In the age of Big Data, information is being captured across multiple platforms, solutions and industries, creating opportunities for personalization and more. In healthcare, the situation is no different, but the guidelines surrounding how to manage that data are much more stringent. Data management is not just about efficiency; it’s also about compliance.
A recent Health Data Management article outlined the latest in cybersecurity movements for the healthcare industry. HITRUST, a healthcare industry stakeholder coalition, works to improve cybersecurity and developed the De-Identification Framework in an effort to provide standards, guidance and controls. The idea is to provide a better understanding of the process of de-identifying data.
Consistency is key in the management of healthcare data, and the De-Identification Framework is designed to map to HITRUST’s existing Common Security Framework of best practices in an effort to assess the cybersecurity preparedness of any organization in the field. The framework therefore includes use cases that organizations can leverage to define levels of ‘anonymization’, as well as recommended specific use cases for each variant.
The framework also includes defined criteria that organizations can use to evaluate de-identification methodologies, estimate re-identification likelihood and certify expertise within the methodologies. To ensure compliance with existing regulations and risk controls, the framework also provides a mapping of de-identified data to the Common Security Framework. It also supports technical control standards for mitigating risks associated with the storage, use and maintenance of data.
The HIPAA standard for de-identification of data is a low risk of re-identification. As long as an organization follows the De-Identification Framework, it will be able to determine which data elements need to be removed, who has access to them, how they are used as part of the overall view of risk to the data, and where the data is subject to security regulations and privacy stipulations.
Because there is considerable confusion about how to manage data properly in the healthcare industry while still adhering to all rules and regulations, HITRUST is attempting to get everyone on the same page. The framework is also intended to put the rules into terms that all parties can understand and to get people to think about the issues in the same way, so that they apply the appropriate actions.
Regardless of the industry, data is valuable and must be protected. This demands the appropriate use of data management, especially where regulations apply that could create unreasonable exposure and risk the privacy of an individual. By following a set standard, the organization demonstrates its commitment to protecting its information and those it affects.