HITRUST issues draft privacy controls

The Health Information Trust Alliance (HITRUST) has issued proposed changes to its Common Security Framework (CSF) to better protect patient data.

Developed by a group of larger healthcare companies, HITRUST aims to create a unified security standard specifically tailored for the healthcare industry. Its draft privacy controls, an effort to keep the framework up to date, include 125 specific changes affecting 35 controls in the CSF. The controls are based on the HIPAA Privacy Rule and recommendations from the National Institute of Standards and Technology (NIST) and some other standards bodies.

The major areas of focus are confidentiality, notice, consent and disclosure requirements. HITRUST wanted to help organizations better align their security and privacy programs and provide an integrated approach for protecting health information.

"Given the multitude of federal and state regulations with privacy and security requirements, having a fully integrated privacy and security framework provides both privacy and security professionals advantages over disparate approaches," Kimberly Gray, chief privacy officer of IMS Health, said in an announcement. "By identifying the controls and requirements that support both disciplines, organizations are able to more effectively manage their information protection programs."

Its Privacy Working Group took into account both risk and cost factors that organizations face while ensuring the privacy of data. The group plans to add the changes to its MyCSF tool, which organizations can use to perform privacy assessments, compliance reporting and remediation, and is taking comments on the proposed changes through Nov. 15.

The organization first released the security framework in 2008 and has been revising it periodically since. Most recently it issued guidance to help healthcare organizations set priorities for cybersecurity preparedness.

A paper published in the Journal of the American Medical Informatics Association also called for a privacy framework for health social networking sites, with researchers saying people too often don't have enough information to make privacy-sensitive decisions and are likely to trade long-term privacy for short-term benefits.

To learn more:
- find the summary of changes (.pdf)
- read the announcement
- submit comments here