What you need to know about the NIST privacy framework

NIST's technology-agnostic platform improves privacy through enterprise-wide risk management.
By Frank Irving
Apr 21, 2022, 7:00 AM

Even though a comprehensive federal privacy law isn’t likely to be enacted in 2022, individual states such as California, Colorado and Virginia already have privacy legislation in place. Meanwhile, bipartisan calls for greater privacy protection are stoking momentum across the country, with additional state laws expected to come online this year. 

Further, it’s been more than eight years since the last major update to the Health Insurance Portability and Accountability Act (HIPAA). Industry watchers widely anticipate changes to the HIPAA Privacy Rule during 2022 to strengthen information-access rights and reduce administrative burden for HIPAA covered entities.

Forward-thinking healthcare organizations need to be ready for a dynamic privacy environment; however, they don’t have to start from scratch. The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, offers a free, voluntary Privacy Framework “intended to be used by organizations of all shapes, sizes and jurisdictions,” according to Dylan Gilbert, a privacy policy advisor at NIST. The framework is technology-agnostic and approaches privacy as a matter of enterprise-wide risk management rather than as a fixed set of controls.

How the NIST Privacy Framework works

The NIST Privacy Framework centers on a Core of privacy activities and outcomes, grouped into five Functions (Identify-P, Govern-P, Control-P, Communicate-P and Protect-P), that give an organization a structured vocabulary for managing privacy risk. Rather than prescribing controls, the Core presents a menu of outcomes from which the organization selects those that address its highest privacy priorities. It records which outcomes are met today in a Current Profile and which it intends to meet in a Target Profile describing “where the organization wants to be,” said Gilbert. As the entity moves from current to target profile, it weighs considerations in the following areas:

  • organizational goals and roles in the data processing ecosystem;
  • legal and regulatory requirements and best practices;
  • risk management priorities; and
  • privacy needs of individuals.

“It’s not meant to be a checklist,” explained Gilbert. “It’s meant to be a flexible tool that reflects what’s important to your organization right now when it comes to privacy risk management.” 

As such, the framework brings value by building customer trust in how data is handled, while also supporting compliance obligations and improving communication between legal, privacy, security and engineering teams. In practical application, working through the framework leads an organization to inform and train the right personnel on their roles and responsibilities; process data in ways that limit the ability to identify individuals; provide mechanisms that honor individuals’ data processing preferences; and actively manage access to data and devices.

Where to start improving your data privacy program 

Healthcare entities in the early stages of creating or improving a data privacy program can find immediate help through NIST’s quick-start guide, whose steps line up with the framework’s five Functions:

  • Identify-P: mapping data flow through your systems from collection to disposal, then performing a privacy risk assessment that identifies data processing activities that could create problems for individuals (e.g., embarrassment, discrimination or economic loss) and the resulting impact on the organization (e.g., loss of customer trust or reputational harm).
  • Govern-P: regularly reassessing whether privacy risks have changed as systems, vendors, laws or business practices change.
  • Control-P: thinking through ways to disassociate data from individuals and devices (for example, pseudonymizing identifiers and generalizing dates and locations) while still meeting caregiving and business objectives.
  • Protect-P: establishing data-protection measures such as network/device access controls, encryption, backups, timely security software upgrades, and policies for safe disposal of data and devices.
  • Communicate-P: clearly explaining data processing activities to internal and external audiences, supplemented by transparent notices, reports and alerts.

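The disassociation step above is the one that most often stalls in practice, because teams reach for a plain hash of the medical record number and call it anonymized. The following Python is an added illustration, not code from NIST or the quick-start guide. It shows one concrete way to reduce identifiability in a record extract while keeping it useful: a keyed pseudonym (HMAC-SHA256) that stays stable within one purpose but differs across purposes, plus generalization of birth date and ZIP code. The sample records, the `readmission-study-2022` purpose string and the demo key are all constructed for the example; a real deployment would pull the key from a secrets store and would still need a re-identification risk assessment before sharing the output.

```python
"""Keyed pseudonymization and field generalization for a patient-record extract.

Added illustration; not NIST or quick-start-guide code. Demonstrates one way to
"disassociate data from individuals" while keeping a record set usable for analysis.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, Iterable, List

# Constructed sample records; the values are made up, not real patient data.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"mrn": "000123456", "name": "Jane Q. Example", "dob": "1964-03-12",
     "zip": "19104", "visit_date": "2022-04-01", "diagnosis_code": "E11.9"},
    {"mrn": "000123456", "name": "Jane Q. Example", "dob": "1964-03-12",
     "zip": "19104", "visit_date": "2022-04-15", "diagnosis_code": "I10"},
    {"mrn": "000987654", "name": "John Example", "dob": "1931-07-30",
     "zip": "02138", "visit_date": "2022-04-02", "diagnosis_code": "J45.909"},
]

# Fields that directly or strongly identify a person; none may reach the output.
IDENTIFYING_FIELDS = ("mrn", "name", "dob", "zip")
# Fields the (assumed) analytics use case actually needs, passed through unchanged.
RETAINED_FIELDS = ("visit_date", "diagnosis_code")


def pseudonymize(identifier: str, key: bytes, purpose: str) -> str:
    """Derive a stable pseudonym for `identifier` with HMAC-SHA256.

    A plain SHA-256 of a 9-digit MRN is reversible by hashing all 10**9 candidates;
    the secret key defeats that. Mixing in `purpose` gives each downstream data set
    its own pseudonym space, so two extracts cannot be joined on the pseudonym.
    """
    msg = purpose.encode("utf-8") + b"\x00" + identifier.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def age_band(dob: str, as_of_year: int) -> str:
    """Replace a birth date with a ten-year band; 90 and over is a single band
    (the same aggregation HIPAA's Safe Harbor method requires for ages over 89)."""
    age = as_of_year - int(dob[:4])
    if age >= 90:
        return "90+"
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def zip3(zip_code: str) -> str:
    """Keep only the first three ZIP digits. Safe Harbor additionally requires '000'
    for ZIP3 areas with 20,000 or fewer residents; that population lookup is omitted."""
    return zip_code[:3]


def disassociate(record: Dict[str, Any], key: bytes, purpose: str,
                 as_of_year: int) -> Dict[str, Any]:
    """Build the reduced record: pseudonym, generalized fields, retained fields only."""
    out: Dict[str, Any] = {
        "subject_id": pseudonymize(record["mrn"], key, purpose),
        "age_band": age_band(record["dob"], as_of_year),
        "zip3": zip3(record["zip"]),
    }
    for field in RETAINED_FIELDS:
        out[field] = record[field]
    return out


def disassociate_all(records: Iterable[Dict[str, Any]], key: bytes, purpose: str,
                     as_of_year: int) -> List[Dict[str, Any]]:
    """Transform every record and fail closed if any identifying field slipped through."""
    out = [disassociate(r, key, purpose, as_of_year) for r in records]
    leaked = [f for r in out for f in IDENTIFYING_FIELDS if f in r]
    if leaked:
        raise ValueError(f"identifying fields leaked into output: {leaked}")
    return out


if __name__ == "__main__":
    # Hypothetical demo key; in practice fetch it from a KMS/secrets store, never hard-code it.
    demo_key = b"replace-with-32-random-bytes-from-your-kms"
    for row in disassociate_all(SAMPLE_RECORDS, demo_key, "readmission-study-2022", 2022):
        print(json.dumps(row))
```

Because the pseudonym is keyed, the data set's linkability is governed by who holds the key, which turns a cryptographic property into a governance decision the framework's Govern-P and Control-P outcomes can track (who may hold the key, for what purpose, for how long). Anyone who needs to re-link results to patients for care must go through the key holder rather than reversing a hash.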
“The Privacy Framework is a living document,” Gilbert summarized. “It gets the right people in the room and gives them a common language to talk to each other.” 

In doing so, it highlights the questions that need to be answered, identifies required activities while setting clear roles and responsibilities, and helps the organization evaluate whether it has sufficient resources and workforce capabilities to meet its goals.


Frank Irving is a Philadelphia-based content writer and communications consultant specializing in healthcare, technology and sports.
