The National Institute of Standards and Technology (NIST) has released a request for information for the NIST Privacy Framework: An Enterprise Risk Management Tool (”Privacy Framework”).1The purpose of the privacy framework is to improve management of privacy risk, which is a major gap across healthcare organizations today.

A good privacy risk framework should “factor the extent to which the system and processes are vulnerable to problematic data actions as well as the likelihood of a problematic data action, ”2and adverse events. Moreover, the framework should take into account that organizations work with limited resources. Due to the resource limitation, “an important function of a risk assessment is to prioritize risk to enable determination about the appropriate response. Risk can be managed, but it cannot be eliminated.”3

The NIST recognizes that a good cybersecurity program can help protect ePHI and manage some privacy risks; however, privacy risk also emerges from the ways an organization collects, stores, shares, and uses ePHI.The Privacy Framework is intended to “provide a prioritized, flexible, risk-based, outcome-based, and cost-effective approach that can be compatible with existing legal and regulatory regimes in order to be the most useful to organizations and enable widespread adoption.”5

The NIST lists the following as the minimum attributes required for the Privacy Framework to be effective:

  1. Consensus-driven and developed and updated through an open, transparent process.
  2. Common and accessible language.
  3. Adaptable to many different organizations, technologies, lifecycle phases, sectors, and uses.
  4. Risk-based, outcome-based, voluntary, and non-prescriptive.
  5. Readily usable as part of any enterprise’s broader risk management strategy and process.
  6. Compatible with or may be paired with other privacy approaches.
  7. A living document.6

The request for information contains 26 specific requests grouped into the following 3 categories:

  1. Organizational Considerations: What are the greatest challenges in improving the organization’s privacy protections, how the organization assesses privacy risks, what an outcome-based approach would look like, and should the Privacy Framework mandate the use of specific standards, methodologies, tools, guidelines, or principles.7
  2. Structuring the Privacy Framework: Whether aspects of the NIST Cybersecurity Framework could be a model for the Privacy Framework and what organizational structure is preferred for the Framework such as lifecycle, FIPPs, or the NIST privacy engineering objectives.8
  3. Specific Privacy Practices: De-identification; enabling users to have a reliable understanding of how information is being collected, stored, used, and shared; enabling user preferences; setting default privacy configurations; use of cryptographic technology to achieve privacy outcomes; data management, including: tracking permissions, metadata, machine readability, data correction and deletion; and usable design or requirements.9

At Maize, we believe these types of frameworks are extremely important. The request for information regarding the Privacy Framework strongly suggests NIST intends to develop a framework focusing on a risk-based approach that can be widely adopted by organizations regardless of their business objectives or industry.

If you want to get involved: comments regarding the Privacy Framework must be received by December 31, 2018. Written comments may be submitted by mail to:

Kate MacFarland

National Institute of Standards and Technology

100 Bureau Drive, Stop 200

Gaithersburg, MD 20899

Electronic submissions may be sent to, privacyframework@nist.gov, and may be in any of the following formats: HTML, ASCII, Word, RTF, or PDF. The request for information can be found here.

Sources:

1 U.S. Dept. of Commerce, Nat. Inst. of Std. & Tech., Developing a Privacy Framework, 83 F.R. 56824, (Nov. 14, 2018), https://www.federalregister.gov/documents/2018/11/14/2018-24714/developing-a-privacy-framework [hereinafter, NIST, Privacy Framework].

U.S. Dept. of Commerce, Nat. Inst. of Std. & Tech., NISTR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems 21-22 (Jan. 2017), https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf [hereinafter NIST, NISTR 8062]

3 NIST, NISTR 8062 at 22.

4 NIST, Privacy Framework at 56824

5 NIST, Privacy Framework at 56824

6 NIST, Privacy Framework at 56825

7 NIST, Privacy Framework at 56826

8 NIST, Privacy Framework at 56826

9 NIST, Privacy Framework at 56826