Healthcare Information Security


ONC Releases PMI Data Security Principles Guide

The Office of the National Coordinator released a guide to help organizations adapt PMI data security principles to their own environment and security challenges.


By Elizabeth Snell

The recent Precision Medicine Initiative (PMI) Security Principles Implementation Guide aims to help organizations adopt a framework in which participant data is protected and the systems that underlie precision medicine research are secured.

The Office of the National Coordinator (ONC) released the guide along with the Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST).

The guide supports the final PMI Data Security Policy Principles and Framework, and will provide entities with “best practices in security and data management for precision medicine.”

President Barack Obama launched PMI in early 2016 to encourage more personalized treatments and tailored patient care.

“The Data Security Policy Principles provide a broad framework for protecting PMI participants’ data based on the NIST Cybersecurity Framework,” the document explains. “The PMI Data Security Principles Implementation Guide outlines how the Data Security Policy Principles would apply to an example PMI use case.”

It is still important for organizations to review how HIPAA guidelines may apply to their research and PMI data usage, report authors noted. Adhering to the guidance itself does not ensure HIPAA compliance, and entities should still perform their own security risk assessments.

This will “assess the risks to the confidentiality, integrity, and availability to PMI data processed, stored, or transmitted throughout their enterprises,” the report authors pointed out. Organizations should also “implement security controls sufficient to reduce these risks to a reasonable and appropriate level.”

The guide gives a use case example to better explain how healthcare organizations can benefit from PMI without compromising sensitive data. In the example, a research company stores research data in two databases, labeled as an identifiers database (Identifiers DB) and a research database (Research DB).

Additionally, the databases are linked together via software process so that joined queries can be made across both databases.

It is also noted that the research company is neither a HIPAA covered entity nor a business associate, and therefore is not held to HIPAA regulations.
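The two-database arrangement in the use case (direct identifiers in one store, study data in another, joined only through a software process) is easy to get wrong: if the research store carries the participant ID, anyone with read access to both has a full re-identification path. The following is an added illustration, not code from the ONC guide; it assumes a keyed pseudonym as the linking value and a hypothetical role check on the joining process, and all participants, keys and roles are made-up sample values.

```python
import hashlib
import hmac
import sqlite3

# Constructed example: the linking key lives only with the join process, never in
# either database. Key, participants and the "linkage-officer" role are assumptions.
LINK_KEY = b"hypothetical-linking-key-held-only-by-the-join-process"


def pseudonym(participant_id: str) -> str:
    """Keyed pseudonym (HMAC-SHA256): the Research DB stores this, not the raw ID."""
    return hmac.new(LINK_KEY, participant_id.encode(), hashlib.sha256).hexdigest()


def build_databases():
    """Two separate stores, mirroring the Identifiers DB / Research DB split."""
    identifiers_db = sqlite3.connect(":memory:")
    research_db = sqlite3.connect(":memory:")
    identifiers_db.execute("CREATE TABLE identifiers (pid TEXT PRIMARY KEY, name TEXT, email TEXT)")
    research_db.execute("CREATE TABLE research (pseudonym TEXT PRIMARY KEY, variant TEXT, outcome TEXT)")
    sample = [  # constructed sample participants
        ("P001", "Ada Example", "ada@example.org", "BRCA1", "responder"),
        ("P002", "Bo Example", "bo@example.org", "BRCA2", "non-responder"),
    ]
    for pid, name, email, variant, outcome in sample:
        identifiers_db.execute("INSERT INTO identifiers VALUES (?,?,?)", (pid, name, email))
        research_db.execute("INSERT INTO research VALUES (?,?,?)", (pseudonym(pid), variant, outcome))
    return identifiers_db, research_db


def research_view(research_db):
    """What a researcher querying the Research DB alone sees: no direct identifiers."""
    return research_db.execute("SELECT variant, outcome FROM research ORDER BY variant").fetchall()


def linked_query(identifiers_db, research_db, role: str):
    """The software process that joins across both DBs; gated by an assumed role check."""
    if role != "linkage-officer":
        raise PermissionError("joined queries across both databases require the linkage-officer role")
    rows = []
    for pid, name in identifiers_db.execute("SELECT pid, name FROM identifiers ORDER BY pid"):
        hit = research_db.execute(
            "SELECT variant, outcome FROM research WHERE pseudonym = ?", (pseudonym(pid),)
        ).fetchone()
        if hit:
            rows.append((name,) + hit)
    return rows
```

Because the pseudonym is keyed, a copy of the Research DB on its own yields no identifiers even to someone who knows the participant ID scheme; the risk concentrates in the join process, which is where the guide's identity-management and encryption controls would apply.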

The guide reviews the security risk assessment process and how the organization would perform a security risk assessment, including identifying threats and calculating risks.

From there, the PMI guide discusses how to address the identified threats. Report authors cover the following areas specifically:

  • Identity management
  • De-identification
  • Encryption
  • Vendor management
  • Physical security
  • Security policy and procedure
  • PMI organizations and the HIPAA rules

Along with the security risk assessment process, the report authors also said other actions may be necessary to secure PMI data and its systems and to move the process forward.

“Recognizing that not all security risks can be addressed immediately due to time and resource constraints, [the research company CISO] prioritizes the gaps based on risks to the organization and time/resources it will take to address the risk,” the report suggested. “Finally, she develops a three-year project plan to address the gaps and presents it to her executive leadership and board of directors.”

Security risks are not static, report authors stressed. Organizations must regularly revisit their security risk assessment and update it to account for any environmental and operational changes.

The final Security Framework was released in May 2016 to ensure that healthcare organizations of all sizes understand the security expectations that must accompany the PMI.

HHS Secretary Sylvia Burwell and Assistant to the President for Homeland Security and Counterterrorism Lisa Monaco said in a blog post at the time that the program hoped to “deliver the right treatment to the right patient at the right time, taking into account an individual’s health history, genetics, environment, and lifestyle” through medical research.

“Our greatest asset in PMI is the data that participants contribute, and we want to make sure participants know that their data is protected,” the duo wrote. “The Security Framework we are releasing today builds on the existing PMI Privacy and Trust Principles and ensures we put the security of participants’ information first.”
