Confidential & Sensitive Information Policy for Healthcare Professionals: Applying Rules to Manage Risks, Records, and Regulations

August 3, 2020


Sensitive Information Policy for Healthcare Professionals


The healthcare industry is obligated to protect the privacy of patients, employees, and other internal and external parties. To that end, best practices call for the establishment of a Confidential & Sensitive Information Policy governing the acquisition, use, disclosure, retention, and deletion of medical information and business records. The policy should apply to hard-copy documents, verbal conversations, and electronic communications conducted via employer-provided and personally owned systems, sites, accounts, and devices.


Confidential & Sensitive Information Means More than PHI/EPHI


U.S. healthcare organizations are well aware of the HIPAA Privacy and Security Rules governing the handling of protected health information (PHI) and electronic protected health information (EPHI). Specifically, healthcare entities and their business associates must shield confidential information related to patient health status, medical care, treatment plans, and payment issues. Unauthorized use or exposure of PHI/EPHI could trigger HIPAA audits, privacy lawsuits, financial penalties, employee dismissals, and civil or criminal penalties.


Are you equally familiar with the legal risks and rules associated with personally identifiable information (PII)? PII is sensitive information that, when used alone or in combination with other relevant data, can identify or trace an individual (patient, employee, job applicant, volunteer, vendor). PII includes names, birthdates, phone numbers, and Social Security numbers, among other personal information that could cause harm if disclosed to the wrong people. Data breach notification laws in all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands require healthcare companies to protect PII from data breaches and theft.


Use a Confidential & Sensitive Information Policy, supported by employee education and technology solutions, to help ensure the privacy of confidential PHI/EPHI and the integrity of sensitive PII.


Business Records Keep Healthcare Companies Up & Running


Business records are another form of sensitive information that healthcare companies are obligated to manage effectively. Business records provide evidence of business-related activities, events, and transactions. Business records are retained according to their ongoing business, legal, operational, and historic value. Business records focus on content—the value and future use of information—not format or storage mechanism.


Business records are critical to day-to-day activities including decision making, financial planning, patient relations, human resources management, and legal compliance. Business records can take the form of traditional hard-copy letters, proposals, contracts, and other information we typically think of as paper records. Business records can include electronic messages, posts, and publications generated by email, text messages, instant messages, social media, and other electronic communications tools.


Distinguish Between Records and Non-Records


The ability to accurately distinguish between business records and non-records (nonessential, purely personal, or otherwise insignificant non-business-related information) could have an enormous impact on your healthcare organization in the event of a lawsuit or HIPAA audit. Not every electronic message created, acquired, used, or retained is a business record. Messages that are unrelated to business are non-records.


Here’s the difference:


  • Business Record - An email from HR to employees, announcing staff layoffs and spelling out terms, would be a business record. It memorializes—provides evidence of—a business event that impacts your organization, employees, and future. As a business record, the layoff email could be used as evidence in unemployment compensation claims, severance package negotiations, age discrimination lawsuits, or other legal actions. As a business record, it must be preserved, protected, produced, and purged in accordance with your Record Retention Policy.


  • Non-Record - An email from one employee to another, announcing a child’s college graduation, would be a non-record. A purely personal communication between work friends, this email does not provide evidence of business-related activities, events, or transactions. It does not have ongoing business, legal, operational, or historic value. It does not need to be retained or relinquished to the court in response to a subpoena.


Adopt the 3Es of Confidential & Sensitive Information Management


Legal and regulatory compliance requires healthcare entities and their business associates to shield PHI, EPHI, PII, and business records from unauthorized exposure, alteration, or destruction.


To help reduce risks and increase compliance, employers in the healthcare arena should adopt the 3Es of confidential and sensitive information management:


  1. Establish best practices-based Confidential & Sensitive Information Policy and Record Retention Policy, as well as a record retention and deletion schedule.

  2. Educate employees about record risks, organizational rules, and individual roles. Define confidential and sensitive information. Teach employees to distinguish between business records and non-records. Ensure that each type of information is handled in compliance with up-to-date policies and procedures.

  3. Enforce policies through a combination of disciplinary action, workforce training, and best-in-class technology solutions designed to manage content, use, and records.


Download Your Free NetGovern Policy Package for the Healthcare Industry


To help healthcare entities develop and implement effective, compliant electronic policies and procedures governing information privacy and record retention, the technology and policy experts at NetGovern and the ePolicy Institute have created the NetGovern Policy Package for the Healthcare Industry. The best practices-based sample policies, whitepapers, and guidelines contained in the NetGovern Policy Package are designed to help you minimize risks, manage records, and maximize compliance. Register to download these valuable tools—at no cost:

  • Confidential & Sensitive Information Policy for the Healthcare Industry

  • Record Retention Policy for the Healthcare Industry

  • Record Retention Guidelines for the Healthcare Industry

  • Whitepaper: Record Retention Rules for the Healthcare Industry




Nancy Flynn is the founder of The ePolicy Institute, the world’s leading electronic policy writing and training firm. Since 1998, employers worldwide have relied on the ePolicy Institute to help ensure compliance and reduce risks through the implementation of best practices-based ePolicies, supported by effective employee education. An industry pioneer, Nancy Flynn is the author of The e-Policy Handbook, the first book to address electronic policies and procedures in the workplace. Her other titles include The ePolicy Toolkit, The Social Media Handbook, and Writing Effective E-Mail. Trusted for her knowledge and integrity, Nancy Flynn is a go-to media source who serves as an expert witness in policy-related litigation. Visit to learn more.