Data Classification Policy
Disclaimer of warranty—THE INFORMATION CONTAINED HEREIN IS PROVIDED "AS IS." HAWAII HEALTH INFORMATION CORPORATION (“HHIC”) AND THE WORKGROUP FOR ELECTRONIC DATA INTERCHANGE (“WEDI”) MAKE NO EXPRESS OR IMPLIED WARRANTIES RELATING TO ITS ACCURACY OR COMPLETENESS. WEDI AND HHIC SPECIFICALLY DISCLAIM ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL HHIC OR THE HIPAA READINESS COLLABORATIVE (“HRC”) BE LIABLE FOR DAMAGES, INCLUDING, BUT NOT LIMITED TO, ACTUAL, SPECIAL, INCIDENTAL, DIRECT, INDIRECT, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL, ...
SUBJECT: Data Classification Policy
ISSUED BY: HIPAA Readiness Collaborative
AFFECTS: ’s Classification of Data
The purpose of this data classification policy is to provide a system for protecting information that is critical to the organization. All workers who may come into contact with confidential information are expected to familiarize themselves with this data classification policy and to consistently use it.
A. The organization’s data classification system has been designed to support the “need to know” principle so that information may be protected from unauthorized disclosure, use, modification, and deletion. Consistent use of this data classification system will facilitate business activities and help keep the costs for information security to a minimum. Without the consistent use of this data classification system, the organization unduly risks loss of customer relationships, loss of public confidence, internal operational disruption, excessive costs, and competitive disadvantage.
B. Applicable Information: This data classification policy is applicable to all information in Company X’s possession. For example, medical records on patients, confidential information from suppliers, business partners and others must be protected under this data classification policy. No distinctions between the words “data,” “information,” “knowledge,” and “wisdom” are made for purposes of this policy.
D. Consistent Protection: Information must be consistently protected throughout its life cycle, from its origination to its destruction. Information must be protected in a manner commensurate with its sensitivity, regardless of where it resides, what form it takes, what technology was used to handle it, or what purpose(s) it serves. Although this policy provides overall guidance, to achieve consistent information protection, workers will be expected to apply and extend these concepts to fit the needs of day-to-day operations.
E. To be consistent in handling information, the organization’s data classification policy uses the following classification labels:
1. Public. This classification applies to information that is available to the general public and intended for distribution outside the organization. This information may be freely disseminated without potential harm. Examples include product and service brochures, advertisements, job opening announcements, and press releases. De-identified data as defined in the HIPAA Privacy Rule is considered public information.
2. For Internal Use Only. This classification applies to all other information that does not clearly fit into the other classifications. The unauthorized...