The Anatomy of the HIPAA Privacy Rule: A Risk-Based Approach as a Remedy for Privacy-Preserving Data Sharing

  • Conference paper
Advances in Information and Computer Security (IWSEC 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11049)

Abstract

This paper explores the effectiveness of a risk-based approach methodology in constructing systematic standards for privacy-conscious data sharing and disclosure. We consider the HIPAA (Health Insurance Portability and Accountability Act of 1996) Privacy Rule as an example and show that the data disclosure methods defined in the HIPAA Privacy Rule are well-constituted, by assessing the privacy risks of each disclosure method. We further explore factors that contribute to the success of the HIPAA Privacy Rule and discuss how we can leverage these factors as a reference for constructing privacy-conscious and systematic data disclosure rules and regulations in other domains.

Notes

  1. In the HIPAA Security Rule, assessing potential risks concerning the confidentiality, integrity, and availability of health information is defined as a required obligation (45 CFR §164.308(a)(1)(ii)(A)).

Author information

Corresponding author

Correspondence to Makoto Iguchi.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Iguchi, M., Uematsu, T., Fujii, T. (2018). The Anatomy of the HIPAA Privacy Rule: A Risk-Based Approach as a Remedy for Privacy-Preserving Data Sharing. In: Inomata, A., Yasuda, K. (eds) Advances in Information and Computer Security. IWSEC 2018. Lecture Notes in Computer Science, vol 11049. Springer, Cham. https://doi.org/10.1007/978-3-319-97916-8_12

  • DOI: https://doi.org/10.1007/978-3-319-97916-8_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-97915-1

  • Online ISBN: 978-3-319-97916-8

  • eBook Packages: Computer Science, Computer Science (R0)
