Skip to content

Confidential and Classified Information

Confidential and Classified data/information is information that possesses restrictions regarding storage, transit and other means of information usage.  It is sensitive, restricted, or private information such as social security numbers, patient information, and student grades.

There are several different types of confidential or classified information with which we may come in contact and guidelines on what we can and can do regarding the sharing of this type of material.

PHI and ePHI

PHI is an acronym for Protected Health Information. PHI is all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

The Privacy Rule calls this information "protected health information (PHI)." “Individually identifiable health information” is information, including demographic data, that relates to: the individual’s past, present or future physical or mental health or condition,

  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,
    and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual
  • Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). Examples of Confidential and/or Classified Health Information (PHI)

ePHI is confidential or classified Protected Health Information in electronic form that is stored, transmitted, or somehow used electronically.

PII

PII is an acronym for Personally Identifiable Information. PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.‖ Examples of PII include, but are not limited to:

  • Name, such as full name, maiden name, mother‘s maiden name, or alias
  • Personal identification number, such as social security number (SSN), passport number, driver‘s license number, taxpayer identification number, or financial account or credit card number
  • Address information, such as street address or email address
  • Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)
Examples

Examples of PHI, ePHI, HIPAA, and HITECH Information

  • Name
  • Address – street address, city, county, zip code (more than 3 digits) or other geographic codes
  • Dates directly related to patient (except year), including DOB, admission or discharge date
  • Telephone Number
  • Driver’s License Number
  • Email addresses & fax numbers
  • Social Security Number
  • Medical Record Number
  • Health Plan Beneficiary Number
  • Account Number
  • Certificate/License Number
  • Any vehicle or device serial number, including license plates
  • Web Addresses (URLs)
  • Internet Protocol (IP) Address
  • Finger or voice prints
  • Photographic images
  • Any other unique identifying number, characteristic, or code
  • Age greater than 89 (as the 90 year old and over population is relatively small)

Examples of FERPA Information

  • Grades
  • Social security number
  • Passport number
  • Driver’s license number
  • Account balance

 

Sensitive/Protected Storage Policy

Be sure to view the UTHSC Policy on Storing Sensitive/Protected Data in UT’s Microsoft Office 365 for Education before storing sensitive or protected data on OneDrive.

Please refer to our University of Tennessee IT0110 – Acceptable Use of Information Technology Resources policy for more information.

Sending Confidential and Classified Information Guidelines

Method Can I use this method? If I can, how do I do it?
Email Yes

Yes, but it must be encrypted by typing the word encrypt in the subject line.  More on encrypting an email

Mail (USPS, FedEx, etc.) Yes

The file should be wrapped or sealed in an envelope or pouch in such a manner that the PHI cannot be identified during the transportation process. The outside of the container should contain clear information regarding the addressee, which includes the name, address and telephone number where he/she can be reached. Covered entities should ensure that transported PHI be delivered only to the appropriate individuals who are authorized to receive the information. This can be accomplished by implementing a tracking method by which the sender and the recipient can sign and verify delivery and receipt of the information.

Live Phone or In-Person Conversation Only with extreme care

When talking with a patient or another medical professional ALWAYS use common sense, medical ethics, and take precautionary measures. Be aware of your surroundings and pay close attention to the information you are giving the patient or fellow medical professional. Ask the patient or medical professional if they are on speaker phone or if they are in a crowded area to prevent others from hearing the conversation. 

Voicemail Only with extreme care

When leaving a voicemail with a patient or medical professional, make sure that you have dialed the correct number. Listen for the patient or fellow medical professional’s name during their voicemail greeting. Please, be very broad, advise them to return your call, and give details to patient or medical professional when they become available.

Fax Maybe

Faxing is still a secure way of communication, used a lot in hospitals and clinical settings as long as it is done over a secured fax/phone line.

Text Message Maybe

There are applications available which allow for secure transmission of text as long as all communication stays within the application. The user must make sure that the application used is complicate with local, state, federal regulations and the university’s policies.

Social Media No

Using social media accounts and social media messaging tools when exchanging confidential or classified information is prohibited unless authorized by written consent.

Last Published: Sep 25, 2018