1.    Restricted -- includes Confidential and Internal-use-only

a.   Confidential. This includes information required by statutory or common law a high level of protection against unauthorized disclosure, modification, destruction, and use. Confidential information includes, without limitation, the following:

 i.   Patient medical or billing records and Plan Member records including those covered by the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA)

ii.  Student records, including those protected under the Family Educational Rights and Privacy Act (FERPA)

iii.  Financial information, including that covered under the Gramm-Leach-Bliley Act (GLBA)

iv.  Employment records, including pay, benefits, personnel evaluations and other staff records

v.   Research data involving human subjects that are subject to the Common Rule (Federal Policy for the Protection of Human Subjects, 46 CFR 101 et seq)

vi.   Social Security Numbers. 

b.    Internal-use-only. This includes information that requires protection against unauthorized use, disclosure, modification and/or destruction. Internal-use-only information includes, without limitation, the following:

i.  Certain sensitive research data, including information related to a forthcoming or pending patent application

ii.  Johns Hopkins operations, finances, legal matters, audits, or other business or academic activities of a sensitive nature

iii.  Sensitive information related to donors and potential donors

iv.  Information security data, including passwords and information about security-related incidents occurring at Johns Hopkins

 v.  Internal memos, correspondence, and other documents or information whose distribution is limited as intended by the author and/or administrator.