Data Classification in Healthcare

Employee round-table discussion

Healthcare is a highly competitive industry where payers and providers are subject to significant regulatory oversight. The complex needs of these organizations, and their patients, must be delivered in as efficient a manner as possible, and with precision, while taking every precaution to ensure appropriate levels of data security and privacy.

Given the data involved, and its very direct relationship to their patients, those in the healthcare industry have a fundamental understanding that the information they rely on is critical to patient care – any lack of precision can have significant consequences. While not necessarily viewed formally as ‘data governance’, healthcare practitioners have an inherent appreciation for the importance of data and the need for its integrity and availability, as they consume and create information that ultimately drives the decisions that they make all day, every day.

Beyond patient care responsibilities, there are privacy concerns as well as the need for the organization to have sufficient operational transparency to ensure that efficiencies and effectiveness are realized in a highly competitive environment. As in every data-driven organization, the need to develop and implement data governance capabilities has never been greater, because the information that drives patient care is also a source of legal and business risk.

Healthcare organizations need a reliable solution that consistently applies accurate labels to both Protected Health Information (PHI) and Personally Identifiable Information (PII). The stringent security and data privacy requirements defined in the Health Insurance Portability and Accountability Act (HIPAA), and later bolstered in the Health Information Technology for Economic and Clinical Health Act (HITECH), outline significant steps that need to be taken to ensure compliance. The ability to have a bird’s eye view of unstructured healthcare data in an environment affords the organization the ability to better position themselves for regulatory compliance, and supplement the various controls that can be used to enforce data governance policy.

Data classification can also help healthcare organizations achieve and maintain compliance with regulations that are not directed exclusively at PHI, notably the Payment Card Industry (PCI) standards and the European General Data Protection Regulation (GDPR).

Payment Card Industry (PCI)

Discussions within most healthcare organizations do not necessarily elicit thoughts of PCI compliance, but given their unique situations they may need to ensure that they are. In-house pharmacies, gift-shops, cafeterias and bedside tablets used for ordering and account management are some of the unique opportunities within a healthcare organization that may require attention. The identification and labeling of payment card information is critical in ensuring that the appropriate controls are in place and that the data is managed in accordance with PCI requirements.

The European General Data Protection Regulation (GDPR)

Given the volume of data subjects involved in this setting (patients who are EU citizens), most healthcare organizations in the US will not need to appoint Data Protection Officers (DPOs) for GDPR purposes, but will need to ensure that they can adhere to a subset of those mandates. Among the more onerous requirements are the rights of data subjects to correct erroneous information, to access and port their information, and to be forgotten, all within a relatively short period of time. Meeting this mandate requires the prior, and ongoing, identification and labeling of Personal Information (PI) so that it can be easily located and managed as necessary.
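The PCI and GDPR sections above both come down to the same mechanism: scan unstructured text, decide whether it contains regulated data, and attach a label so the right controls (and, for GDPR, a fast lookup when a data subject exercises their rights) can follow. The following is an added illustration of that mechanism, written for this page rather than taken from it or from any vendor's product. It assumes a two-label taxonomy (`PCI` for cardholder data, `PI` for personal information such as an e-mail address) and operates on a few constructed sample records; the card numbers are industry-standard test values and the addresses use `example.org`/`example.com`. Two details matter in practice and are shown here: a Luhn check keeps sixteen-digit order numbers from being mislabeled as card data, and the classifier's own findings are masked so that the classification report does not itself become a new copy of the regulated data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample "unstructured" records. All values are synthetic test
# data (standard test card numbers, example.org addresses), not real
# cardholder or patient data.
SAMPLE_RECORDS = {
    "cafeteria_receipt.txt": "Paid with card 4111 1111 1111 1111, thanks!",
    "patient_portal_note.txt": "Contact jane.doe@example.org to confirm the appointment.",
    "supply_order.txt": "Order #1234567890123456 placed for 40 boxes of gloves.",
    "gift_shop_log.txt": "Card 5500-0000-0000-0004 declined; email bob@example.com notified.",
}

# A card number candidate: 13 to 19 digits, optionally separated by single
# spaces or hyphens. This is deliberately loose; the Luhn check below is
# what separates real card numbers from other long digit strings.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")

# Hypothetical label names; a real deployment uses whatever taxonomy the
# organization's data governance policy defines.
LABEL_PCI = "PCI"  # cardholder data present: PCI DSS controls apply
LABEL_PI = "PI"    # personal information present: GDPR data-subject rights apply


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by
    payment card numbers. Order numbers and timestamps usually fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so findings can be reviewed without
    storing a full card number in the classification report."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    label: str
    evidence: str  # always masked, never the raw matched value


def classify_text(text: str) -> list[Finding]:
    """Scan one record and return every regulated-data finding with its label."""
    findings: list[Finding] = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding(LABEL_PCI, mask_pan(digits)))
    for m in EMAIL.finditer(text):
        local, _, domain = m.group(0).partition("@")
        findings.append(Finding(LABEL_PI, local[0] + "***@" + domain))
    return findings


def labels_for(text: str) -> list[str]:
    """The distinct labels a record should carry, in sorted order."""
    return sorted({f.label for f in classify_text(text)})


def classify_corpus(records: dict[str, str]) -> dict[str, list[str]]:
    """Label every record in a corpus; an empty list means nothing regulated was found."""
    return {name: labels_for(text) for name, text in records.items()}


if __name__ == "__main__":
    for name, labels in classify_corpus(SAMPLE_RECORDS).items():
        print(f"{name}: {labels or 'no regulated data found'}")
    for f in classify_text(SAMPLE_RECORDS["gift_shop_log.txt"]):
        print(f"  {f.label}: {f.evidence}")
```

Run as a script, the supply order (sixteen digits that fail the Luhn check) receives no label while the gift-shop log receives both `PCI` and `PI`; the per-finding output shows only masked evidence. The same label index is what makes a GDPR access or erasure request tractable: records tagged `PI` can be located directly instead of by re-scanning the whole estate under a deadline.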

Healthcare is a highly regulated industry where the ability to achieve, maintain and efficiently demonstrate regulatory compliance improves the organization’s overall security posture – allowing it to focus on patient care and improved outcomes. When implemented alongside complementary solutions, data classification can play a pivotal role in managing regulated data with precision, effectiveness and a level of efficiency that allows healthcare organizations to properly focus on their core mission.