HITRUST issues draft privacy controls

The Health Information Trust Alliance (HITRUST) has issued proposed changes to its Common Security Framework (CSF) to better protect patient data.

Developed by a group of larger healthcare companies, HITRUST aims to create a unified security standard specifically tailored for the healthcare industry. Its draft privacy controls, an effort to keep the framework up to date, include 125 specific changes affecting 35 controls in the CSF. The controls are based on the HIPAA Privacy Rule and recommendations from the National Institute of Standards and Technology (NIST) and some other standards bodies.

The major areas of focus are confidentiality, notice, consent and disclosure requirements. HITRUST wanted to help healthcare organizations better align their security and privacy programs and provide an integrated approach for protecting health information.

"Given the multitude of federal and state regulations with privacy and security requirements, having a fully integrated privacy and security framework provides both privacy and security professionals advantages over disparate approaches," Kimberly Gray, chief privacy officer of IMS Health, said in an announcement. "By identifying the controls and requirements that support both disciplines, organizations are able to more effectively manage their information protection programs."

HITRUST's Privacy Working Group took into account both the risk and the cost factors that organizations face while ensuring the privacy of data. The group plans to add the changes to its MyCSF tool, which organizations can use to perform privacy assessments, compliance reporting and remediation, and is taking comments on the proposed changes through Nov. 15.

The organization first released the security framework in 2008 and has been revising it periodically since. Most recently it issued guidance to help healthcare organizations set priorities for cybersecurity preparedness.

A paper published in the Journal of the American Medical Informatics Association also called for a privacy framework for health social networking sites, with researchers saying people too often don't have enough information to make privacy-sensitive decisions and are likely to trade long-term privacy for short-term benefits.

To learn more:
- find the summary of changes (.pdf)
- read the announcement
- submit comments here