START WITH ASSET CLASSIFICATION
Not all CRM data falls under HIPAA guidelines. The purpose of asset classification is to ensure a clear policy is in place for classifying data. Classifications are not defined by HIPAA; they are company-specific. For instance, an organization may decide to classify CRM data into public data, private data, critical data, and protected data. Under this scheme, protected data would be the data that actually requires protection under HIPAA. Each CRM system data asset within an organization would be classified by the security team and typically assigned an owner. The owner is an individual responsible for ensuring the private data is appropriately protected.