The National Institute of Standards and Technology (NIST) is creating a new Privacy Framework. HHS has already endorsed the NIST Cybersecurity Framework (CSF) to support the HIPAA Security Rule. The crosswalk from the NIST Privacy Framework to the HIPAA Privacy Rule is already being mapped.
The NIST Privacy Framework will provide a prioritized, flexible, risk-based, outcome-based, and cost-effective approach. It will be compatible with existing legal and regulatory regimes and useful in meeting the compliance requirements of the HIPAA Privacy Rule. Will this new Privacy Framework enable healthcare organizations to address the full scope of privacy risk with more tools to support better implementation of privacy protections?
Aspects of the NIST Cybersecurity Framework (CSF) will provide models for this new Privacy Framework. What are the implications of combining the NIST CSF and NIST Privacy Framework to support compliance for HIPAA’s Security and Privacy Rules with one integrated tool? What are the differences? What does the Office of Civil Rights (OCR) have to say?
In this session, we will discuss:
- What is Privacy Risk?
- How does the Privacy Framework support the HIPAA Privacy Rule?
- How can healthcare organizations of all sizes leverage this new tool?
- What is the model & how are methodologies used?
- What does Risk Mitigation look like?
The HIPAA Security Rule focuses on the objectives of Confidentiality, Integrity and Availability (CIA). The Department of Health and Human Services (DHHS) endorses the newly designed NIST Cybersecurity Framework (CSF), along with the HIPAA Crosswalk. Healthcare organizations use the CSF to assess the risk impact of implementing business objectives, to design cybersecurity requirements for systems that handle ePHI, and to test the effectiveness of an organization’s controls for achieving those objectives.
Ideally, systems that maintain CIA should be able to mitigate security harms; and likewise, systems that focus on the HIPAA Privacy Rule should be able to mitigate privacy harms to individuals in much the same way. To date, the privacy field has lagged behind in the development of a common risk-based Privacy Framework.
NIST is developing a voluntary Privacy Framework to help organizations:
- Better identify, assess, manage, and communicate privacy risks
- Foster the development of innovative approaches to protecting individuals’ privacy
- Increase trust in products and services
- Have a tool that assists with enterprise privacy risk management
Process-oriented privacy principles (such as the Fair Information Practice Principles (FIPPs)) are an important component of an overall privacy framework, but on their own they have not achieved consistent and measurable results in privacy protection. In the security field, risk management models, along with technical standards and best practices, are key components of improving security. Similarly, the safety risk management field also has well-developed models, technical standards and best practices.
The Privacy Framework incorporates the standards, frameworks, models, methodologies, tools, guidelines, and principles that organizations are using to identify, assess, manage, and communicate privacy risk at the management, operational, and technical levels. The NIST Privacy Framework also considers how to address current regulatory and regulatory reporting requirements (e.g., local, state, national, international).
Do you know about the New NIST Privacy Framework?
While the security of Personally Identifiable Information (PII) plays an important role in the protection of privacy, individual privacy cannot be achieved solely by securing PII. Even when a system is operating as intended to achieve the business’s mission, privacy risk will inevitably arise from authorized processing of PII. HIPAA alone was not enough. The adoption of the NIST Cybersecurity Framework was not enough.
How are you assessing Privacy Risk? Will the Department of Health and Human Services recommend this NIST Privacy Framework as a HIPAA bookend to their current recommendation for the NIST Cybersecurity Framework?
Does your organization need stronger, more versatile compliance tools to design and run the operations necessary to deliver your products and services?
Join our presentation and learn how NIST’s Privacy Framework will address common information privacy challenges in the design, operation, and use of products and services in your organization.
We will reveal the most impactful and challenging attributes of a privacy risk-based program and how the NIST Privacy Framework addresses them. Learn how to incorporate privacy risk management standards, guidelines, and best practices into your healthcare organization’s policies and practices.
February 13, 2020
CEU: 1.0 – Information Protection: Access, Disclosure, Archival, Privacy and Security
Karen Greenhalgh, CHC, CHPC, HCISPP
Karen has extensive experience managing HIPAA and NIST-CSF requirements within medical centers and is an ISC2 certified Healthcare Information Security & Privacy Practitioner (HCISPP). Karen has combined this knowledge with her successful entrepreneurial history to establish Cyber Tygr, a corporation focused on providing economical healthcare cybersecurity and privacy solutions. Karen is a member of the 405(d) group, convened by the Department of Health and Human Services with the mandate to align the Health and Public Health Sector’s cybersecurity efforts.