Table 4. Suggested Procedures for Data Disclosure Classification
Use
Disclosure
1. Must be restricted to only individuals who have a need to know. 2. Must use extreme cau�on when handling data.
Only share informa�on internally and only when expressly permi�ed and when directed by the data owner.
Sensitive
3. Must be restricted to only individuals who have a need to know.
Only share informa�on internally and only when expressly permi�ed.
Internal Use
4. Data can be generally used, but care should be considered in its consump�on.
Only share informa�on internally within the organiza�on.
Public
5. No restric�ons.
Highly Sensitive
Share freely with no restric�ons.
Be careful when sending information through e-mail. Ensure that sending PHI via e-mail is consistent with ONC guidance. Do not send unencrypted PHI through regular e-mail or text message. However, patients can request and receive access to their PHI via unencrypted electronic communications following a brief warning to the patient that unencrypted communications could be accessed by a third-party in transit and the patient confirms that they still want to receive the unencrypted communication.
Labeling: It is important to label information properly to facilitate implementation of restrictions related to its usage and disclosure. Labeling helps keep data secure in two ways. First, users will understand how to handle information that is properly labeled. Second, specialized security tools, such as data loss prevention (DLP) systems, can be configured to discover and control information when it is properly labeled. At minimum, the labeling process should ensure that labels are readily apparent when users view information. Use techniques like placing the classification in the footer of the document. Collaborate with your marketing and communication departments to create document templates based on data classification levels. Organization-wide document templates enable specialized tokens or signatures to be embedded in the documents and tracked by DLP systems.
4.M.C
Data Security
NIST FRAMEWKORK REF: PR.DS, PR.DS-1, PR.DS-2, PR.IP-6, PR.DS-5
After policies and procedures have been defined, you can establish additional data security methods. Consider the security methods described in Table 5. 44
