The Joint Commission Unveils New Data Privacy Certification

The Joint Commission is kicking off a new voluntary certification program for hospitals and critical access hospitals’ responsible use of health data. The effort aims to help address growing privacy concerns over the secondary use of patient data by third parties for artificial intelligence initiatives, algorithms, medical discovery and other activities.

See Also: Post-Transformation: Building a Culture of Security

The U.S. healthcare quality and safety accreditation organization said on Tuesday that its new Responsible Use of Health Data certification, or RUHD, will cover several key areas of secondary data use.

“As more healthcare organizations are leveraging clinical data for secondary purposes, there have been increased calls to assure responsible data stewardship,” said Dr. Jonathan Perlin, president and CEO of The Joint Commission, in a statement.

The commission said the new program can play an important role in validating that hospital policies and procedures are in place to help protect, govern and accountably use secondary data.

“We believe our Responsible Use of Health Data Certification will help healthcare organizations use data responsibly to improve the safety, quality and equity of care; develop new technologies; and discover new therapies benefiting all patients,” Perlin said.

The commission said its RUHD certification is based on principles adopted from the Health Evolution Forum’s Trust Framework for Accelerating Responsible Use of De-identified Data in Algorithm and Product Development, which was unveiled in September.

Principles established within that trust framework “are more pertinent than ever for organizations engaging in cross-sector collaboration to propel a new generation of data-powered solutions as artificial intelligence forges a new frontier of innovation and discovery in healthcare,” said Richard Schwartz, CEO of Health Evolution.

The framework’s principles aim to help healthcare organizations mitigate risk and prioritize privacy when using or transferring patient data to third parties, the commission said.

The Joint Commission’s RUHD certification’s requirements cover several key areas of the Health Evolution Forum’s trust framework, including the data de-identification process, data controls, limitations on use, algorithm validation, patient transparency and oversight structure.

The Department of Health and Human Services has estimated that about 85% of U.S. hospitals have the capability to export their patient data for reporting and analysis purposes, the commission said.

“However, there is no standard approach to use de-identified data nor to validate best use practices,” the commission said. “Organizations working toward standardization may help address the unmonitored handling of secondary health data,” a goal of the group’s new certification offering.

The RUHD certification program provides an assessment on an organization’s commitment to protecting secondary use of de-identified health data through focused policies and procedures, the commission said.

“An organization is fully responsible for its own expert analysis and confirmation that it is properly following laws, rules, and regulations related to development of any referenced policies and procedures around data use and transfer,” the commission said.

The Joint Commission did not immediately respond to Information Security Media Group’s request for additional details about the program and how it will work.

Crucial Issues

Hospitals can begin applying for RUHD certifications on Jan. 1, the commission said.

Regulatory attorney Rachel Rose said whether hospitals seek out this new certification depends on several factors. They potentially include how such certifications are viewed by the hospital’s cybersecurity insurance carrier or if The Joint Commission adds new language about RUHD related to the hospital’s other accreditation programs.

The Joint Commission said its new voluntary certification “will provide direction in navigating the appropriate sensitivities needed to mitigate risk and safely transfer data that healthcare organizations provide to third-party organizations,” Rose said.

“Basically, what this certification addresses should have been included in policies and training for years” at hospitals, she said. “On the flip side, if a hospital gets the certificate and does not implement the suggestions, they may face increased liability.”

Regardless of whether hospitals seek the new RUDH certification, “I do think it is critical to continue to evolve training and policies to incorporate new technologies such as AI,” Rose said.