June 22, 2021 // Dan Fabbri // Last Updated: June 25, 2021
The National Institute of Standards and Technology (NIST) has released a request for information for the NIST Privacy Framework: An Enterprise Risk Management Tool ("Privacy Framework").[1] The purpose of the Privacy Framework is to improve the management of privacy risk, which is a major gap across healthcare organizations today.
A good privacy risk framework should "factor the extent to which the system and processes are vulnerable to problematic data actions as well as the likelihood of a problematic data action"[2] and adverse events. Moreover, the framework should take into account that organizations work with limited resources. Because of that resource limitation, "an important function of a risk assessment is to prioritize risk to enable determination about the appropriate response. Risk can be managed, but it cannot be eliminated."[3]
NIST recognizes that a good cybersecurity program can help protect ePHI and manage some privacy risks; however, privacy risk also emerges from the ways an organization collects, stores, shares, and uses ePHI.[4] The Privacy Framework is intended to "provide a prioritized, flexible, risk-based, outcome-based, and cost-effective approach that can be compatible with existing legal and regulatory regimes in order to be the most useful to organizations and enable widespread adoption."[5]
The NIST lists the following as the minimum attributes required for the Privacy Framework to be effective:
The request for information contains 26 specific requests grouped into the following 3 categories:
At Maize, we believe these types of frameworks are extremely important. The request for information regarding the Privacy Framework strongly suggests NIST intends to develop a framework focusing on a risk-based approach that can be widely adopted by organizations regardless of their business objectives or industry.
If you want to get involved: comments regarding the Privacy Framework must be received by December 31, 2018. Written comments may be submitted by mail to:
National Institute of Standards and Technology
100 Bureau Drive, Stop 200
Gaithersburg, MD 20899
Electronic submissions may be sent to email@example.com and may be in any of the following formats: HTML, ASCII, Word, RTF, or PDF. The request for information is the Federal Register notice cited in note 1 below.
[1] U.S. Dept. of Commerce, Nat. Inst. of Std. & Tech., Developing a Privacy Framework, 83 F.R. 56824 (Nov. 14, 2018), https://www.federalregister.gov/documents/2018/11/14/2018-24714/developing-a-privacy-framework.
[2] U.S. Dept. of Commerce, Nat. Inst. of Std. & Tech., NISTIR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems 21-22 (Jan. 2017), https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf.
[3] NIST, NISTIR 8062 at 22.
[4] NIST, Privacy Framework at 56824.
[5] NIST, Privacy Framework at 56824.
[6] NIST, Privacy Framework at 56825.
[7] NIST, Privacy Framework at 56826.
[8] NIST, Privacy Framework at 56826.
[9] NIST, Privacy Framework at 56826.