentication Policy, above, although the Authentication Policy is broader in that it may specify time frames for authenticating the chart, and so forth, as well as how to affix a proper electronic signature.
E-mail Policy (O) / Unless you absolutely prohibit sending e-mail containing PHI (and any such prohibition should be in writing), this policy is probably necessary because of the high risk of e-mail.
Emergency Mode Operation Plan (R) / Required
Evaluation Policy (update of risk analysis) (R) / Although updating your risk analysis is required, arguably you don’t have to have a policy specifying that you are going to do so, but it may be wise to ensure you get it done. This policy could be part of an overall Health Information Security Plan or a Risk Analysis Policy.
Fax Policy (O) / May be wise if you are sending faxes containing PHI.
Fund-Raising Policy (O) / Only possibly necessary if you conduct fund-raising.
Hybrid Entity Policy (O) / Only possibly necessary if you have covered entity components and non-covered entity components within the same organization.
Information System Activity Review Policy (Audit) (O) / Information System Activity Review is required, but having such a policy is not, in terms. Consider whether the auditing you are doing needs to be specified in a policy.
Internet Use Policy (O) / May be wise if you are transmitting PHI, communicating with patients, and so forth over the Internet.
Isolating Health Care Clearinghouse Functions Policy (R) / Only necessary if you qualify as a hybrid entity that has provider or health plan functions and also functions as a clearinghouse.
Limited Data Set Policy (O) / Only necessary if you use limited data sets for research or other functions.
Log-In Monitoring Policy (A) / May be covered in an Information System Activity Review (Audit) Policy.
Maintenance Plan (A) / Would only seem reasonable and appropriate if you have a lot of changes to your physical security measures.
Marketing Policy (O) / Only necessary if you market your products and services. Such activities as continuity of care, appointment reminders, and prescription refill notices are not marketing.
Media Reuse Policy (R) / Required, but could be a part of other policies, such as an overall Security Policy or Destruction Plan.
Medical Records Content Policy (O) / Only tangentially a HIPAA issue, but as a standard-of-care matter such a policy may help avoid charting problems, and from a HIPAA perspective it may help in determining what the medical record portion of a designated record set consists of.
Minimum Necessary Policy (R) / Required
Movement of PHI Policy (O) / Not required in terms by HIPAA, but one of the more critical policies, because the single biggest category of breaches reported to DHHS is loss or theft of a portable device or media, and many civil money penalties, or settlements in lieu thereof, involve loss or theft of a portable device or of paper records.
Password Policy (O) / Probably necessary if you allow workforce members to choose their own passwords, to ensure they choose secure ones.
Password Management Policy (A) / This differs from the Password Policy, immediately above, in that it covers how the covered entity or business associate will manage passwords. The two could certainly be combined into one policy.
Patient Access Policy (O) / This policy could be part of a Release of Information Policy, or could be separate if handling requests for patient access is very common or problematical.
Person or Entity Authentication (A) / You must know who tried to access or did access PHI, and such a policy is probably necessary when the covered entity or business associate has a number of workforce members.
Portable Computer Policy (O) / Not mentioned in terms, but falls under the Device and Media Controls standard. Because, however, the single biggest category of breaches reported to DHHS is loss or theft of a portable device or media, and many civil money penalties, or settlements in lieu thereof, involve loss or theft of a portable device or of paper records, such a policy appears necessary if you use such devices.
Privacy of Deceased Patients Policy (O) / Could be included in the Release of Information (Disclosure) Policy, below.
Processing Records Policy (O) / HIPAA does not require such a policy in terms, but besides its utility in ensuring the proper creation, maintenance, and so forth of records, such a policy may have HIPAA implications as to contents under the minimum necessary rule (which generally does not apply to medical records used for treatment but does apply to financial records) and as to what constitutes a designated record set.
Processing Requests for an Accounting or an Access Report Policy (O) / May be combined with others, such as the two following, in a Patient’s Rights Policy. You must handle such requests, but HIPAA does not say that you must have a policy on how to do so.
Processing Requests for Correction/Amendment Policy (O) / Same as immediately above
Processing Requests for Restriction Policy (O) / Same as above
Protection from Malicious Software Policy (A) / Could be contained in other policies, such as an overall Security Plan, E-mail Policy, Workstation Use Policy (do not upload data or programs without the permission of the security officer), and the like.
Red Flag Policy (O) / Not required by the Red Flag Rule, but HIPAA requires protection of all PHI, not just the clinical information, and PHI includes financial and demographic information that could be used for identity theft. Thus, although the Red Flag Rule is inapplicable, HIPAA may imply that such a policy is a good way to protect such data.
Release of Information (Disclosure) Policy (O) / This is perhaps the most important policy that is not expressly required by HIPAA. Because the Privacy Rule’s release of information rules are so complex, such a policy is necessary to ensure proper use and disclosure.
Report and Report Response (R) / Required
Retention Policy (O) / Not required by HIPAA, but may be necessary to retain documents as required by law and professional standards, and may have HIPAA implications in ensuring PHI is not improperly disposed of.
Risk Analysis Policy (R) / Risk analysis is not only required but is one of the very most important components of HIPAA compliance; HIPAA does not, however, require such a policy. Considering the importance of risk analysis, such a policy may be wise to assign responsibility for conducting and updating it, to determine when to update it, and to specify how to do it. See the Evaluation Policy, above, which could be combined into this policy.
Sanction Policy (R) / Required
Security Plan (Health Information Security Plan) (A) / May be reasonable and appropriate for a large or complex organization to set the strategic direction for its security program.
Social Media Policy (O) / Considering the prevalence of social media in today’s world and the risk inherent in having your workforce badmouth a patient on Facebook or Twitter, such a policy seems required as a practical matter, although it is not yet required in terms by HIPAA.
Telemedicine Policy (O) / May be a wise security measure if you practice telemedicine.
Termination Procedure (A) / Will usually be reasonable and appropriate if you have a workforce of any size.
Testing and Revision Procedure (A) / While this policy is addressable, it seems unwise to have disaster and emergency mode operations plans and not test them and revise them if necessary.
Text Messaging Policy (O) / This could be a part of a cell phone or similar policy, but may be wise considering the widespread use of text messaging. You may want to simply prohibit texting PHI or, if you permit it, impose security measures on the practice.
Training Policy (O) / May be useful if you have a large workforce with differing needs for HIPAA training.
Work at Home Policy (O) / Besides being helpful for HIPAA security issues, such a policy could cover other compliance issues, such as workers’ compensation liability.
Workforce Clearance Procedure (A) / Would seem reasonable and appropriate if you have a large workforce or particularly sensitive information.
Workstation Use Policy (R) / Required

The Complete HIPAA Policies and Procedures Guide

Copyright © 2013 Jonathan P. Tomes, Veterans Press, Inc., and EMR Legal, Inc. All rights reserved.