As the landscape of data privacy rules and risks continue to change and evolve, organizations may consider using a privacy framework to assist in implementing, measuring, and improving their privacy programs.

The NIST Privacy Framework, modeled after the NIST Cybersecurity Framework, contains core functions and controls that can help an organization identify and manage risks to the privacy of data, regardless of the size of the organization, jurisdiction or type of data maintained by the organization.

Although use of a framework is not a substitute for health care organizations' compliance obligations under the HIPAA Rules, use of the NIST Privacy Framework is a good place for organizations to begin reviewing data holistically instead of as segments (e.g. health information, employee information, etc.).

"Healthcare organizations face a growing number of challenges related to protecting the privacy of data and ensuring certain rights of patients, members, and consumers," said Andrew Mahler, director of privacy, compliance and managed services at CynergisTek. "We often hear from our healthcare clients that the patchwork of potentially applicable legislation can be both difficult to track as well as successfully implement."

Mahler, who will speak on the topic of privacy frameworks at HIMSS22, explained there has also been increased regulatory enforcement within the healthcare sector regarding the rights of individuals to request access to their data.

"Often, a variety of separate offices and individuals have responsibility for responding to individual rights requests, and it can be challenging for organizations to provide effective oversight over those processes," he said.

"While implementing a framework can be useful, it can also take time and resources, and organizations may have difficulty reaching a consensus about which frameworks to use, or whether to use one at all."

Compliance, privacy, information security, legal and other key stakeholders within an organization will need to carefully consider the types of data it manages, as well as the regulatory mandates and risks posed to the data and systems.

In addition, routine and targeted assessments, audits and reviews can be helpful to manage risks, as long as the organization is up-to-date with all relevant privacy legislation and enforcement activity.

"As threats to the privacy and security of data continue to rise, so does the legislation that requires additional protective and responsive mechanisms," Mahler said.

"Organizations should prepare for new and unpredictable risks to the privacy of data by understanding the types of data being managed, the jurisdictional rules and laws that apply to the data, and enforcement trends."

Mahler, along with Joseph Dickinson, partner at Michael Best, will address various data privacy frameworks in the session "Security and Data Privacy: How a Privacy Framework Can Help." It's scheduled for Wednesday, March 16, from 4-5 p.m. in room W311E.

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209