How data privacy frameworks are evolving and how they can guide risk-based decisions
As the landscape of data privacy rules and risks continues to change and evolve, organizations can consider using a privacy framework to help implement, measure, and improve their privacy programs.
The NIST Privacy Framework, modeled after the NIST Cybersecurity Framework, contains basic features and controls that can help an organization identify and manage data privacy risks, regardless of the size of the organization. , jurisdiction or type of data maintained by the organization.
While using a framework does not replace healthcare organizations’ compliance obligations under HIPAA rules, using the NIST Privacy Framework is a good way for organizations to start looking at data. holistically rather than by segments (e.g. health information, employee information, etc.).
“Healthcare organizations face an increasing number of challenges related to protecting data privacy and ensuring certain patient, member and consumer rights,” said Andrew Mahler, Chief Privacy Officer, compliance and managed services at CynergisTek. “We often hear from our clients in the healthcare sector that the patchwork of potentially applicable legislation can be both difficult to follow and to implement successfully.”
Mahler, who will speak on the topic of privacy frameworks at HIMSS22, explained that there has also been increased regulatory enforcement in the health sector regarding the rights of individuals to request access to their data.
“Often a variety of separate offices and individuals have responsibility for responding to individual rights requests, and it can be difficult for organizations to provide effective oversight of these processes,” he said.
“While implementing a framework can be helpful, it can also take time and resources, and organizations may have difficulty reaching consensus on which frameworks to use, or whether to use one at all.”
Compliance, privacy, information security, legal and other stakeholders within an organization will need to carefully consider the types of data it manages, as well as the regulatory mandates and risks posed to data and systems.
Additionally, routine and targeted assessments, audits and reviews can be helpful in managing risk, as long as the organization is up to date with all relevant privacy laws and enforcement activities.
“As data privacy and security threats continue to grow, so does legislation that requires additional protection and response mechanisms,” Mahler said.
“Organizations must prepare for new and unpredictable data privacy risks by understanding the types of data managed, the jurisdictional rules and laws that apply to the data, and enforcement trends.”
Mahler, along with Joseph Dickinson, Partner at Michael Best, will discuss various data privacy frameworks in the session “Data Security and Privacy: How a Privacy Framework Can Help.” It is scheduled for Wednesday, March 16 from 4 p.m. to 5 p.m. in room W311E.