HIPAA and more: Policy helps employees properly classify, handle all information

Pop quiz: Which of these types of information requires the highest level of confidentiality at Yale New Haven Health System?

  1. Protected health information (PHI)
  2. Intranet web pages
  3. Patient brochures
  4. Information about legal proceedings

A lot of people would answer “1. Protected health information,” but the correct answer is “4. Information about legal proceedings.” Under the health system’s Information Classification Policy, information about legal proceedings and investigations are labeled “special access.” Access to this type of information is restricted to very specific individuals, and additional controls must be implemented to protect and limit that access. PHI is considered “confidential,” which means it can be shared under specific circumstances, as defined in YNHH policies and the federal HIPAA Privacy Rule.

YNHHS’ Information Classification Policy was developed by the Office of Privacy and Corporate Compliance, Information Technology Services’ Office of Information Security, Health Information Management and Legal and Risk Services. The goal is to ensure that the right information is available to the right people at the right times and places – and kept safely away from anyone not authorized to access it. The policy addresses how to manage the confidentiality, integrity and availability of all information in any form, including digital, print, video, spoken and others. It sorts information into four classes:

  • Public – fit to share within and outside the organization.
  • Internal – to be shared only within YNHHS.
  • Confidential – to be shared only with specific people under defined circumstances and with well-defined controls.
  • Special access – super-sensitive information that requires additional controls to ensure confidentiality, when accessed internally and when made accessible to people outside the organization.

The graphic shows examples of information in the different classes and how to handle it.

HIPAA Imiage

For details, visit “Policies” on the YNHHS employee intranet and search for “Information Classification.” Questions? Email list_Information_Classification@ynhh.org.