How to Ensure HIPAA Compliance for Your CRM System


Start with Asset Classification

Not all CRM data falls under HIPAA guidelines. The purpose of asset classification is to ensure a clear policy is in place for classifying data. Classifications are not defined by HIPAA; they are company-specific. For instance, an organization may decide to classify CRM data into public data, private data, critical data, and protected data. In this scheme, protected data would be the data that actually requires protection under HIPAA. Each CRM system data asset within an organization would be classified by the security team and typically assigned an owner. The owner is an individual responsible for ensuring the private data is appropriately protected.

Asset classification is important because it provides clear guidance on what level of protection an asset requires. Without classification it would be very difficult to ensure HIPAA compliance of your CRM system, because there would be no guidance on what data to protect. To be “safe”, an organization might decide that all of its data needs to be HIPAA compliant, and that just is not practical. For instance, an organization’s public website data, which in the above classifications would reside under the public classification, cannot fall under HIPAA compliance, because it is created for the specific purpose of sharing on a public website. This classification is essential for maintaining HIPAA compliance.

ActivePrime has worked hard to make sure we can help with these CRM system security challenges and rules. We are dedicated to making the healthcare experience as positive as we can. We want to help both customers and organizations maximize their investment in CRM systems. We want all to be covered by health care insurance and support.

Get started!

Visit our website to learn more about our HIPAA Compliance solutions.

This post is part of the ActivePrime HIPAA Compliance Blog Series, a series of articles designed to give healthcare organizations technical insight and techniques upon which to build a HIPAA compliant organization.