What you need to know about the NIST privacy framework
Even though a comprehensive federal privacy law isn’t likely to be enacted in 2022, individual states such as California, Colorado and Virginia already have privacy legislation in place. Meanwhile, bipartisan calls for greater privacy protection are stoking momentum across the country, with additional state laws expected to come online this year.
Further, it’s been more than eight years since the last major update to the Health Insurance Portability and Accountability Act (HIPAA). Industry watchers widely anticipate changes to the HIPAA Privacy Rule during 2022 to strengthen information-access rights and reduce administrative burden for HIPAA covered entities.
How the NIST Privacy Framework works
The NIST Privacy Framework centers on a Core of privacy activities and outcomes that give an organization a shared vocabulary for managing privacy risk. Rather than prescribing controls, the Core presents a menu of outcomes from which the organization selects those that match its highest privacy priorities. It documents a Current Profile describing where the organization stands today and a Target Profile for “where the organization wants to be,” said Gilbert. As the entity works from the current to the target profile, management considerations emerge in the following areas:
- organizational goals and roles in the data processing ecosystem;
- legal and regulatory requirements and best practices;
- risk management priorities; and
- privacy needs of individuals.
“It’s not meant to be a checklist,” explained Gilbert. “It’s meant to be a flexible tool that reflects what’s important to your organization right now when it comes to privacy risk management.”
As such, the framework brings value by building customer trust in how data is handled, supporting compliance obligations and facilitating communication across the organization. In practical application, its outcomes direct the organization to inform and train appropriate personnel on their privacy roles and responsibilities; to process data in ways that limit the identification of individuals; to provide mechanisms that honor individuals’ data processing preferences; and to actively manage access to data and devices.
Where to start improving your data privacy program
Healthcare entities in the early stages of creating or improving a data privacy program can find immediate help through NIST’s quick-start guide, which explains key functions as highlighted below:
- Mapping out the flow of data through your systems, from collection to disposal. This leads to a privacy risk assessment, which identifies data processing activities that could create problems for individuals (e.g., embarrassment, discrimination or economic loss) and any resulting impact to the organization (e.g., loss of customer trust or reputational harm).
- Regularly reassessing whether privacy risks have changed.
- Thinking through ways to disassociate data from individuals and devices while still meeting caregiving and business objectives.
- Establishing data-protection measures such as network and device access controls, encryption, backups, timely software and security updates, and policies for the safe disposal of data and devices.
- Clearly communicating data processing activities to internal and external audiences, supplemented by transparent notices, reports and alerts.
“The Privacy Framework is a living document,” Gilbert summarized. “It gets the right people in the room and gives them a common language to talk to each other.”
In doing so, it highlights the questions that need to be answered, identifies required activities while setting clear roles and responsibilities, and helps the organization evaluate whether it has sufficient resources and workforce capabilities to meet its goals.
Frank Irving is a Philadelphia-based content writer and communications consultant specializing in healthcare, technology and sports.