
Sensitive Information Guidance

What is considered sensitive information?

Within HHS, sensitive information is information that has a degree of confidentiality such that its loss, misuse, unauthorized access, or modification could compromise the element of confidentiality and thereby adversely affect national health interests, the conduct of HHS programs, or the privacy of individuals entitled under The Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA). Information technology (IT) security personnel and system owners can equate this definition of sensitive information with data that has a FIPS 199 security impact level of moderate or high for the Confidentiality security objective. This definition of sensitive information is media neutral, applying to information as it appears in either electronic or hardcopy format.

Information can be considered sensitive on its own merit, or it can become sensitive in certain contexts or when aggregated with other information. Context is particularly important when evaluating the sensitivity of PII, a point that is addressed by OMB as the “best judgment standard.”


The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories: Volume 2: Appendices, is a useful reference point for determining if information is sensitive. The document’s main purpose is to provide a comprehensive listing of information types with recommended security impact levels (e.g., low, moderate, or high) for Confidentiality, Integrity, and Availability. While the document does not explicitly identify sensitive information, it acknowledges the direct relationship between confidentiality and sensitivity. From this, two general rules can be derived:

  1. A recommended security impact level of moderate or high assigned to the Confidentiality security objective is a reasonable indicator that the information type is sensitive.
  2. In cases where NIST recommends a security impact level of low for Confidentiality, there may be a compelling business reason to elevate the impact level to at least moderate, thus flagging the information type as sensitive.