Healthcare Information Security

Cybersecurity News

HITRUST Works Toward Stronger Patient Privacy Methods

By Elizabeth Snell

- Stronger patient privacy methods is the top goal behind The Health Information Trust Alliance’s (HITRUST) latest framework process. The HITRUST De-Identification Framework will not only improve patient privacy, but is also designed to “enhance innovation and streamline the appropriate use of healthcare data,” according to a HITRUST statement.

De-identification is a critical aspect of keeping patient information secure, and is also an important aspect of HIPAA. Essentially, identifiers are removed from the health information. This process mitigates individuals’ privacy risks. After this process, data can be used for certain secondary purposes, such as comparative effectiveness studies or policy assessments.

This new framework aligns with the existing HITRUST Common Security Framework, and will assist healthcare organizations through the de-identification process. Specifically, there are three main areas where the De-Identification Framework will assist facilities:

  • Enhance the understanding of de-identification
  • Clarify what qualifies as de-identified data
  • Promote de-identified data usage

“HITRUST believes clearer guidelines in the form of standards for the uses of de-identified data and managing associated risks are needed,” HITRUST CEO Daniel Nutkis said in a statement. “Since the de-identification process needs to take into consideration the environmental safeguards in place housing the de-identified data, the HITRUST CSF was the logical vehicle to align it with.”

According to the Department of Health & Human Services (HHS), the de-identification process is extremely important, and must be comprehensive and accurate.

“Esoteric notation, such as acronyms whose meaning are known to only a select few employees of a covered entity, and incomplete description may lead those overseeing a de-identification procedure to unnecessarily redact information or to fail to redact when necessary,” the HHS website states. “When sufficient documentation is provided, it is straightforward to redact the appropriate fields.”

There are several key components that the new HITRUST framework will focus on. First, the framework will take use cases and define “the multiple levels of anonymization.” From there, HITRUST will recommend specific use cases for each variant, such as end-to-end testing of automated clinical workflows and data mining for clinical research.

The second component will define criteria for evaluating de-identification methodologies, according to the organization. Additionally, the re-identification likelihood will be estimated and the criteria for certifying expertise in these methodologies will also be determined.

Third is the technical controls framework, where standards for mitigating the risks associated with the use, storage and maintenance of a data will take place.

“The controls will create a baseline security framework for de-identified data and will include controls to mitigate re-identification risks,” according to HITRUST.

The final component of the new framework will involve mappings to the HITRUST CSF in relation to the de-identified data.

The new framework is already being met with praise from those in the healthcare industry. IMS Health Global Chief Privacy Officer Kimberly Gray said that the four established components  “create a clear framework for healthcare organizations that can be used to implement and evaluate a de-identification program.”

“Organizations aligning to these guidelines are better able to protect patient privacy,” Gray said. “At the same time, de-identification helps make the healthcare system work better for everyone by paving the way for innovation and increased public health benefits.”


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks