Health and Human Services released information on President Obama’s Precision Medicine Initiative and the framework intended to help secure data contributed for this Initiative.

The Precision Medicine Initiative is intended to work like many of the local Health Information Exchanges around the country. The local Health Information Exchanges are used for continuity of care. Local doctors and hospitals who see mutual patients are able to access the patient records from other offices.

The biggest difference with this Initiative is that it would be national. Health care providers will use this new national Health Information Exchange to focus on developing treatments, diagnostics, and possible preventive measures with regard to the individual genetic characteristics of each patient.

When this was first announced at the President’s State of the Union Address, there were many questions about how this information would be handled and protected. Currently, there are very strict regulations surrounding genetic information.

The Genetic Information Nondiscrimination Act (GINA) was enacted in 2008 to protect patients from genetic discrimination in health insurance and employment. Genetic information can indicate a person’s risk of developing certain health conditions, in addition to predicting whether their children may develop certain health conditions.

The President is hoping that citizens will be willing to provide their patient health information to this effort for research purposes. Consequently, talk of securing this data became even more important, resulting in the most recent post from Health and Human Services (HHS).

In the press release, HHS provides the new Data Security Policy Principles and Framework, which is based on the National Institute of Standards and Technology (NIST) Framework. Organizations that wish to participate in the President’s Initiative will need to adopt this new framework. One of its requirements is a Risk Assessment. Additional requirements include encryption of the data, vulnerability scans and penetration tests, and incident recovery plans. Many of these are already required by HIPAA.

If you aren’t sure whether or not your current Risk Assessment is comprehensive enough, use HIPAAgps to help you address the important assessment points and discover missing pieces in your current evaluations.