What are data classifications?

While HIPAA does not require specific data classification levels, organizations often adopt a simple three-level classification system, for example restricted/confidential, private, and public. The classification is meant to guide the choice of baseline security controls for electronic protected health information (ePHI): restricted/confidential data, which includes PHI, requires stricter protection than general administrative data.

The types of data classified under HIPAA

  1. Public data: In healthcare organizations, public data includes general information about services, facilities, and public health initiatives that are openly available to the public.
  2. Internal data: This category includes operational policies, employee handbooks, and internal communications that are not sensitive but should be kept within the organization.
  3. Confidential data: Confidential data in healthcare includes business strategies, financial reports, and certain administrative information that should be restricted to specific teams.
  4. Restricted data: This is the most sensitive category and includes PHI, such as medical records, billing information, and other personal health details, all of which require stringent security measures.

How does HIPAA require organizations to handle and protect classified data? 

The HIPAA Security Rule is the main source of guidance when it comes to the protection of ePHI. The rule groups its standards into three categories of safeguards, which together cover the administrative, physical, and technical sides of an organization's operations. These include:

  • Administrative safeguards involve policies and procedures for managing access to ePHI, conducting risk assessments, and training employees on security practices. They include establishing a security management process and assigning a security official.
  • Physical safeguards focus on securing the physical environment where ePHI is stored or accessed. Measures include limiting access to facilities and equipment, implementing policies for workstation use, and controlling the transfer, removal, disposal, and reuse of electronic media containing ePHI.
  • Technical safeguards are designed to protect ePHI during electronic transmission and storage. Organizations should look at using HIPAA-compliant email platforms like Paubox and using audit controls to track and monitor all access to ePHI.

NIST guidance on data classification

FIPS 199 and NIST Special Publication 800-60 are instrumental in establishing a standardized framework for data classification within federal information systems. NIST Special Publication 800-60 Volume 1 Revision 1 notes, “FIPS 199 establishes security categories for both information and information systems. The security categories are based on the potential impact on an organization should certain events occur. The potential impacts could jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.” 

FIPS 199 introduces a three-tiered impact system: low, moderate, and high, assessing the potential adverse effects on organizational operations, assets, or individuals resulting from unauthorized disclosure, modification, or loss of access to information.

Building upon this, NIST SP 800-60 provides detailed guidelines for mapping specific types of information and information systems to these impact levels, thereby assisting organizations in determining appropriate security controls. The structured approach ensures that data is consistently classified based on its sensitivity and potential impact.
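The FIPS 199 categorization described above can be worked through in code. The following is an added example, not code from the page, Paubox, or NIST: it takes the per-objective (confidentiality, integrity, availability) impact levels of the information types a system holds, computes the system's security category as the highest impact per objective, and derives the overall level as the high-water mark of the three. The information types and their impact values are constructed for illustration and are not taken from SP 800-60's tables.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() picks the worst case."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InformationType:
    """One information type with its provisional impact level per security objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def categorize_system(info_types):
    """Return (security category, overall level) for a system holding these types.

    FIPS 199 rates each objective separately; at the system level each objective
    takes the highest impact found across all information types, and the overall
    system level is the high-water mark of the three objectives.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    sc = {
        "confidentiality": max(t.confidentiality for t in info_types),
        "integrity": max(t.integrity for t in info_types),
        "availability": max(t.availability for t in info_types),
    }
    return sc, max(sc.values())


def format_sc(sc):
    """Render the category in FIPS 199 notation: SC = {(objective, LEVEL), ...}."""
    return "SC = {" + ", ".join(f"({k}, {v.name})" for k, v in sc.items()) + "}"


# Constructed sample information types (hypothetical values, not SP 800-60 figures).
SAMPLE_TYPES = [
    InformationType("public service directory", Impact.LOW, Impact.LOW, Impact.LOW),
    InformationType("employee handbook", Impact.LOW, Impact.LOW, Impact.LOW),
    InformationType("patient medical records (ePHI)", Impact.HIGH, Impact.HIGH, Impact.MODERATE),
]

if __name__ == "__main__":
    category, overall = categorize_system(SAMPLE_TYPES)
    print(format_sc(category))
    print("overall system level (high-water mark):", overall.name)
```

Adding a single high-impact information type raises the whole system's level, which is why the mapping step in SP 800-60 has to be done per information type before controls are chosen.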

FAQs

What options do healthcare organizations have for storing data?

Healthcare organizations can use on-premises, cloud-based, or hybrid data storage solutions.

What measures can healthcare organizations take to ensure data integrity and availability?

Organizations can implement redundancy, replication, data backup, and erasure coding.

What are some of the main challenges healthcare organizations face when storing data?

The primary challenges include managing the vast volume of data and protecting data from cyber threats.