Digital Guardian's Blog

New Principles for Maintaining Health Information Privacy Outlined

by Chris Brook on Friday September 13, 2019


There's a fresh slate of industry privacy guidelines for companies that handle health and wellness data to follow.

The Consumer Technology Association (CTA) has released new guidance for companies that handle consumer health and wellness data. The guidance, which is voluntary, is designed to serve as the basis for healthcare companies when it comes to establishing consumer trust.

In a document, "Guiding Principles for the Privacy of Personal Health and Wellness Information" (PDF), the CTA outlines five principles that organizations can follow in order to be good data stewards.

CTA is a standards and trade organization that serves the needs of over 2,000 technology companies; it also puts on the annual Consumer Electronics Show (CES), one of the longest-running technology trade shows, in Las Vegas each year.

The five principles are as follows:

1. Be open and transparent about the personal health information you collect and why.
2. Be careful about how you use personal health information.
3. Make it easy for consumers to access and control the sharing of their personal health information, and empower them to do so.
4. Build strong security into your technology.
5. Be accountable for your practices and promises.

The nitty-gritty of the principles is fairly straightforward. CTA encourages companies to maintain a privacy policy, if they haven't already, that explains how they collect, use, and share consumer data, and to exercise caution around how that data is used. That includes ensuring there are requirements and safeguards in place around who can process that data. Companies can use anonymization or de-identification to mitigate risk as well.

In light of recently passed, and soon to go into effect, data privacy legislation, CTA is also recommending that companies give consumers the ability to access and control how their personal health information is shared, the ability to correct it if it is wrong, and the right to deletion, portability, or objection where the law requires it.

When it comes to safeguarding data, companies should perform regular information security risk assessments to ensure the confidentiality and integrity of data, work in tandem with their IT team to identify and remedy risks, and use encryption to protect it while at rest and in transit.

Lastly, the organization is urging healthcare companies to appoint a data protection officer, or someone akin to one, to oversee the security and privacy of personal health information, educate staff on the principles, and, if necessary, report security issues and breaches involving personal data.

The trade group says that it developed the principles based on current and developing U.S. law and that its goal is for them to complement, not supplant, legal requirements. The CTA is also leaving the guidance open to interpretation: if a company wants to use it to guide its practices around consumer data that isn't health related, it can.


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.