JEFF HOWELL
Data Classification Policy - This security standard describes how information is classified and protected. Information has varying degrees of sensitivity and criticality. The purpose of information security is to protect company, patient and employee information. This information might be printed on paper, stored on computers or other electronic devices and media, or kept in people's minds.
The company's data classification policy, combined with the concepts of "Need to Know" and "least privilege", will help protect Health Care Insurers information from unauthorized disclosure, use, modification, and deletion. "Need to Know" is the principle that information should not be disclosed to any person who does not have a legitimate and demonstrable business need to receive it, and "least privilege" restricts each user's access to only the information and resources necessary for that user's legitimate purpose. A single mistake in information security can have significant long-term consequences. Consistent use of the data classification labels identified below is essential if Health Care Insurers information is to be adequately protected. Click here for a sample classification table


General
Access control policies in regulated industries like Health Care Insurers define the permissions users have to access protected medical information and records. Health Care Insurers will implement two access control policies: Role-Based Access Control (RBAC) and Mandatory Access Control (MAC). RBAC restricts medical records to users in certain roles (Pervaiz, et al., n.d.). MAC policies restrict access based on role plus additional attributes. For example, if a patient has depression and cancer, the Oncologist is not allowed to view the mental health records without the patient's consent (ADA.gov, n.d.). The behavioral health records need to be segmented within the medical record, and access is provisioned accordingly. As a health insurer, Health Care Insurers will inherit the same access control policy as the provider. For example, the insurer's Human Resources department is not permitted to view any patient member PHI records. Health Care Insurers classifies information into three categories: PHI, corporate and other protected data. The information categories have four levels of sensitivity: strictly confidential, confidential, internal use and public.
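The two-layer decision described above, as an added illustration that is not part of the original page: an RBAC check against a per-role ceiling for each information category, followed by an attribute check that segmented behavioral-health PHI requires the patient's consent. The role table, record fields and consent tuples are constructed assumptions, not the company's classification table.

```python
from dataclasses import dataclass

# Sensitivity levels from the policy, least to most sensitive.
LEVELS = ["public", "internal use", "confidential", "strictly confidential"]

# Constructed role table (assumption, not the page's table): per category, the highest level a role may read.
ROLE_PERMISSIONS = {
    "claims_adjuster": {"phi": "strictly confidential", "corporate": "internal use"},
    "customer_service": {"phi": "confidential", "corporate": "internal use"},
    "human_resources": {"corporate": "strictly confidential"},   # no PHI category at all
    "oncologist": {"phi": "strictly confidential"},
}

@dataclass(frozen=True)
class Record:
    category: str               # "phi", "corporate" or "other"
    sensitivity: str            # one of LEVELS
    segment: str = "general"    # "behavioral_health" marks segmented PHI
    patient_id: str = ""

@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str

def rbac_allows(role: str, record: Record) -> bool:
    """RBAC layer: the role needs a ceiling for the record's category at or above its level."""
    if record.sensitivity == "public":
        return True
    ceiling = ROLE_PERMISSIONS.get(role, {}).get(record.category)
    return ceiling is not None and LEVELS.index(record.sensitivity) <= LEVELS.index(ceiling)

def mac_allows(subject: Subject, record: Record, consents: frozenset) -> bool:
    """Attribute layer: segmented behavioral-health PHI needs the patient's consent for this user."""
    if record.category == "phi" and record.segment == "behavioral_health":
        return (record.patient_id, subject.user_id) in consents
    return True

def access_decision(subject: Subject, record: Record, consents: frozenset = frozenset()) -> bool:
    """Deny by default: both layers must allow."""
    return rbac_allows(subject.role, record) and mac_allows(subject, record, consents)

if __name__ == "__main__":
    onc = Subject("u42", "oncologist")
    cancer = Record("phi", "strictly confidential", patient_id="p1")
    mental = Record("phi", "strictly confidential", "behavioral_health", "p1")
    print(access_decision(onc, cancer))                               # True
    print(access_decision(onc, mental))                               # False: no consent recorded
    print(access_decision(onc, mental, frozenset({("p1", "u42")})))   # True
```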

Target Group
All Health Care Insurers employees, guests, partners and other third parties working at Health Care Insurers with access to the information, systems and infrastructure of Health Care Insurers.

Roles and Responsibilities
All Health Care Insurers employees, contractors, consultants, temporary employees, and other workers providing services to Health Care Insurers who come into contact with sensitive internal information are expected to familiarize themselves with this data classification policy and to apply it consistently in their daily Health Care Insurers business activities. The sensitivity levels (strictly confidential, confidential, internal use and public) are defined later in this document. Although this policy provides overall guidance, IT employees are expected to apply and extend these concepts to fit the needs of day-to-day operations in order to achieve consistent information protection. This document provides a conceptual model for IT for classifying information based on its sensitivity, and an overview of the required approaches to protect information based on these same sensitivity classifications.

Classification Labels
Any information used to accomplish business objectives needs to be classified according to the classifications defined below. Other members of the organization who are not authorized to view this information may be asked, and will be authorized, to contribute supporting data and information as needed. See Appendix A – Security Measures for each Label for approved measures.

Strictly Confidential – The unauthorized publication of this type of information could have major negative consequences or lead to drastic disruptions in Health Care Insurers' business activities. Access to Strictly Confidential information is limited to a small number of precisely specified persons. This class of information should be used only when the type of information itself demands an unconditional restriction in circulation. Examples include merger and acquisition documents, strategic plans, new product or service research, intellectual property, Protected Health Information (PHI), sensitive Personally Identifiable Information (PII) and any other information where laws or regulations require protection of the information.
Do not transfer any strictly confidential information by telephone, cell phone, or unencrypted video conference, or during a personal meeting that takes place in a public environment.
As an example, Claims Adjusters will be able to view patient PHI data for the purpose of authorizing access to the patient's benefits. However, Claims Adjusters will not be authorized to view sensitive business operations information like merger and acquisition proposals.

Confidential – Confidential information is information that, if published, could inflict major damage on Health Care Insurers' future development, in terms of finance, competition, or Health Care Insurers' legal position. As a rule, personal data is classified as confidential. Exceptions must be decided on a case-by-case basis. Examples include:
  • Documents that contain personal data.
  • Unpublished press releases.
  • Documents for HR applications and completed performance-feedback documents.
  • Audit reports.
  • Health Care Insurers' strategic information.
Do not transfer any confidential information in a public environment. Ensure that unauthorized persons nearby cannot follow your conversation. As an example, a customer service representative would have access to patient summary data but not necessarily the underlying PHI data.

Internal Use – Internal use information is accessible to all Health Care Insurers employees, but it is not intended for wider publication. Internal information can only be forwarded to internal employees of Health Care Insurers. Third parties may be granted access to this information for business reasons by the relevant responsible person. In this case, a suitable confidentiality declaration must be signed, unless the person or persons concerned are already bound by a legal duty of secrecy by virtue of their professional group. Examples:
  • Data about patients and business development information that are classified as internal rather than confidential information.
  • Meeting minutes.
  • Information about internal projects.
  • Documents for internal coordination meetings.
As an example, Health Care Insurers management will review and determine the internal standards by which claims adjusters will accept or deny claims.

Public – All other information may be made accessible to the general public. No measures are necessary to protect this information. Examples:
  • Press releases that have already been published.
  • Publicly accessible information (for example, handbooks and marketing brochures).
There are no special measures to be taken.

Labeling Standards
All documents, regardless of their form (that is, printed, handwritten, or stored electronically), need to have their document classification clearly marked on the first page, typically the cover page.
Cover pages are mandatory for documents classified as confidential or strictly confidential. The classification must be repeated on each page in the footer. For more information and additional disclaimers, please contact the responsible legal department.
Although the classification “internal” may be omitted because it is the default classification, documents should nonetheless be marked as internal for the sake of clarity.

Policy Compliance
Violation of this policy may result in disciplinary actions in accordance with applicable law, up to and including termination of employment.

Jeff Howell  -  San Carlos, CA  -  Privacy Statement - email Jeff