HITRUST offers de-identification framework
The Health Information Trust Alliance (HITRUST) has released its HITRUST De-Identification Framework, developed to improve patient privacy, enhance innovation and streamline the appropriate use of healthcare data.
The framework meets the need of healthcare organizations for greater guidance and consistency in the de-identification and use of de-identified healthcare data, while simplifying and streamlining the process. De-identification is a key method for protecting privacy by preventing a patient’s identity from being connected with health information and is a core component of the HIPAA Privacy Rule.
The HITRUST De-Identification Framework is fully aligned and mapped to the HITRUST CSF, the most comprehensive and widely adopted information security and privacy framework for the healthcare industry, according to an announcement from HITRUST. The CSF is used by hospitals, health plans and other healthcare organizations as a certifiable, scalable and efficient approach to regulatory compliance and risk management. The CSF is in its seventh major release.
Currently, many healthcare organizations remain uncertain about the de-identification process and the use of de-identified data. The new HITRUST De-Identification Framework aims to clear up confusion about the de-identification and use of de-identified data and offer standards and controls.
“HITRUST believes clearer guidelines in the form of standards for the uses of de-identified data and managing associated risks are needed,” said Daniel Nutkis, CEO, HITRUST. He added, “Since the de-identification process needs to take into consideration the environmental safeguards in place housing the de-identified data, the HITRUST CSF was the logical vehicle to align it with.”
In addition to the new framework, HITRUST is providing resources, such as methodologies and white papers, for organizations to develop and assess their programs, as well as subject matter experts on topics such as the risks of re-identification.
The HITRUST De-Identification Framework includes the following key components:
- Use Cases: Defines the multiple levels of anonymization and recommends specific use cases for each variant, such as end-to-end testing of automated clinical workflows and data mining for clinical research.
- Criteria: Defines criteria for evaluating de-identification methodologies, estimating re-identification likelihood and criteria for certifying expertise in these methodologies.
- Technical Controls Framework: Standards for mitigating the risks associated with the use, storage and maintenance of data. The controls will create a baseline security framework for de-identified data and will include controls to mitigate re-identification risks.
- HITRUST CSF Mappings: Mappings to the HITRUST CSF as it relates to de-identified data.
“With this comprehensive De-ID framework tied to the CSF, we can increase the adoption of best practices for de-identification, and allow more responsible protection and sharing of health information,” said Khaled El Emam, CEO, Privacy Analytics. “The framework is based on methods that are currently used in the field and have been shown to be robust and ensure high data quality.”
“De-identification is an increasingly important and challenging element in the evolution of healthcare, in the United States and globally. Because of the important societal benefits of appropriate de-identification, the HITRUST effort is an essential step forward in building an effective and consistent framework for these practices,” said Kirk Nahra, ESQ, Partner, Wiley Rein LLP.