HITRUST Tackles Data De-IdentificationWorking Group Will Develop Series of Recommendations
The Health Information Trust Alliance plans to make detailed recommendations for de-identifying patient information and using it for research.
HITRUST is best known for its Common Security Framework, a free guide to implementing security controls to comply with various regulations, including HIPAA. It recently formed a working group that will draft the guidance on de-identifying data, as well as appropriate use and handling of that data to ensure privacy. The recommendations will be released in several phases this year and next.
The initial guidance, to be released in the third quarter, will define multiple levels of de-identification and recommend specific use cases for data in each tier.
"The intent of the HITRUST De-Identification Working Group is to establish a uniform and practical approach to data de-identification that balances the risks and benefits of using the data while taking into account the advancement of healthcare innovation, increased access to healthcare and the protection of individual patient privacy," according to a HITRUST announcement.
The HITRUST initiative comes as federal regulators continue their work on long-overdue guidelines for de-identifying data. The HIPAA privacy rule already includes guidelines for data de-identification, but the HITECH Act requires regulators to issue more detailed guidance.
Working Group Members
Participants in the HITRUST working group include representatives of IMS Health, Merck, Optum and WellPoint, among others.
The group, which is one of a number HITRUST working groups, will make recommendations for minimum qualifications for industry professionals who can certify the standards and the methodologies used to de-identify health data and for properly managing any risk of re-identification. The group also will review and propose changes to relevant HITRUST Common Security Framework controls to help promote the safe and secure handling of de-identified data.