NIST Privacy Framework

The National Institute of Standards and Technology (NIST) has released a discussion draft of its proposed Privacy Framework, which is currently under development. The purpose of this new, voluntary framework is to provide organizations with a tool that can be used to develop and prioritize strategies for effective privacy solutions and protection.

Once finalized, the NIST Privacy Framework is expected to become the gold standard against which privacy compliance is measured, similar to the NIST Cybersecurity Framework’s use as the accepted standard for evaluating an organization’s data security measures.

NIST has embarked on this initiative in parallel with the National Telecommunications and Information Administration (NTIA), which is developing a set of privacy principles that will align with the international policy objectives of the International Trade Administration.

Privacy of all types of data has emerged as a top concern both here and abroad, as evidenced by increased privacy legislation, most notably the General Data Privacy Regulation (GDPR), enacted in May, 2018 by the European Union, and numerous state laws, such as the California Consumer Privacy Act (CCPA), which is scheduled to go into effect in January, 2020.

This increased legislative activity with regards to personally identifiable data (PII) coincides with an increased focus on the use and disclosure of protected health information (PHI). This includes consideration of changes to HIPAA and 42 CFR Part 2 regulations pertaining to the sharing of Substance abuse and mental health treatment, proposed rulemaking by the Office of the National Coordinator (ONC) pertaining to improving healthcare data interoperability, and an RFI issued by the Department of Health and Human Services seeking feedback to modify the HIPAA Privacy Rule.

The last major updates to HIPAA rules occurred in 2013 with implementation of the Omnibus Rule. It remains to be seen which, if any, of the rules and initiatives on the table for 2019 will be implemented.

NIST has set up a website for information on the Privacy Framework. Feedback on the discussion draft may be sent to