Formalization of Health Information Portability and Accountability Act (HIPAA)
Simon Berring, Navya Rehani, Dina Thomas
Overview
PreviousWork
SPIN
Results
Conclusions
Project Overview
• HIPAA Overview
• Previous Work
• Verification Tool - SPIN
• Formalization Results
• Conclusions
• Further Work
What is HIPAA?
Timeline
- 1996: main act is passed
- 2000: HHS releases privacy rule
- 2003: In response to criticism, HHS releases updated privacy rule
Goals
- Prevent malicious parties from obtaining protected health information (PHI)
- Allow flows of information necessary for health care
- Allow patients reasonable discretion
Privacy and Contextual Integrity
• Barth, Datta, Mitchell and Nissenbaum
• Uses typed, first order, linear temporal logic.
• With types = Agent | Message | Property | Context
• With grammar:
• With invariants:
• With norms (e.g.): inrole(p1, covered-entity) inrole(p2, individual) (q = p2) (t phi)
Privacy APIs
• Gunter et al.
• Defined a formalism for legal privacy rules: “auditable privacy systems”
• Created a language (HRU) that preserved the subtleties of law and was accessible to non-experts
• Investigated several properties, found one “unexpected ambiguity” about patient consent
• Converted HRU to Promela and used SPIN verification
Verification Tool: SPIN
• SPIN = Simple Promela Interpreter
• Software verifier for parallel, distributed systems
• LTL model checker
[Diagram of the SPIN workflow: Promela Model M, Xspin, LTL Translator, Verifier, Counter Example (Trace)]
Promela
From: Theo R. Ruys – SPIN Beginner’s Tutorial, 2002
• Promela = Protocol/Process Meta Language
• Communication via message channels (synchronous/asynchronous)
• Non-deterministic scheduling of processes
• Model consists of
  • Type declarations
  • Channel declarations
  • Variable declarations
  • Process declarations
  • [ init process ]
Promela example
From: Theo R. Ruys – SPIN Beginner’s Tutorial, 2002

    /******* #defines **************/
    /* mtype names are numbered from 1 upwards, so the channel array must
       have room for the largest index used below (at most 3 here) */
    #define N 4
    mtype { one };
    mtype { pharmafrnd, frndpharma };

    /********* global variables *************/
    /* each message is "one(mesg)", i.e. an mtype tag followed by a byte,
       so the channel element type must declare both fields */
    chan q[N] = [2] of { mtype, byte };
    bool pharma_frnd = 0;   /* set once the friend has received from the pharmacist */

    /************** processes ****************/
    proctype pharmacist(chan friendin, friendout) {
      byte mesg;
    end:
      do
      :: friendin?one(mesg) ->
           printf("pharmacist gets mesg frm friend\n");
      :: friendout!one(mesg) ->
           printf("pharmacist sends mesg to friend\n");
      :: break
      od
    }

    proctype friend(chan pharmain, pharmaout) {
      byte mesg;
    end:
      do
      :: pharmain?one(mesg) ->
           pharma_frnd = 1;
           printf("friend gets mesg frm pharmacist\n");
      :: pharmaout!one(mesg) ->
           printf("friend sends mesg to pharmacist\n");
      :: break
      od
    }

    /************ init process **************/
    init {
      atomic {
        run friend(q[pharmafrnd], q[frndpharma]);
        run pharmacist(q[frndpharma], q[pharmafrnd])
      }
    }

LTL property: <> pharma_frnd /* does the pharmacist send a message to the friend */
Formalization Results
• Properties checked
  • A friend cannot find out what medicine you're taking without your knowledge
  • Your protected health information won't be transmitted to a third party who is not covered by the HIPAA privacy rule
  • A doctor may not disclose a patient’s record for TPO after the patient has denied consent
• Approach: Check validity of (HIPAA -> Desired Property)
Formalization Results
• A friend cannot find out what medicine you're taking without your knowledge.
  (HIPAA -> Desired Property) returns FALSE
• Desired Property
  inrole(p1, pharmacist) inrole(q, patient) inrole(p2, friend[q]) t prescription send(p1, p2, t) (! send(q, p1, deny-identification) S send(q, p1, identify-friend))
• HIPAA Norms
  • § 164.510(b)(1) [Positive Norm]
    inrole(q, patient) inrole(p1, hcp) t phi inrole(p2, familyfriend[q]) send(p1, p2, t)
  • § 164.510(b)(1) [Positive Norm]
    inrole(q, patient) inrole(p1, hcp) t phi send(p1, p2, t) (!send(q, p1, deny-identification) S send(q, p1, identify-friend))
  • § 164.510(b)(2) [Negative Norm]
    inrole(q, patient) inrole(p1, hcp) t phi available-sane-agrees(q) send(q, p1, object-disclosure[t]) !send(p1, p2, t)
  • § 164.510(b)(3) [Positive Norm]
    inrole(q, patient) inrole(p1, hcp) t phi !available-sane-authorize(q) uses-professional-judgment(p1) !send(p1, p2, t)
[Figure: DISCLOSE]
Formalization Results
• Your protected health information won't be transmitted to a third party who is not covered by the HIPAA privacy rule
  (HIPAA -> Desired Property) returns FALSE
• Desired Property
  inrole(p1, hcp) inrole(q, patient) t phi send(p1, p2, t) incontext(p2, covered-entity)
• HIPAA Norms
  • § 164.506(c)(1) [Positive Norm]
    inrole(p1, hcp) inrole(p2, hcp) t phi send(p1, p2, t) disclosure-for-TPO(p1, t)
  • § 164.506(c)(2) [Positive Norm]
    inrole(p1, hcp) inrole(p2, hcp) t phi send(p1, p2, t) disclosure-for-T(p2, t)
  • § 164.506(c)(3) [Positive Norm]
    inrole(p1, hcp) (inrole(p2, hcp) incontext(p2, covered-entity)) t phi send(p1, p2, t) disclosure-for-P(p2, t)
  • § 164.506(c)(4) [Positive Norm]
    inrole(p1, hcp) inrole(p2, hcp) inrole(q, patient) t phi has-relationship(q, p2) send(p1, p2, t) disclosure-for-TPO(p2, t)
  • § 164.506(c)(5) [Positive Norm]
    inrole(p1, hcp) inrole(p2, hcp) t phi send(p1, p2, t) incontext(p1, covered-entity) incontext(p2, covered-entity) disclosure-for-O(p2, t)
[Figure: Covered entity / Non-covered entity]
Formalization Results
• A doctor may not disclose a patient’s record for TPO after the patient has denied consent
  (HIPAA -> Desired Property) returns FALSE
• Desired Property
  inrole(q, patient) inrole(p1, hcp) t phi send(p1, p2, t) (!send(q, p1, deny-consent) S send(q, p1, consent))
• HIPAA Norms
  • §164.506(a)(1) [Positive Norm]
    inrole(q, patient) inrole(p1, hcp) t phi (<->send(p1, q, consent-request) ! <->send(p1, q, consent-request)) send(p1, p2, t)
  • §164.506(a)(2) [Negative Norm]
    inrole(q, patient) inrole(p1, hcp) t authorization-requiring-phi !<-> send(q, p1, authorization) !send(p1, p2, t)
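Added illustrative Promela model, not from the slides, showing how the "check validity of (HIPAA -> Desired Property)" approach plays out for the consent case above. The doctor's behaviour is constrained only by §164.506(a)(1) as formalized, which permits a TPO disclosure whether or not a consent request was ever sent; since SPIN has no past-time operators, the formula (!send(q, p1, deny-consent) S send(q, p1, consent)) is tracked as a boolean that the doctor updates on each patient message; the LTL claim is the desired property. The process, channel and message names are my own choices, and Spin 6 `ltl` syntax is assumed.

```promela
/* Added example model (not from the slides).  Roles: q = patient,
   p1 = doctor (hcp), p2 = a third party receiving a TPO disclosure. */
mtype = { consent, deny_consent, consent_request, disclose };

chan doc_to_patient = [1] of { mtype };   /* consent requests        */
chan patient_to_doc = [1] of { mtype };   /* consent / deny-consent  */
chan doc_to_third   = [1] of { mtype };   /* the disclosure itself   */

/* stands in for (!send(q,p1,deny-consent) S send(q,p1,consent)) */
bool consent_in_effect = false;
bool disclosed = false;

active proctype patient() {
  mtype m;
end:
  do
  :: doc_to_patient?m               /* a consent request arrives */
  :: patient_to_doc!consent         /* patient grants consent    */
  :: patient_to_doc!deny_consent    /* patient withdraws consent */
  :: break
  od
}

active proctype doctor() {
  mtype m;
end:
  do
  :: doc_to_patient!consent_request
  :: patient_to_doc?m ->
       if
       :: m == consent      -> consent_in_effect = true
       :: m == deny_consent -> consent_in_effect = false
       :: else              -> skip
       fi
  /* 164.506(a)(1) as formalized: the antecedent holds whether or not a
     consent request was sent, so the disclosure carries no consent guard */
  :: atomic { doc_to_third!disclose; disclosed = true }
  :: break
  od
}

active proctype third_party() {
  mtype m;
end:
  do
  :: doc_to_third?m
  :: break
  od
}

/* Desired property: a disclosure only ever happens while consent is in
   effect.  Run: spin -a hipaa_consent.pml && gcc -o pan pan.c && ./pan -a
   Spin reports a counterexample trace (the doctor discloses before any
   consent, or after deny_consent): (HIPAA -> Desired Property) is FALSE. */
ltl desired { [] (disclosed -> consent_in_effect) }
```

The counterexample trace that `pan` writes (replay it with `spin -t -p hipaa_consent.pml`) is the analogue of the REQ / DENY / TPO sequence on the slides: consent is requested, denied, and the TPO disclosure still goes through because no norm forbids it.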
[Figure: REQ, DENY, TPO]
Conclusions
HIPAA Specific:
• The HIPAA privacy rule is generally comprehensive and well-specified.
• However, the prose law does contain many ambiguous clauses.
• And, in at least 3 ways, HIPAA fails to require expected protections of health information.
Procedural:
• SPIN, despite some troublesome flaws (lack of past operators, memory constraints), was a good choice for this analysis.
• The methods of “Privacy & Contextual Integrity” are useful for consistently parsing prose law into LTL formulae.
• 3 is not a crowd