FRISCO, Texas–The Health Information Trust Alliance (HITRUST) announced today the new HITRUST De-Identification Framework, developed to improve patient privacy, enhance innovation and streamline the appropriate use of healthcare data. The framework meets the need of healthcare organizations for greater guidance and consistency in the de-identification and use of de-identified healthcare data, while simplifying and streamlining the process. De-identification is a key method for protecting privacy by preventing a patient’s identity from being connected with health information and is a core component of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
“HITRUST believes clearer guidelines in the form of standards for the uses of de-identified data and managing associated risks are needed”
The HITRUST De-Identification Framework is fully aligned and mapped to the HITRUST Common Security Framework (CSF), the most comprehensive and widely adopted information security and privacy framework for the healthcare industry. The CSF is used by hospitals, health plans and other healthcare organizations as a certifiable, scalable and efficient approach to regulatory compliance and risk management. Now in its seventh major release, HITRUST continues to innovate and enhance the CSF ensuring it meets the ongoing needs of the healthcare industry.
Currently, many healthcare organizations remain uncertain about the de-identification process and the use of de-identified data. The new HITRUST De-Identification Framework offers standards and controls, consistent with HIPAA, to enhance the understanding of de-identification, clarify what qualifies as de-identified data, and to promote the use of de-identified data – leading to better healthcare for all.
HITRUST will hold a webinar on March 24th to brief the industry on this development and simultaneously release a draft of the new framework for an open comment period of 30 days.
“HITRUST believes clearer guidelines in the form of standards for the uses of de-identified data and managing associated risks are needed,” said Daniel Nutkis, CEO, HITRUST. He added, “Since the de-identification process needs to take into consideration the environmental safeguards in place housing the de-identified data, the HITRUST CSF was the logical vehicle to align it with.”
In addition to the new framework, HITRUST is providing resources, such as methodologies and white papers, for organizations to develop and assess their programs, as well as subject matter experts on topics such as the risks of re-identification.
The HITRUST De-Identification Framework includes the following key components:
- Use Cases: Defines the multiple levels of anonymization and recommends specific use cases for each variant, such as end-to-end testing of automated clinical workflows and data mining for clinical research.
- Criteria: Defines criteria for evaluating de-identification methodologies, estimating re-identification likelihood and criteria for certifying expertise in these methodologies.
- Technical Controls Framework: Standards for mitigating the risks associated with the use, storage and maintenance of a data. The controls will create a baseline security framework for de-identified data and will include controls to mitigate re-identification risks.
- HITRUST CSF Mappings: Mappings to the HITRUST CSF as it relates to de-identified data.
“These criteria create a clear framework for healthcare organizations that can be used to implement and evaluate a de-identification program. Organizations aligning to these guidelines are better able to protect patient privacy. At the same time, de-identification helps make the healthcare system work better for everyone by paving the way for innovation and increased public health benefits. We envision CSF Assessors will also assess against the framework,” said Kimberly Gray, Chief Privacy Officer – Global, IMS Health.
“With this comprehensive De-ID framework tied to the CSF, we can increase the adoption of best practices for de-identification, and allow more responsible protection and sharing of health information,” said Khaled El Emam, CEO, Privacy Analytics. “The framework is based on methods that are currently used in the field and have been shown to be robust and ensure high data quality.”
“De-identification is an increasingly important and challenging element in the evolution of health care, in the United States and globally. Because of the important societal benefits of appropriate de-identification, the HITRUST effort is an essential step forward in building an effective and consistent framework for these practices,” said Kirk Nahra, ESQ, Partner, Wiley Rein LLP.
To register for the HITRUST De-Identification Framework webinar visit: https://hitrustalliance.net/de-identification/
Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST – in collaboration with public and private healthcare technology, privacy and information security leaders – has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.
HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry. For more information, visit www.HITRUSTalliance.net.