DOI: 10.1145/1882992.1883093
poster

A comprehensive privacy-aware authorization framework founded on HIPAA privacy rules

Published: 11 November 2010

Abstract

Health care entities publish privacy policies that are aligned with government regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and promise to use and disclose health data according to the stated policies. However, actual practices may deliberately or unintentionally violate these policies. To ensure enforcement of such policies, and ultimately HIPAA compliance, there is a need to develop an enforcement mechanism. In this paper we extend our work on IT-enforceable policies, submitted to the International Journal of Medical Informatics. The submitted work involved a detailed analysis of HIPAA privacy rules to extract the object-related conditions needed to make a disclosure decision. In this paper we extend this work to propose machine-enforceable policies that embody HIPAA privacy disclosure rules and a health care entity's access control rules. We also propose a comprehensive access/privacy control architecture that enforces the proposed policies. The architectural model is designed to allow for dynamic configuration of policies without reconfiguring the architecture responsible for enforcement. Both the proposed policies and the architecture allow multiple stakeholders to adjust their privacy preferences and manage the disclosure of data by adjusting the designated parameters in their respective policies. The objective of this study is to provide a comprehensive, HIPAA-compliant model for privacy protection, access, and logging of PHI.

Published In

IHI '10: Proceedings of the 1st ACM International Health Informatics Symposium
November 2010
886 pages
ISBN:9781450300308
DOI:10.1145/1882992

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access control
  2. ehr
  3. hipaa
  4. itepp
  5. phi
  6. privacy policy

Qualifiers

  • Poster

Conference

IHI '10
IHI '10: ACM International Health Informatics Symposium
November 11 - 12, 2010
Virginia, Arlington, USA

Cited By

  • (2020) Informed Consent in Healthcare. Data Analytics in Medicine, pp. 1222-1253. DOI: 10.4018/978-1-7998-1204-3.ch061. Online publication date: 2020
  • (2020) N-Sanitization: A semantic privacy-preserving framework for unstructured medical datasets. Computer Communications. DOI: 10.1016/j.comcom.2020.07.032. Online publication date: Jul-2020
  • (2017) Informed Consent in Healthcare. Design, Development, and Integration of Reliable Electronic Healthcare Platforms, pp. 211-242. DOI: 10.4018/978-1-5225-1724-5.ch013. Online publication date: 2017
  • (2017) Research issues for privacy and security of electronic health services. Future Generation Computer Systems, 68, pp. 1-13. DOI: 10.1016/j.future.2016.08.011. Online publication date: Mar-2017
  • (2017) Transparent Medical Data Systems. Journal of Medical Systems, 41:1, pp. 1-12. DOI: 10.1007/s10916-016-0653-8. Online publication date: 1-Jan-2017
  • (2016) Patient-Centred Transparency Requirements for Medical Data Sharing Systems. New Advances in Information Systems and Technologies, pp. 1073-1083. DOI: 10.1007/978-3-319-31232-3_102. Online publication date: 2-Mar-2016
  • (2014) Quantifying the costs and benefits of privacy-preserving health data publishing. Journal of Biomedical Informatics, 50, pp. 107-121. DOI: 10.1016/j.jbi.2014.04.012. Online publication date: Aug-2014
  • (2014) Evaluation of an Enhanced Role-Based Access Control model to manage information access in collaborative processes for a statewide clinical education program. Journal of Biomedical Informatics, 50, pp. 184-195. DOI: 10.1016/j.jbi.2013.11.007. Online publication date: Aug-2014
  • (2013) Consistency checking in privacy-aware access control. Proceedings of the 51st annual ACM Southeast Conference, pp. 1-6. DOI: 10.1145/2498328.2500080. Online publication date: 4-Apr-2013
