The Joint Commission recently launched a Certification Program that includes a framework for the Responsible Secondary Use of Health Data by U.S. hospitals.  While the Joint Commission’s certification and accreditation programs are voluntary, more than 22,000 organizations, including hospitals, laboratories and other health care organizations are accredited or certified through its programs. The Responsible Secondary Use of Health Data Certification Program framework is based on principles adopted from the Health Evolution Forum’s Trust Framework, which focuses on the de-identification process, data controls, limitations on use, algorithm validation, patient transparency and oversight.  Although the Certification Program is focused on traditional health care organizations such as hospitals, it will certainly have an effect on the third parties to which these organizations disclose de-identified data, including data brokers, advertisers and other service providers. The Certification Program will require health care organizations to audit third parties that receive health data, even if in de-identified form, and put in place restrictions on the re-identification of health data disclosed to these third parties.  These requirements are already required by many comprehensive state privacy laws; however, many of these privacy laws exempt data that has been de-identified consistent with the HIPAA requirements.  As a result, the Framework will likely close the loop on requirements surrounding de-identified health data by requiring oversight such as audits and contractual controls.