It may be more helpful to view PHI in the context of an information classification scheme, which every information security program should include. HIPAA defines PHI as confidential. Security is defined as the assurance of confidentiality, integrity and availability of protected information assets. On the confidentiality scale, an organization may define public data, private or corporate data, confidential data and highly confidential data. Each of these classifications should have its own appropriate set of access and handling controls. Typically, the “confidential” classification includes information such as PHI, payroll and employee data, some legal documents (such as those concerning a pending lawsuit), and sometimes business strategy planning documents.