Data Classification
Information assets are assigned a sensitivity level based on the appropriate audience for the information. If the information has been previously classified by regulatory, legal, contractual, or company directive, then that classification will take precedence. The sensitivity level then guides the selection of protective measures to secure the information. All data are to be assigned one of the following six sensitivity levels:
- Highly Restricted
- Restricted
- Confidential
- Internal Use
- Public
- De-Identified
- Derivative Data
Highly Restricted
Definition
PHI is all “Individually identifiable health information”, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
Potential Impact of Loss
- SIGNIFICANT DAMAGE would occur if PHI were to become available to unauthorized parties either internal or external to Safe Health.
- Impact could include negatively affecting Safe Health’s competitive position, violating regulatory requirements, damaging the company’s reputation and violating contractual requirements.
Restricted
Definition
Restricted information is highly-valuable, highly-sensitive business information and the level of protection is dictated externally by legal and/or contractual requirements. Restricted information must be limited to only authorized employees, contractors and business partners with a specific business need.
Potential Impact of Loss
- SIGNIFICANT DAMAGE would occur if Restricted information were to become available to unauthorized parties either internal or external to Safe Health.
- Impact could include negatively affecting Safe Health’s competitive position, violating regulatory requirements, damaging the company’s reputation, violating contractual requirements and posing an identity theft risk.
Confidential
Definition
Confidential information is highly-valuable, sensitive business information and the level of protection is dictated internally by Safe Health.
Potential Impact of Loss
- MODERATE DAMAGE would occur if Confidential information were to become available to unauthorized parties either internal or external to Safe Health.
- Impact could include negatively affecting Safe Health’s competitive position, damaging the company’s reputation, violating contractual requirements and exposing the geographic location of individuals.
Internal Use
Definition
Internal Use information is information originated or owned by [company]. Internal Use information may be shared with authorized employees, contractors and business partners who have a business need, but may not be released to the general public, due to the negative impact it might have on the company’s business interests.
Potential Impact of Loss
- MINIMAL or NO DAMAGE would occur if Internal Use information were to become available to unauthorized parties either internal or external to [company].
- Impact could include damaging the company’s reputation and violating contractual requirements.
Public
Definition
Public information is information that has been approved for release to the general public and is freely shareable both internally and externally.
Potential Impact of Loss
- NO DAMAGE would occur if Public information were to become available to parties either internal or external to [company].
- Impact would not be damaging or a risk to business operations.
De-Identified Health Information (DIHI)
Definition
There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers, which is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
Potential Impact of Loss
- NO DAMAGE would occur if DIHI information were to become available to parties either internal or external to Safe Health.
- Impact would not be damaging or a risk to business operations.
Derivative Data
Definition
Potential Impact of Loss
Any information protected by international, federal, state, or local laws and regulations or industry standards, such as GDPR, HIPAA, HITECH.
- Personally Identifiable Information (PII)
- Protected Health Information (PHI)
- Gramm-Leach-Bliley Act (GLBA)
- Human Subjects Research
- General Data Protection Regulation (GDPR) - European Union
- Health Insurance Portability & Accountability Act (HIPAA) - United States
- Telecommunications Act (United Kingdom)
- 21 CFR Part 820
- ISO2101
- MDSAP
- ISO13485
Data Controls:
- Storage type and location
- Encryption
- Access control
- Data destruction
- Data loss prevention
- Public disclosure
- Logging and tracking access