
HHS Announces Release of the Final Data Security Policy Principles Framework


HHS Secretary Sylvia Mathews Burwell has announced the release of the final Data Security Policy Principles Framework for the Precision Medicine Initiative (PMI), which was launched by President Obama in early 2015. The Security Principles Framework was developed to help organizations that participate in the PMI understand the security measures they must adopt to protect the sensitive health, genetic, and environmental information entrusted to them.

According to the HHS, the PMI will help to “enable a new era of medicine – one where doctors and clinicians are empowered to tailor their treatments to their patients’ needs, and patients can get individualized care.” The PMI is intended to help “deliver the right treatment to the right patient at the right time, taking into account an individual’s health history, genetics, environment, and lifestyle.”

In February, the Obama Administration announced that considerable progress had been made and that more than 40 commitments had been made by the private sector to advance precision medicine. Those commitments include a promise by leading EHR vendors to implement new technology that will allow patients to easily – and securely – send their data to the PMI cohort.

Burwell explained that patient data is the greatest asset in the PMI, and that it is therefore essential that those data are protected and kept secure. The new security framework is intended to ensure that all participating organizations adopt the appropriate measures to keep data protected.

The security framework builds on the Cybersecurity Framework that the National Institute of Standards and Technology (NIST) developed at the Administration’s direction, adapting it to the needs of PMI participants.

Burwell explained that data security cannot be managed with a “one-size-fits-all” approach. Consequently, a broad framework has been developed that can be adapted to the needs of every participating PMI group. Participants can use the framework to develop their own implementation guidelines that address the security needs of their organization. “With this flexibility, we can make use of rapid evolutions in medicine, research and technology while still protecting participants’ information,” explained Burwell.

For the PMI to work as planned, transparency is essential. The public must be made aware of the efforts being made to keep their data private. Transparency is also needed so that precision medicine organizations can learn from the challenges faced by other organizations and benefit from their experience.

Organizations will be required to develop a comprehensive, risk-based security plan and should use a range of tools and techniques to inform and prioritize decisions about the protection of data. Each organization’s security plan should also be reviewed by an independent third party to confirm that its data security controls are effective.

Data must be protected by physical security, and encryption should be used for data both at rest and in motion. PMI organizations should also implement technologies that allow them to detect and report anomalies and intrusions, and should share intelligence and threat information with other PMI organizations. PMI organizations must also develop a robust incident response and data breach recovery plan, and must make participants and stakeholders aware of all breaches and security incidents, including notifying them once an incident has been resolved.

In the event of a breach, a full investigation should be conducted and the root cause of the breach analyzed. The findings should then be shared with the PMI community so that other PMI organizations can improve their security measures and reduce the risk of similar breaches occurring.

Author: HIPAA Journal

