What is the NIST Privacy Framework?
NIST is the National Institute of Standards and Technology, part of the U.S. Department of Commerce. The NIST Privacy Framework is available to any organization to help it build innovative products and services while also protecting individuals’ privacy through identifying and managing privacy risk.
The framework notes that Internet and IT advances have led to “unprecedented advantages” that are often “fueled by data about individuals.” Those individuals may be unaware of the privacy concerns involved, and businesses and organizations may be unaware of the possible consequences of collecting and using personal data.
NIST says that by following the Privacy Framework, businesses are able to:
- Build customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole.
- Fulfill current compliance obligations, as well as future-proof products and services to meet obligations in a changing technological and policy environment.
- Facilitate communication about privacy practices with individuals, business partners, assessors, and regulators.
The 39-page framework was published in January 2020 and is positioned as an updated counterpart to NIST’s Framework for Improving Critical Infrastructure Cybersecurity, first published in 2014 and last updated in April 2018.
How can a company take advantage of both the Privacy Framework and the Critical Infrastructure Cybersecurity Framework? That’s where a HIPAA crosswalk comes in.
What is a crosswalk?
A crosswalk is a document that helps connect two different frameworks by mapping sections, subcategories, requirements and recommendations in one framework to the applicable parts of the other.
“Crosswalks that map the provisions of standards, laws, and regulations to Subcategories can help organizations determine which activities or outcomes to prioritize to facilitate compliance,” NIST explains.
NIST hosts a number of crosswalks on its Privacy Framework website. In addition to a cybersecurity crosswalk, there are crosswalks connecting the Privacy Framework to the European General Data Protection Regulation (GDPR), the Certified Information Privacy Manager (CIPM) certification, and the Privacy Information Management System (PIMS) standard.
A crosswalk for HIPAA
The U.S. Department of Health and Human Services, whose Office for Civil Rights enforces HIPAA, has published a crosswalk between the HIPAA Security Rule and NIST’s Cybersecurity Framework.
“Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule may find this crosswalk helpful in identifying potential gaps in their programs,” the department says. “Although the Security Rule does not require use of the NIST Cybersecurity Framework, and use of the Framework does not guarantee HIPAA compliance, the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.”
The HIPAA Security Rule crosswalk includes mappings to other commonly used security frameworks as well.