HHS Announces Release of the Final Data Security Policy Principles Framework

HHS Secretary Sylvia Matthews Burwell has announced the release of the final Data Security Policy Principles Framework for the Precision Medicine Initiative (PMI) which was launched by President Obama in early 2015. The Security Principles Framework was developed to help healthcare organizations that participate in the PMI understand the security measures that must be adopted to protect sensitive health, genetic, and environmental information.

According to the HHS, the PMI will help to “enable a new era of medicine – one where doctors and clinicians are empowered to tailor their treatments to their patients’ needs, and patients can get individualized care.” The PMI is intended to help “deliver the right treatment to the right patient at the right time, taking into account an individual’s health history, genetics, environment, and lifestyle.”

In February, the Obama Administration announced that great progress has been made so far, and that more than 40 commitments have been made by the private sector to advance precision medicine. Those commitments include a promise by leading EHR vendors to implement new technology that will allow patients to easily – and securely – send their data to the PMI cohort.

Burwell explained that patient data are the greatest asset in the PMI, and that it is essential that these data are protected and kept secure. The new security framework will help to ensure that all of the appropriate measures are adopted to keep data protected.

The security framework was adapted from the Administration’s Cybersecurity Framework and builds on the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST).

Burwell explained that the management of data security cannot be dealt with using a “one-size-fits-all” approach. Consequently, a broad framework has been developed that can be adapted to the needs of all participating PMI groups. Participants can use the framework to develop their own implementation guidelines that address the security needs of their organization. “With this flexibility, we can make use of rapid evolutions in medicine, research and technology while still protecting participants’ information,” explained Burwell.

For the PMI to work as planned, transparency is essential. It is important that the public is aware of the efforts being made to ensure that their data remain private. Transparency is also needed so that precision medicine organizations can learn from the challenges faced by other organizations and benefit from their experiences.

Organizations will be required to develop a comprehensive risk-based security plan and should use a range of tools and techniques to inform and prioritize decisions regarding the protection of data. Each organization’s security plan should also be subjected to a review by an independent third party to confirm the effectiveness of data security controls.

Data must be protected by physical security, and encryption should be used for data at rest and in motion. PMI organizations should also implement technologies that allow them to detect and report anomalies and intrusions, and intelligence and threat information should be shared with other PMI organizations. PMI organizations must also develop a robust incident response and data breach recovery plan, and must make patients and stakeholders aware of all breaches and security incidents, including when those incidents have been resolved.

In the event of a breach, a full investigation should be conducted and the root cause of the breach analyzed. The findings should then be shared with the PMI community to help other PMI organizations improve their security measures and reduce the risk of similar breaches occurring.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.