Table 8.1  Privacy Qualifier Examples

Qualifier | Description
Personally identifiable information (PII) | “Any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains.”
Personal health information (PHI) | “The Privacy Rule defines PHI as individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens).”
Electronic personal health information (EPHI) | The HIPAA Final Security Rule (FSR) goes to some length to carefully define electronic media.
Personally identifiable transactional data | Information that describes your online activities such as the Web sites that you have visited, addresses to which you have sent e-mail, files that you have downloaded, and other information revealed in the normal course of using the Internet.

8.8.2.2  Internal Privacy Qualifiers
Organizational policies and standards that address privacy include privacy
statement, security policy, privacy policy, and HR policies. Motivations behind these
policies and procedures include legislative and regulatory compliance, liability
management, proactive litigation management, customer trust, and reflections of
such trust in the balance sheet line item goodwill.
Note that litigation management includes a review of the potential laws and
guidelines that govern litigation should circumstances come to that end. For
example, Chapter 8 of the Federal Sentencing Guidelines, “Sentencing of Organizations,”
provides for the calculation of culpability. The guidelines provide insight on how
a judge may determine guilt as well as the extent of guilt, the latter having a direct
correlation with the extent of fine or jail time. Proactively managing for the
potential of litigation is good business practice and should be part of a comprehensive
IA 2 approach.
8.8.3  Privacy IA 2 Perspective
Privacy should not be a hidden attribute under confidentiality; this is why the
IA core principles separate out privacy as a distinct principle. Many organizations
formulate and implement a security management program. Privacy deserves the
 