NIST Privacy Framework: Protecting Privacy While Promoting
By Karen Starling Greenhalgh, HCISPP, CHC, CHPC
Privacy is often seen as a barrier to electronic health information exchange (HIE). To help address those concerns and meld core privacy principles with proven oversight and accountability mechanisms, the National Institute of Standards and Technology (NIST) is scheduled to release the Privacy Framework: An Enterprise Risk Management Tool this month. Draft versions are also available for review.[1] Designed in collaboration between NIST, healthcare industry leaders, and privacy experts, the NIST Privacy Framework provides healthcare providers with an effective approach to protecting the privacy of the individual while implementing complex new interoperability and patient access programs.
Because HIE is such a high priority, the Centers for Medicare and Medicaid Services (CMS) encouraged implementation of electronic health record (EHR) technology throughout the US healthcare delivery system by instituting the meaningful use (MU) EHR Incentive Program.[2] While MU was successful with respect to industry-wide adoption of EHRs, it opened the door to unexpected security risks. In 2018, CMS revamped MU by renaming it the Promoting Interoperability (PI) program, emphasizing a broader focus on interoperability and improving patient access to health information.[3] However, the privacy and security issues remain.
Privacy in Healthcare
Individuals’ privacy is of particular importance to healthcare providers because their patients’ well-being depends upon their ability to share personal data. Loss of trust could make a patient hesitant to share critical information or reluctant to pursue necessary medical care.
There have been numerous attempts to address privacy issues in healthcare that are of interest to health information management (HIM) professionals. For example, the government defined Fair Information Practice Principles (FIPPs) as part of the Privacy Act of 1974.[4] FIPPs set forth eight key principles that formed the backbone of privacy law in the United States and are recognized by healthcare privacy professionals.
In 2008, the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (Privacy and Security Framework) was released by the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC).[5] The ONC’s Privacy and Security Framework also comprises eight principles that are derived from FIPPs.
Figure 1 on page 33 exhibits the privacy principles stated in the FIPPs and ONC’s framework. These are similar and provide a good foundation, but as value statements they are difficult to operationalize.
In 2015 ONC issued the Guide to Privacy and Security of Electronic Health Information.[6] This guide refers to the importance of privacy and security and offers guidance on implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, but does not address the Privacy Rule. Security is necessary to protect the privacy of individuals, but security alone cannot address all privacy issues.
The Privacy and Security Connection
Privacy professionals understand the importance of protecting privacy, but many in the healthcare industry are confused when differentiating between privacy and cybersecurity. As