Rinu Goldgin Dhanaraj

Software Consultant

Data Classification

| Data Classification | Definition | Risk Level: High | Risk Level: Medium | Risk Level: Low |
| --- | --- | --- | --- | --- |
| Restricted (e.g., high-profile member information) | Information is non-public information protected by laws, contractual agreements, or business stipulations (e.g., PHI beyond HIPAA such as chemical dependency rehabilitation program services, attorney-client communications). | PCI, ePHI, PHI, PII; specific company data | PII; specific company data | N/A |
| Confidential (e.g., other PHI) | Information is non-public information protected by laws, contractual agreements, or business stipulations (e.g., PHI not requiring special additional security beyond HIPAA, corporate strategic plans, employee payroll records, audit findings). | PCI, ePHI, PHI, PII; specific company data | PII; specific non-PHI company data | Specific non-PHI, non-PII, or de-identified company data |
| Internal (e.g., employee info) | Information is non-public information that is generated or collected by ORG for the use of covered individuals and other authorized parties in performing ORG business functions (e.g., policies, procedures, salary information, security diagrams). | PII; specific company data | PII; specific non-PHI company data | Specific non-PHI, non-PII, or de-identified company data |
| Public | Information is information that has been generated specifically for disclosure to persons outside ORG and has been approved for release (e.g., press releases, marketing materials, clinician websites). | N/A | N/A | Manipulated to remove non-public data |
