Abstract
The complexity of regulations in healthcare, financial services, and other industries makes it difficult for enterprises to design and deploy effective compliance systems. We believe that in some applications, it may be practical to support compliance by using formalized portions of applicable laws to regulate business processes that use information systems. In order to explore this possibility, we use a stratified fragment of Prolog with limited use of negation to formalize a portion of the US Health Insurance Portability and Accountability Act (HIPAA). As part of our study, we also explore the deployment of our formalization in a prototype hospital Web portal messaging system.
This is a preview of subscription content, log in via an institution to check access.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: An XPath-based preference language for P3P. In: Proceedings of the Twelfth International Conference on World Wide Web, pp. 629–639. ACM Press, New York (2003)
Antón, A.I., Earp, J.B., Reese, A.: Analyzing website privacy requirements using a privacy goal taxonomy. In: Requirements Engineering 2002, pp. 23–31 (2002)
Anton, A.I., Eart, J.B., Vail, M.W., Jain, N., Gheen, C.M., Frink, J.M.: Hipaa’s effect on web site privacy policies. IEEE Security and Privacy 5(1), 45–52 (2007)
Antón, A.I., He, Q., Baumer, D.L.: Inside JetBlue’s privacy policy violations. IEEE Security and Privacy 2(6), 12–18 (2004)
Barth, A., Datta, A., Mitchell, J.C., Nissenbaum, H.: Privacy and contextual integrity: Framework and applications. In: IEEE Symposium on Security and Privacy, pp. 184–198. IEEE Computer Society, Los Alamitos (2006)
Barth, A., Mitchell, J., Datta, A., Sundaram, S.: Privacy and utility in business processes. Computer Security Foundations Symposium, IEEE, 279–294 (2007)
Barth, A., Mitchell, J.C.: Enterprise privacy promises and enforcement. In: Workshop on Issues in the Theory of Security, pp. 58–66. ACM Press, New York (2005)
Bell, D.E., La Padula, L.J.: Secure computer systems: Mathematical foundations. Technical Report 2547, MITRE Corporation (1973)
Borrelli, M.A.: Prolog and the law: using expert systems to perform legal analysis in the United Kingdom. Softw. Law J. 3(4), 687–715 (1990)
Crampton, J.: On permissions, inheritance and role hierarchies. In: Proceedings of the 10th ACM Conference on Computer and Communication Security, pp. 85–92. ACM Press, New York (2003)
Cranor, L.F., Langheinrich, M., Marchiori, M., Presler-Marshall, M., Reagle, J.: The platform for privacy preferences 1.0 (P3P1.0) specification (2002), http://www.w3.org/TR/P3P/
Cuppens-Boulahia, N., Cuppens, F., Haidar, D.A., Debar, H.: Negotiation of prohibition: An approach based on policy rewriting. In: IFIP International Federation for Information Processing, vol. 278, pp. 173–187. Springer, Boston (2008)
Evans-Pughe, C.: The logic of privacy. The Economist 382(8510), 65–66 (2007)
Jajodia, S., Samarati, P., Sapino, M.L., Subrahmanian, V.S.: Flexible support for multiple access control policies. ACM Trans. Database Syst. 26(2), 214–260 (2001)
Masys, D.: Electronic medical records and secure patient portals as an application domain for team research in ubiquitous secure technologies (2005), http://dbmi.mc.vanderbilt.edu/trust/TRUST_for_patient_portals.pdf
May, M.J., Gunter, C.A., Lee, I.: Privacy APIs: Access control techniques to analyze and verify legal privacy policies. In: IEEE Workshop on Computer Security Foundations, pp. 85–97. IEEE Computer Society Press, Los Alamitos (2006)
Ness, R.B.: A year is a terrible thing to waste: early experience with HIPAA. Annals of Epidemiology 15(2), 85–86 (2005)
Nilsson, U., Maluszynski, J.: Logic, Programming and Prolog, 2nd edn. Wiley, Chichester (1995)
Nissenbaum, H.: Privacy as contextual integrity. Washington Law Review 79(1), 119–158 (2004)
OASIS. eXtensible Access Control Markup Language (XACML) 2.0, http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)
Schunter, M., Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language, EPAL 1.1 (2003), http://www.zurich.ibm.com/security/enterprise-privacy/epal/Specification/
Sherman, D.M.: A prolog model of the income tax act of Canada. In: ICAIL 1987: Proceedings of the 1st international conference on Artificial intelligence and law, pp. 127–136 (1987)
Stanford Privacy Group. HIPAA Compliance Checker, http://crypto.stanford.edu/privacy/HIPAA
Stufflebeam, W.H., Antón, A.I., He, Q., Jain, N.: Specifying privacy policies with P3P and EPAL: lessons learned. In: WPES 2004: Proceedings of the 2004 ACM workshop on Privacy in the electronic society, pp. 35–35. ACM, New York (2004)
U.S. Department of Health and Human Services. Understanding HIPAA privacy, http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
U.S. Department of Health and Human Services. HIPAA administrative simplification (2006), http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf
Vanderbilt Medical Center. MyHealthAtVanderbilt, https://www.myhealthatvanderbilt.com/
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Lam, P.E., Mitchell, J.C., Sundaram, S. (2009). A Formalization of HIPAA for a Medical Messaging System. In: Fischer-Hübner, S., Lambrinoudakis, C., Pernul, G. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2009. Lecture Notes in Computer Science, vol 5695. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03748-1_8
Download citation
DOI: https://doi.org/10.1007/978-3-642-03748-1_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03747-4
Online ISBN: 978-3-642-03748-1
eBook Packages: Computer ScienceComputer Science (R0)