
Formalization of Health Information Portability and Accountability Act (HIPAA)


Presentation Transcript


  1. Formalization of Health Information Portability and Accountability Act (HIPAA)
     Simon Berring, Navya Rehani, Dina Thomas

  2. Project Overview
     • HIPAA Overview
     • Previous Work
     • Verification Tool - SPIN
     • Formalization Results
     • Conclusions
     • Further Work

  3. What is HIPAA?
     Timeline
     - 1996: main act is passed
     - 2000: HHS releases privacy rule
     - 2003: In response to criticism, HHS releases updated privacy rule
     Goals
     - Prevent malicious parties from obtaining protected health information (phi)
     - Allow flows of information necessary for health care
     - Allow patients reasonable discretion

  4. Privacy and Contextual Integrity (Previous Work)
     • Barth, Datta, Mitchell and Nissenbaum
     • Uses typed, first order, linear temporal logic.
     • With types = Agent | Message | Property | Context
     • With grammar: [figure not captured in transcript]
     • With invariants: [figure not captured in transcript]
     • With norms (e.g.):
       inrole(p1, covered-entity) ∧ inrole(p2, individual) ∧ (q = p2) ∧ (t ∈ phi)

  5. Privacy APIs (Previous Work)
     • Gunter, et al
     • Defined a formalism for legal privacy rules: “auditable privacy systems”
     • Created a language (HRU) that preserved the subtleties of law and was accessible to non-experts
     • Investigated several properties, found one “unexpected ambiguity” about patient consent
     • Converted HRU to Promela and used SPIN verification

  6. Verification Tool: SPIN
     [Figure: SPIN workflow: LTL Translator, Promela Model M, Verifier, Xspin, Counter Example (Trace)]
     • SPIN = Simple Promela Interpreter
     • Software verifier for parallel, distributed systems
     • LTL model checker

  7. Promela
     • Promela = Protocol/Process Meta Language
     • Communication via message channels (synchronous/asynchronous)
     • Non deterministic scheduling of processes
     • Model consists of
       • Type declarations
       • Channel declarations
       • Variable declarations
       • Process declarations
       • [ init process ]
     From: Theo R. Ruys – SPIN Beginner’s Tutorial, 2002

  8. Promela (model, part 1)

```promela
/******* #defines **************/
#define N 4   /* assumed value: the slide's own #define was not captured in the transcript.
                 mtype constants are numbered from 1 upward, so 4 channels keep both
                 q[pharmafrnd] and q[frndpharma] inside the array bounds */
mtype { one };
mtype { pharmafrnd, frndpharma };   /* used as channel indices in init */

/********* global variables *************/
chan q[N] = [2] of { mtype, byte }; /* two fields: the transcript declared { byte } only, but the
                                       sends and receives below carry one(mesg), an mtype plus a byte */
bool pharma_frnd = 0;               /* set once the friend has received a message from the pharmacist */

/************** processes ****************/
proctype pharmacist(chan friendin, friendout) {
    byte mesg;
end:
    do
    :: friendin?one(mesg)  -> printf("pharmacist gets mesg frm friend \n");
    :: friendout!one(mesg) -> printf("pharmacist sends mesg to friend \n");
    :: break                /* the pharmacist may stop at any time */
    od
}
```

     From: Theo R. Ruys – SPIN Beginner’s Tutorial, 2002

  9. Promela (model, part 2)

```promela
proctype friend(chan pharmain, pharmaout) {
    byte mesg;
end:
    do
    :: pharmain?one(mesg)  -> pharma_frnd = 1;
                              printf("friends gets mesg frm pharmacist \n");
    :: pharmaout!one(mesg) -> printf("friend sends mesg to pharmacist \n");
    :: break                /* the friend may stop at any time */
    od
}

/************ init process **************/
init {
    atomic {
        /* channel roles are swapped between the two sides: the pharmacist's
           friendout is the friend's pharmain, and vice versa */
        run friend(q[pharmafrnd], q[frndpharma]);
        run pharmacist(q[frndpharma], q[pharmafrnd])
    }
}

/* LTL property: <> pharma_frnd  -- does the pharmacist send a message to the friend?
   Declared inline in Spin 6 syntax; because either process may take the break branch
   before any message is exchanged, SPIN reports a counterexample trace for it. */
ltl friend_informed { <> pharma_frnd }
```

     From: Theo R. Ruys – SPIN Beginner’s Tutorial, 2002

  10. Formalization Results
     • Properties checked
       • A friend cannot find out what medicine you're taking without your knowledge
       • Your protected health information won't be transmitted to a third party who is not covered by HIPAA privacy rule
       • A doctor may not disclose a patient’s record for TPO after the patient has denied consent.
     • Approach: Check validity of (HIPAA → Desired Property)

  11. Formalization Results
     • A friend cannot find out what medicine you're taking without your knowledge.
       (HIPAA → Desired Property) returns FALSE
     • Desired Property
       inrole(p1, pharmacist) ∧ inrole(q, patient) ∧ inrole(p2, friend[q]) ∧ t ∈ prescription ∧ send(p1, p2, t)
         → (!send(q, p1, deny-identification) S send(q, p1, identify-friend))
     • HIPAA Norms
       • § 164.510(b)(1) [Positive Norm]
         inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ phi ∧ inrole(p2, familyfriend[q]) ∧ send(p1, p2, t)

  12. Formalization Results
       [Positive Norm]
         inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ phi ∧ send(p1, p2, t)
         ∧ (!send(q, p1, deny-identification) S send(q, p1, identify-friend))
       • § 164.510(b)(2) [Negative Norm]
         inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ phi ∧ available-sane-agrees(q) ∧ send(q, p1, object-disclosure[t])
         → !send(p1, p2, t)
       • § 164.510(b)(3) [Positive Norm]
         inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ phi ∧ !available-sane-authorize(q) ∧ uses-professional-judgment(p1) ∧ !send(p1, p2, t)
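The check on slides 10 to 12 amounts to asking whether some trace is permitted by the HIPAA norms yet violates the desired property. The following is an added example, not code from the slides or from the authors' SPIN models: a small finite-trace checker in Python that evaluates the since operator "S" directly (the past-time operator the authors note SPIN lacks), encodes the § 164.510(b)(1) norm and the slide 11 desired property over constructed send events, and shows a trace that the norm permits but the property rejects. Names such as `Send`, `ROLES`, `PATIENT` and the traces are constructed for the example, and treating a pharmacist as an hcp is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Send:          # one send(sender, receiver, message) event in a trace
    sender: str
    receiver: str
    msg: str

# Constructed role table; "friend[alice]" mirrors the slides' friend[q] notation.
PATIENT = "alice"
ROLES = {"alice": "patient", "pharma": "pharmacist", "bob": "friend[alice]"}
HCP_ROLES = {"pharmacist"}   # assumption: a pharmacist counts as hcp for section 164.510(b)(1)

def inrole(p, role):
    return ROLES.get(p) == role

def since(trace, i, phi, psi):
    """Past-time 'phi S psi' at position i: psi held at some j <= i and phi at every k, j < k <= i."""
    for j in range(i, -1, -1):
        if psi(trace[j]):
            return True
        if not phi(trace[j]):
            return False
    return False

def norm_510_b1_permits(e, q=PATIENT):
    """Slide 11, 164.510(b)(1): an hcp may send phi (here a prescription) to a friend of q."""
    return (inrole(q, "patient") and ROLES.get(e.sender) in HCP_ROLES
            and e.msg == "prescription" and inrole(e.receiver, f"friend[{q}]"))

def desired_property_holds(trace, q=PATIENT):
    """Slide 11 desired property: a prescription sent by a pharmacist to a friend of q must be
    preceded by identify-friend from q, with no deny-identification from q since then."""
    for i, e in enumerate(trace):
        if inrole(e.sender, "pharmacist") and inrole(e.receiver, f"friend[{q}]") and e.msg == "prescription":
            identified = lambda x, e=e: x == Send(q, e.sender, "identify-friend")
            not_denied = lambda x, e=e: x != Send(q, e.sender, "deny-identification")
            if not since(trace, i, not_denied, identified):
                return False
    return True

def hipaa_implies_property(trace):
    """(HIPAA -> Desired Property) on one trace: False when every prescription send is permitted
    by the norm and yet the property fails, i.e. the trace is a counterexample."""
    permitted = all(norm_510_b1_permits(e) for e in trace if e.msg == "prescription")
    return not (permitted and not desired_property_holds(trace))

# Constructed traces. NO_IDENTIFY is permitted by 164.510(b)(1) but violates the property,
# which is the situation behind the slides' "(HIPAA -> Desired Property) returns FALSE".
NO_IDENTIFY = [Send("pharma", "bob", "prescription")]
IDENTIFIED = [Send("alice", "pharma", "identify-friend"), Send("pharma", "bob", "prescription")]
REVOKED = [Send("alice", "pharma", "identify-friend"),
           Send("alice", "pharma", "deny-identification"), Send("pharma", "bob", "prescription")]
```

A model checker explores all interleavings rather than one trace, but the verdict per trace is the same: `hipaa_implies_property(NO_IDENTIFY)` is False because nothing in the norm requires the patient to have identified the friend first.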

  13. Formalization Results
     [Figure: counterexample trace for the friend/medicine property: DISCLOSE]

  14. Formalization Results
     • Your protected health information won't be transmitted to a third party who is not covered by HIPAA privacy rule
       (HIPAA → Desired Property) returns FALSE
     • Desired Property
       inrole(p1, hcp) ∧ inrole(q, patient) ∧ t ∈ phi ∧ send(p1, p2, t) → incontext(p2, covered-entity)
     • HIPAA Norms
       • § 164.506(c)(1) [Positive Norm]
         inrole(p1, hcp) ∧ inrole(p2, hcp) ∧ t ∈ phi ∧ send(p1, p2, t) ∧ disclosure-for-TPO(p1, t)

  15. Formalization Results
       • § 164.506(c)(2) [Positive Norm]
         inrole(p1, hcp) ∧ inrole(p2, hcp) ∧ t ∈ phi ∧ send(p1, p2, t) ∧ disclosure-for-T(p2, t)
       • § 164.506(c)(3) [Positive Norm]
         inrole(p1, hcp) ∧ (inrole(p2, hcp) ∨ incontext(p2, covered-entity)) ∧ t ∈ phi ∧ send(p1, p2, t) ∧ disclosure-for-P(p2, t)
       • § 164.506(c)(4) [Positive Norm]
         inrole(p1, hcp) ∧ inrole(p2, hcp) ∧ inrole(q, patient) ∧ t ∈ phi ∧ has-relationship(q, p2) ∧ send(p1, p2, t) ∧ disclosure-for-TPO(p2, t)
       • § 164.506(c)(5) [Positive Norm]
         inrole(p1, hcp) ∧ inrole(p2, hcp) ∧ t ∈ phi ∧ send(p1, p2, t) ∧ incontext(p1, covered-entity) ∧ incontext(p2, covered-entity) ∧ disclosure-for-O(p2, t)

  16. Formalization Results
     [Figure: counterexample trace for the third-party property: Covered entity, Non-covered entity]

  17. Formalization Results
     • A doctor may not disclose a patient’s record for TPO after the patient has denied consent
       (HIPAA → Desired Property) returns FALSE
     • Desired Property
       inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ phi ∧ send(p1, p2, t) → (!send(q, p1, deny-consent) S send(q, p1, consent))
     • HIPAA Norms
       • § 164.506(a)(1) [Positive Norm]
         inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ phi ∧ (<->send(p1, q, consent-request) ∨ !<->send(p1, q, consent-request)) ∧ send(p1, p2, t)
       • § 164.506(a)(2) [Negative Norm]
         inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ authorization-requiring-phi ∧ !<->send(q, p1, authorization) → !send(p1, p2, t)

  18. Formalization Results
     [Figure: counterexample trace for the consent property: REQ, DENY, TPO]

  19. Conclusions
     HIPAA Specific:
     • The HIPAA privacy rule is generally comprehensive and well-specified.
     • However, the prose law does contain many ambiguous clauses.
     • And, in at least 3 ways, HIPAA fails to require expected protections of health information.
     Procedural:
     • SPIN, despite some troublesome flaws (lack of past operators, memory constraints), was a good choice for this analysis.
     • The methods of “Privacy & Contextual Integrity” are useful for consistently parsing prose law into LTL formulae.
     • 3 is not a crowd
