Title: Formalization of the Health Insurance Portability and Accountability Act (HIPAA)
1 Formalization of the Health Insurance Portability and Accountability Act (HIPAA)
Simon Berring, Navya Rehani, Dina Thomas
2 Project Overview
Overview
- HIPAA Overview
- Previous Work
- Verification Tool: SPIN
- Formalization Results
- Conclusions
- Further Work
3 What is HIPAA?
- Timeline
- - 1996: the main act is passed
- - 2000: HHS releases the Privacy Rule
- - 2003: in response to criticism, HHS releases an updated Privacy Rule
- Goals
- - Prevent malicious parties from obtaining protected health information (PHI)
- - Allow the flows of information necessary for health care
- - Allow patients reasonable discretion
4 Privacy and Contextual Integrity
Previous Work
- Barth, Datta, Mitchell and Nissenbaum
- Uses a typed, first-order, linear temporal logic
- With types: Agent, Message, Property, Context
- With a grammar
- With invariants
- With norms, e.g.
- - inrole(p1, covered-entity) ∧ inrole(p2, individual) ∧ (q = p2) ∧ (t ∈ phi)
5 Privacy APIs
Previous Work
- Gunter et al.
- Defined a formalism for legal privacy rules: auditable privacy systems
- Created a language (based on the HRU access-control model) that preserved the subtleties of the law and was accessible to non-experts
- Investigated several properties; found one unexpected ambiguity about patient consent
- Converted the HRU model to Promela and used SPIN for verification
6 Verification Tool
- SPIN: Simple Promela Interpreter
- Software verifier for parallel and distributed systems
- LTL model checker
SPIN
7 Promela
- Promela: Protocol/Process Meta Language
- Communication via message channels (synchronous/asynchronous)
- Non-deterministic scheduling of processes
- Model consists of
- - Type declarations
- - Channel declarations
- - Variable declarations
- - Process declarations
- - init process
From Theo C. Ruys, SPIN Beginners' Tutorial, 2002
8 Promela
/* defines */
#define N 2
#define pharmafrnd 0          /* index of the pharmacist -> friend channel */
#define frndpharma 1          /* index of the friend -> pharmacist channel */
mtype = { one };
/* global variables */
chan q[N] = [2] of { mtype, byte };   /* messages are tagged with the mtype "one" */
bool pharma_frnd = 0;         /* set once the friend has received a message from the pharmacist */
/* processes */
proctype pharmacist(chan friendin, friendout)
{
  byte mesg;
end:
  do
  :: friendin?one(mesg) ->
       printf("pharmacist gets mesg frm friend\n");
       friendout!one(mesg) ->
       printf("pharmacist sends mesg to friend\n");
       break
  od
}
9 Promela
proctype friend(chan pharmain, pharmaout)
{
  byte mesg;
end:
  do
  :: pharmain?one(mesg) ->
       pharma_frnd = 1;
       printf("friend gets mesg frm pharmacist\n");
       pharmaout!one(mesg) ->
       printf("friend sends mesg to pharmacist\n");
       break
  od
}
/* init process */
init
{
  atomic {
    run friend(q[pharmafrnd], q[frndpharma]);
    run pharmacist(q[frndpharma], q[pharmafrnd]);
    q[frndpharma]!one(1)      /* injects the first message; without it both processes wait on a receive forever */
  }
}
/* LTL property: does the pharmacist send a message to the friend? */
<> pharma_frnd
10 Formalization Results
- Properties checked
- - A friend cannot find out what medicine you're taking without your knowledge
- - Your protected health information won't be transmitted to a third party who is not covered by the HIPAA Privacy Rule
- - A doctor may not disclose a patient's record for TPO after the patient has denied consent
- Approach: check the validity of
- - (HIPAA → Desired Property)
Results
11 Formalization Results
- A friend cannot find out what medicine you're taking without your knowledge.
- (HIPAA → Desired Property) returns FALSE
- Desired Property
- - inrole(p1, pharmacist) ∧ inrole(q, patient) ∧ inrole(p2, friend_q) ∧ t ∈ prescription ∧ send(p1, p2, t) → (¬send(q, p1, deny-identification) S send(q, p1, identify-friend))
- HIPAA Norms
- - 164.510(b)(1): Positive Norm
- - inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ phi ∧ inrole(p2, family-friend_q) ∧ send(p1, p2, t)
12 Formalization Results
- - Positive Norm
- - inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ phi ∧ send(p1, p2, t) ∧ (¬send(q, p1, deny-identification) S send(q, p1, identify-friend))
- - 164.510(b)(2): Negative Norm
- - inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ phi ∧ available-sane-agrees(q) ∧ send(q, p1, object-disclosure_t) → □¬send(p1, p2, t)
- - 164.510(b)(3): Positive Norm
- - inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ phi ∧ ¬available-sane-authorize(q) ∧ uses-professional-judgment(p1) ∧ ¬send(p1, p2, t)
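The check the slides describe, run end to end on the 164.510(b) friend-disclosure case, as an added example that is not the authors' model: it encodes the positive norm (b)(1) and the negative norm (b)(2) as the provider's sending rules, encodes the desired property's past-time operator S (which SPIN lacks, as the conclusions note) with a history bit that is updated when the provider receives the patient's message, and asks SPIN whether HIPAA → Desired Property holds. The agent, channel and message names (q, p1, p2, identify_friend, ...) and the file name hipaa510b.pml are assumptions of this example. The same monitor-bit encoding serves the consent property on slide 17 (¬deny-consent S consent).

```promela
/* Added example (not the slides' own model): SPIN check of
   (HIPAA 164.510(b) norms -> "a friend needs identification" property).
   Agent and message names (q, p1, p2, identify_friend, ...) are assumed. */

mtype = { identify_friend, deny_identification, object_disclosure, phi };

chan q_to_p1  = [1] of { mtype };   /* patient q   -> provider p1 */
chan p1_to_p2 = [1] of { mtype };   /* provider p1 -> friend p2   */

/* Role fact the norms refer to; fixed true in this model:
   inrole(p2, family-friend_q). */
bool inrole_friend_q = true;

/* History bits standing in for the past-time operators SPIN lacks.
   identified == (!send(q,p1,deny-identification) S send(q,p1,identify-friend)),
   evaluated at the moment p1 processes q's message. */
bool identified = false;
bool objected   = false;            /* q has sent object-disclosure */

/* Monitor bit for the desired property: becomes true if phi went to p2
   at a moment when `identified` was false. */
bool disclosed_without_id = false;

active proctype patient() {
  do
  :: q_to_p1!identify_friend
  :: q_to_p1!deny_identification
  :: q_to_p1!object_disclosure
  :: break
  od
}

active proctype provider() {
  mtype m;
  do
  :: q_to_p1?m ->
       if
       :: m == identify_friend     -> identified = true
       :: m == deny_identification -> identified = false
       :: m == object_disclosure   -> objected = true
       fi
  /* 164.510(b)(1) positive norm: p2 is a friend of q, so p1 may send phi.
     164.510(b)(2) negative norm: not once q has objected.
     No norm mentions `identified`; that gap is what SPIN will find. */
  :: atomic {
       (inrole_friend_q && !objected && nfull(p1_to_p2)) ->
         p1_to_p2!phi;
         disclosed_without_id = disclosed_without_id || !identified
     }
  :: break
  od
}

active proctype friend() {
  mtype m;
end:
  do
  :: p1_to_p2?m
  od
}

/* Desired property from the slides, with S folded into the history bit. */
ltl friend_needs_identification { [] !disclosed_without_id }
```

Run it with `spin -a hipaa510b.pml && gcc -O2 -o pan pan.c && ./pan -a`, then replay the trail with `spin -t -p hipaa510b.pml`. The provider's disclosure option is enabled in the initial state (p2 is a friend, nobody has objected, the channel is empty) while `identified` is still false, so the claim is violated and the trail shows p1 sending phi before any identify_friend message: the FALSE result reported on slide 11. Adding `&& identified` to the provider's guard, i.e. strengthening the norm to require identification, makes the property hold, which is the experiment that tells you which clause is missing rather than just that one is.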
13 Formalization Results
[Figure: diagram with label DISCLOSE]
14 Formalization Results
- Your protected health information won't be transmitted to a third party who is not covered by the HIPAA Privacy Rule
- (HIPAA → Desired Property) returns FALSE
- Desired Property
- - inrole(p1, hcp) ∧ inrole(q, patient) ∧ t ∈ phi ∧ send(p1, p2, t) → incontext(p2, covered-entity)
- HIPAA Norms
- - 164.506(c)(1): Positive Norm
- - inrole(p1, hcp) ∧ inrole(p2, hcp) ∧ t ∈ phi ∧ send(p1, p2, t) ∧ disclosure-for-TPO(p1, t)
15 Formalization Results
- - 164.506(c)(2): Positive Norm
- - inrole(p1, hcp) ∧ inrole(p2, hcp) ∧ t ∈ phi ∧ send(p1, p2, t) ∧ disclosure-for-T(p2, t)
- - 164.506(c)(3): Positive Norm
- - inrole(p1, hcp) ∧ (inrole(p2, hcp) ∨ incontext(p2, covered-entity)) ∧ t ∈ phi ∧ send(p1, p2, t) ∧ disclosure-for-P(p2, t)
- - 164.506(c)(4): Positive Norm
- - inrole(p1, hcp) ∧ inrole(p2, hcp) ∧ inrole(q, patient) ∧ t ∈ phi ∧ has-relationship(q, p2) ∧ send(p1, p2, t) ∧ disclosure-for-TPO(p2, t)
- - 164.506(c)(5): Positive Norm
- - inrole(p1, hcp) ∧ inrole(p2, hcp) ∧ t ∈ phi ∧ send(p1, p2, t) ∧ incontext(p1, covered-entity) ∧ incontext(p2, covered-entity) ∧ disclosure-for-O(p2, t)
16 Formalization Results
[Figure: diagram with labels Covered entity, Non-covered entity]
17 Formalization Results
- A doctor may not disclose a patient's record for TPO after the patient has denied consent
- (HIPAA → Desired Property) returns FALSE
- Desired Property
- - inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ phi ∧ send(p1, p2, t) → (¬send(q, p1, deny-consent) S send(q, p1, consent))
- HIPAA Norms
- - 164.506(a)(1): Positive Norm
- - inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ phi ∧ (◇send(p1, q, consent-request) ∨ ¬◇send(p1, q, consent-request)) ∧ send(p1, p2, t)
- - 164.506(a)(2): Negative Norm
- - inrole(q, patient) ∧ inrole(p1, hcp) ∧ t ∈ authorization-requiring-phi ∧ ¬◇send(q, p1, authorization) → ¬send(p1, p2, t)
18 Formalization Results
[Figure: diagram with labels REQ, DENY, TPO]
19 Conclusions
- HIPAA specific
- - The HIPAA Privacy Rule is generally comprehensive and well specified.
- - However, the prose law does contain many ambiguous clauses.
- - And, in at least 3 ways, HIPAA fails to require expected protections of health information.
- Procedural
- - SPIN, despite some troublesome flaws (lack of past operators, memory constraints), was a good choice for this analysis.
- - The methods of Privacy and Contextual Integrity are useful for consistently parsing prose law into LTL formulae.
- - 3 is not a crowd?
Conclusions