HITrust offers strategies for privacy, security programs

The Health Information Trust Alliance, or HITrust, is floating new elements to add to its effort to establish a single standard for privacy and data security.

HITrust's Privacy Working Group developed the Common Security Framework so healthcare organizations could have a uniform approach when establishing privacy and security programs. The newly announced controls encourage the flow of health data from electronic health records and interoperable health information exchanges, while remaining focused on patient privacy.

The draft update to the framework—which can be downloaded here (PDF)—includes 125 changes that affect 35 controls involving confidentiality, notice, consent and disclosure requirements.

The most visible change is that the term “security” is in many places replaced with “protection,” reflecting the emphasis on sharing patient data among providers electronically. There's also a new provision calling for organizations to implement a process for receiving complaints and questions from patients regarding privacy practices.

The need for transparency is stressed further by a new requirement for public notice of policy changes that could affect the privacy and collection or sharing of personal data.

“Given the multitude of federal and state regulations with privacy and security requirements, having a fully integrated privacy and security framework provides both privacy and security professionals advantages over disparate approaches,” IMS Health's global chief privacy officer Kimberly Gray said. “By identifying the controls and requirements that support both disciplines, organizations are able to more effectively manage their information protection programs.”

IMS is a member of HITrust, a Frisco, Texas-based organization that formed in 2007 and includes health plans, providers, pharmacy benefit managers, IT vendors and data-miners. The consortium establishes programs to improve health data security. They have regularly updated the security framework since its inception—most recently last year with version 5.0.

“From the beginning, HITrust has been committed to ensuring the CSF remains relevant and current to the needs of the healthcare industry and organizations utilizing it; privacy was always a component of the initial vision,” HITrust CEO Daniel Nutkis said. “Seven years ago when we began development of the CSF, we made a decision to focus on development and adoption of the security controls, recognizing this as the area where organizations needed greater assistance. Now, with broad adoption achieved, we can complete the vision for an integrated framework.”

Member comments on the changes can be submitted here, through Nov. 15. HITrust plans to include the changes in next year's CSF overhaul, as well as add them to the HITrust MyCSF portal, which would allow members to conduct their own privacy assessments and compliance reporting.

Follow Ashok Selvam on Twitter: @MH_aselvam