Responsible Use of Health Data | The Joint Commission

A Message From Our Chief Innovation Officer

Healthcare as a whole is on the brink of a new era in data collection, reporting and use. Patient data collected by hospitals and other healthcare organizations has intrinsic value in that it can potentially improve outcomes for all patients. The Joint Commission’s Responsible Use of Health Data™ Certification program will help healthcare organizations use data responsibly to improve the safety, quality and equity of care, develop new technologies, and discover new therapies that benefit all patients.
"As a physician and an expert in the patient experience, I’m well aware of the privacy and security concerns surrounding health data. For patients especially there are a lot of unknowns when it comes to talking about their health data. They may hear about data breaches at their local hospital or health system – or even receive notice that their data has been potentially exposed – and wonder how secure their health data is and whether anything is being done to better protect it and them."

James I. Merlino, MD - Chief Innovation Officer - The Joint Commission

How We Can Help

Responsible Use of Health Data Certification is available to accredited and nonaccredited U.S. hospitals and health systems. The certification provides guidance to, and recognizes, healthcare organizations that manage the sensitivities involved in safely using data for purposes beyond clinical care, known as secondary use of data. Based on principles from Health Evolution Forum's "The Trust Framework for Accelerating Responsible Use of De-identified Data in Algorithm and Product Development," the certification provides an objective evaluation of whether an organization is following best practices in its responsible use of health data and has protocols in place covering transparency, limitations on use and patient engagement.

Certification Standards

The areas covered by standards include:

  • Oversight Structure: Establish a governance structure for the use of de-identified data.
  • Data De-Identification: De-identify data in accordance with the HIPAA de-identification standard (Safe Harbor or Expert Determination).
  • Data Controls: Establish data controls to protect against unauthorized re-identification of data.
  • Limitations on Use: Prohibit the misuse of data.
  • Algorithm Validation: Have processes to manage and validate internally developed algorithms.
  • Patient Transparency: Communicate with patients and other key stakeholders about secondary use of de-identified data.

Utilizing Healthcare Data for the Greater Good

Nearly 85% of U.S. hospitals have the capability to export their patient data for reporting and analysis purposes. The goal of using health data is to improve care, including the potential for developing new therapies, treatments and technologies. This vital, valuable information needs to be handled consistently, following rigorous processes, while also providing confidence that privacy and security are maintained throughout.

Why Security of Patient Data is so Important

The mission of The Joint Commission is to continuously improve healthcare for the public and we support the responsible use of data for the greater good with the imperative that privacy and patient rights are protected.

While the Health Insurance Portability and Accountability Act (HIPAA) provides guidance for de-identifying data, data that has been de-identified falls outside HIPAA’s protections, and there is no governance that specifically oversees how such healthcare data is gathered and transferred to a third party.

Two important stakeholders in the process of data use are the patients, who need to be confident their information remains de-identified, and healthcare organizations, which need to be sure the data they’ve collected is shared only with third-party organizations that follow best practices to protect privacy and patient rights.

This certification provides an assessment of an organization’s commitment to protecting de-identified health data in secondary use through focused policies and procedures. An organization remains fully responsible for its own expert analysis and confirmation that it is properly following the laws, rules and regulations that apply to the development of any referenced policies and procedures around data use and transfer.