NIST's Privacy Framework can help orgs find their 'sweet spot'
Photo: ThisIsEngineering/Pexels
In January 2020, the National Institute of Standards and Technology released Version 1.0 of its Privacy Framework: a voluntary tool aimed at helping organizations manage risk arising from their products and services.
Since then, "many multinational organizations have used the framework to create a foundational program that they can then tailor to different jurisdictions within which they operate" said Dylan Gilbert, privacy policy advisor at NIST,
As a voluntary tool, Gilbert says, the framework is intended to help innovators build new products, while still protecting individuals’ privacy.
"This tool is the result of NIST collaboration with a diverse set of stakeholders from around the world representing private industry, the public sector, academia and civil society over a yearlong open and transparent development process," explained Gilbert, who will be presenting at HIMSS21 in a few weeks alongside HITRUST Chief Privacy Officer Nikole Davenport.
Gilbert noted that the Privacy Framework can assist with supporting ethical decision-making in the design of products and services that optimize beneficial uses of data while minimizing adverse consequences.
"This is the benefit of the framework’s flexible, risk-based approach to privacy," he told Healthcare IT News. "Privacy risk assessments can help organizations understand in a given context the values to protect, the methods to employ, and how to balance the implementation of measures to find that 'sweet spot' between maximizing data utility and minimizing problems or harms to individuals."
In addition, Gilbert said, the framework can help with compliance, especially amid a changing policy and technological environment, by identifying outcomes and activities that map to current obligations.
"This helps them establish traceability with their products and services and answer the important question of how they’re meeting their compliance requirements," he said.
Finally, the framework also contains numerous outcomes and activities that organizations can prioritize in order to ensure they're identifying, reflecting and maintaining customer privacy preferences.
"Privacy risk management requires organizations to monitor how changes to laws and regulations, data processing activities, and organizational priorities may affect privacy risks so they may adjust accordingly," he said.
In the year and a half since Version 1.0's release, Gilbert said the agency has heard good feedback about the way implementers have used the framework to identify gaps in their requirements or better integrate their security programs.
"Others have used the Framework simply to facilitate high-level conversations that resulted in an 'aha' moment with leadership about how the organization’s privacy program is organized and where they need to go to meet their goals," he said.
Ultimately, he said, he hopes attendees leave the session with the knowledge that privacy goes beyond compliance alone.
"Healthcare is a great example of a sector that offers numerous current and future benefits to individuals and society thanks to data processing and its associated technologies," he said. "That said, there are very real and important privacy risks associated with health data processing. Laws and regulations often struggle to keep up with the pace of innovation and social norms.
"The Privacy Framework can help organizations go beyond mere compliance, and take a forward-looking privacy risk management approach to reap the benefits of health data, while protecting the privacy of individuals and groups," he continued.
Gilbert and Davenport will explain more during their HIMSS21 session, "The Trust Factor: Privacy Framework Adoption in Healthcare." It's scheduled for Tuesday, August 10, from 2:30 to 3:30 p.m., in Caesars Forum 123.
HIMSS21 Coverage
An inside look at the innovation, education, technology, networking and key events at the HIMSS21 Global Conference & Exhibition in Las Vegas.
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.