The Joint Commission announced that, effective January 1, 2024, it will provide a new certification program, Responsible Use of Health Data, aimed at recognizing hospitals that appropriately utilize data beyond the clinical care setting. The certification will be available for hospitals in the United States.

Notably, the US Department of Health and Human Services (HHS) recently announced a concept paper, Healthcare Sector Cybersecurity. This paper provides an overview of HHS’s cybersecurity strategy within the healthcare realm. The Joint Commission’s new certification and HHS’s concept paper demonstrate the ongoing concerns related to cybersecurity threats and the importance of protecting patient data.

The secondary use of data

Specifically, The Joint Commission’s Certification is aimed at providing standards for the secondary use of health data. Primary use of health data refers to the use of health data related to an individual to provide healthcare to the individual from whom the data was collected.

Secondary use of health data, on the other hand, refers to the use of aggregated health data for purposes beyond treatment of the individuals from whom it was collected. Typically, the secondary use of health data is meant to improve healthcare, develop medical technology, monitor public health and contribute to research.

Responsible Use of Health Data Certification

In connection with the new Certification, The Joint Commission noted that while “[n]early 85 percent of US hospitals have the capability to export their patient data for reporting and analysis purposes, according to the Office of the National Coordinator for Health Information Technology . . . there is no standard approach to use de-identified data nor to validate best use practices.”

The Certification will assist hospitals and patients in ensuring that: (1) there is a clear procedure by which patients are notified of a hospital’s data sharing practices; (2) the data collected is used beyond the clinical setting for “the greater good” to improve healthcare; (3) there is a proper framework to protect patient privacy when patient data is used for secondary purposes; and (4) breaches decrease and patient privacy is promoted.

According to The Joint Commission, the Responsible Use of Health Data Certification will target the following areas:

  • The de-identification process;
  • Data controls;
  • Limitation on use;
  • Algorithm validation;
  • Patient transparency; and
  • Oversight structure.

The Certification is meant to signal to patients and others that hospitals with the Certification have appropriate policies and procedures to protect patient data in connection with the secondary use of such data.

Hospitals interested in obtaining the Certification may begin preparing now, and The Joint Commission will accept applications starting January 1, 2024. Please do not hesitate to reach out to our team here at Norton Rose Fulbright for assistance with preparing for the Certification or submitting an application.


