Predefined Data Classifications

Related Policies, Procedures and Resources

Data Classification Rule
Data Protection Rule

While the responsibility to classify data rest with the data steward there are some predefined types of sensitive and restricted/PHI institutional data. Based upon state, federal, and contractual requirements that UAB is bound by, the following information assets have been predefined as Restricted or Sensitive data and must be protected:


Personally Identifiable Education Records-Covered under FERPA

Personally Identifiable Education Records are defined as any education records that contain one or more of the following personal identifiers:

       Student Number

       Grades, GPA, Credits Enrolled


       A list of personal characteristics or any other information that would make the student’s identity easily traceable


Personally Identifiable Financial Information (PIFI) - Covered under GLBA

For the purpose of meeting security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:

       Social security number

       Government issued driver’s license number

       Date of Birth

       Financial account number in combination with a security code, access code or password that would permit access to the account

Payment Card Information- Covered under PCI DSS

Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:

       Cardholder name

       Service code

       Expiration date

       CVC2, CVV2 or CID value

       PIN or PIN block

       Contents of a credit card’s magnetic stripe

Protected Health Information (PHI) - Covered under HIPAA

PHI is defined as any “individually identifiable” information that is stored by a Covered Entity, and related to one or more of the following:

       Past, present or future physical or mental health condition of an individual.

       Provision of health care to an individual.

       Past, present or future payment for the provision of health care to an individual.

PHI is considered “individually identifiable” if it contains one or more of the following identifiers:


       Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)

       All elements of dates (except year) related to an individual including birth date, admissions date, discharge date, date of death and exact age if over 89)

       Telephone/Fax numbers

       Electronic mail addresses

       Social security numbers

       Medical record numbers

       Health plan beneficiary numbers

       Account numbers

       Certificate/license numbers

       Vehicle identifiers and serial numbers, including license plate number

       Device identifiers and serial numbers

       Universal Resource Locators (URLs)

       Internet protocol (IP) addresses

       Biometric identifiers, including finger and voice prints

       Full face photographic images and any comparable images

       Any other unique identifying number or characteristic that could identify an individual

If the health information does not contain one of the above referenced identifiers and there is no reasonable basis to believe that the information can be used to identify an individual, it is not considered “individually identifiable” and; as a result, would not be considered PHI.

Note:  Any information classified differently per regulation or policy will be protected at the highest classification level.  For example, social security number as part of a student’s record.  The social security number is not classified as Sensitive Data under FERPA.  It is classified as Restricted Data as Personally Identifiable Information (PII) and under GLBA.
Last modified on December 15, 2017