Data Classification and Data Inventory - What's the Difference?As the April 14th, 2003 deadline for HIPAA Privacy compliance draws nearer, the healthcare industry' focus on achieving compliance intensifies. Throughout all of the staff meetings, journal articles, consultant discussions, and other HIPAA resources, you have probably heard the terms "Data classification" and "Data inventory" For many healthcare organizations, these two different initiatives, although very different, can seemingly meld into one without some simple explanation. This can be especially true if all of the work is being performed by internal personnel and by having the same group working on both projects simultaneously. To give a bit of background for both privacy/security initiatives, we can first take a look at what they have to do with HIPAA compliance, which is what the final goal is anyway. Data classification' objective is to establish different classifications of information that the healthcare organization handles and deals with on a day-to-day basis. Gaining an understanding of the different kinds of information, their sensitivity, and the risks associated with that sensitivity is what data classification is all about. These classifications are then used to put the information into different buckets of sensitivity, with varying degrees of security protection measures around them for security and privacy reasons. On the other hand, data inventory, although very similar in name, has a totally different objective. A data inventory' objective is to map the information flow of each piece of information that a company deals with. This is not only to the document level, but also down to the field level of each document processed by the organization that includes sensitive healthcare information. For instance, a data inventory would follow and document the flow of an insurance claim entering an HMO, the different fields contained in the claim, what information systems and business units were involved, and where the information was finally stored or transmitted. The actual effort required to complete the different projects is also very different. Typically a data classification project is far less resource intensive and can be done in a reasonable amount of time, including personnel training. Depending on the level of training, the level of detail desired from the organization, and the overall size of the organization, a data classification project can take anywhere from 5 to 25 weeks. A data inventory' life span will drastically differ depending on the size of the organization and its role in the healthcare process. Document and information intensive organizations that handle loads of processing, such as claims, payment, etc. will experience a much longer data inventory project life cycle than that of a smaller, more provider based company. This large difference in project life cycles is due to the detailed examination of all documents used by the healthcare organization. In a data inventory, a sample of business units and the daily information they encounter is simply not enough. The detail required for a data inventory project is what drives the increased time to delivery, internal and external resource requirements, and overall capital expenditures. As you can see the differences between the two type of data analysis and risk reduction are drastically different. Although both are very disparate, they often compliment one another once finished. To give an example, a data classification normally gives examples for each business unit and each classification. A claims department of a payer will have access to medical claims, patient information, etc. This information would be classified as the most sensitive in the organization, which is usually considered to be "Highly confidential"or "Restricted."This information is put into a matrix with the associated procedures around what to do with a piece of information that resides in this classification bucket. One would have to adhere to special protection measures for this type of highly sensitive information. The data inventory piece can help feed the data classification's bank of examples to fulfill the complete listing and classification of all information possessed, processed, and transmitted by a healthcare organization. Since the data inventory simply does what it says - takes an inventory, the data classification project will help determine what protection measures to be used with each piece of information, their business departments, and the systems involved with the transmission, processing, and storage of the information. |
|||||||||
|
|
|||||||||
| ©2001-2003 by Itillious, Inc. All
Rights Reserved. |
||||