“Patients are hurting, and we sometimes feel frustrated with the barriers we face to meeting their needs, in part due to the demands required to adequately protect their data privacy.”

Stan Crosley, CIPM, CIPP/US

While healthcare privacy laws aim to protect patients, healthcare industry experts will tell you they sometimes can get in the way of doing what healthcare professionals exist to do: treat patients, ease suffering, save lives. Given that reality, an updated framework aims to alleviate some of the difficulties inherent in compliance with various healthcare privacy and security laws, and experts hope that means good news for patients, too.

The Health Information Trust Alliance (HITRUST) has today announced the addition of privacy controls to its HITRUST Common Security Framework (CSF), which will be released later this month. The addition aims to create an integrated privacy and security framework that meets the regulatory requirements of the U.S. healthcare industry, namely the Health Information Portability and Accountability Act (HIPAA), according to a press release announcing the new controls.

The new controls were developed following reviews of various privacy frameworks, standards and regulations by the HITRUST privacy working group and aim to better align healthcare organizations’ security and privacy programs under HIPAA. While the CSF framework covers privacy and security, organizations will have the option to obtain certification for privacy, security or both, according to their operational and compliance needs.

“Given the multitude of federal and state regulations incorporating privacy and security requirements, a fully integrated privacy and security framework provides privacy and security professionals advantages over disparate approaches, allowing the organizations to effectively manage their information protection program,” said Michelle Nader, ethics and compliance and chief privacy officer at Anthem. “By identifying the controls and requirements that support both disciplines, organizations now have the option to certify their programs for security, privacy or both.”

Stan Crosley,  CIPP/US, CIPM, director, IU CLEAR Health Information, and privacy counsel at Drinker Biddle, said there’s never been a time when innovation in health data privacy is more needed.

“We are faced with the trifecta of mounting legal and regulatory burdens, an overwhelming abundance of data from an infinite number of sources and the desperate need for innovative treatment and research to combat pervasive chronic illness and deadly disease,” Crosley told the The Privacy Advisor. “Patients are hurting, and we sometimes feel frustrated with the barriers we face to meeting their needs, in part due to the demands required to adequately protect their data privacy.”

Crosley said HITRUST’s self-service SaaS model, in which entities can license access to the common security framework, has been well-received by healthcare providers and health plans, and incorporating privacy controls into this framework will “no doubt increase the ease with which these same entities can achieve better compliance with legal and regulatory requirements affecting healthcare providers.”

K Royal, CIPP/US, CIPP/E, privacy counsel for Align Technology, said the addition of privacy controls to the HITRUST CSF is a welcome expansion and seemingly a natural one that recognizes privacy’s intersection with security.

“One of the biggest needs we have as an industry is to create a common foundation among vendors and customers, public and private entities and large and small employers,” Royal said. “The CSF provides a solid basis already for security controls. Adding privacy controls moves the CSF toward becoming a compliance lexicon.”

While the framework hasn’t been released yet, Crosley said he’s hopeful that given HITRUST’s “blue ribbon industry privacy experts” on its board and in its working group, "the privacy controls have been developed appropriately and with emphasis on flexibility.”

After all, the primary objective of stakeholders in the healthcare ecosystem is not to protect the privacy and security of data but in fact to use health data to provide “appropriate and tailored therapy and to undertake critical research” in the name of easing suffering and improving patients’ quality of life.

“Privacy and the use of health data for these primary purposes should be completely compatible. But since the passage of HIPAA, this compatibility has been elusive,” Crosley said. “Done correctly, privacy and data security will not only appropriately protect patient privacy against actual harms, it will also drive, not just enable but drive, innovation in treatment and research.”

He added if the HITRUST framework can achieve the goal of more protection, more efficiently, with more flexibility, then maybe healthcare workers can focus more on saving patients and less on worrying about data breaches.

Kirk Nahra, CIPP/US, Wiley Rein partner and chair of the firm's privacy practice and co-chair of its healthcare practice, said HITRUST has been an important participant in bringing useful information on security to the healthcare industry and trying to make sense of the general standards of the HIPAA Security Rule and all the other security frameworks healthcare companies have to worry about.

“By bringing privacy into this concept, they’ve played an important role in guaranteeing the link between privacy and security and giving healthcare companies a useful and efficient way of improving their overall compliance approach,” Nahra said.