Skip to main content
SpringerLink
Log in

A Formalization of HIPAA for a Medical Messaging System

  • Conference paper
Book cover Trust, Privacy and Security in Digital Business (TrustBus 2009)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5695))

Abstract

The complexity of regulations in healthcare, financial services, and other industries makes it difficult for enterprises to design and deploy effective compliance systems. We believe that in some applications, it may be practical to support compliance by using formalized portions of applicable laws to regulate business processes that use information systems. In order to explore this possibility, we use a stratified fragment of Prolog with limited use of negation to formalize a portion of the US Health Insurance Portability and Accountability Act (HIPAA). As part of our study, we also explore the deployment of our formalization in a prototype hospital Web portal messaging system.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: An XPath-based preference language for P3P. In: Proceedings of the Twelfth International Conference on World Wide Web, pp. 629–639. ACM Press, New York (2003)

    Chapter  Google Scholar 

  2. Antón, A.I., Earp, J.B., Reese, A.: Analyzing website privacy requirements using a privacy goal taxonomy. In: Requirements Engineering 2002, pp. 23–31 (2002)

    Google Scholar 

  3. Anton, A.I., Eart, J.B., Vail, M.W., Jain, N., Gheen, C.M., Frink, J.M.: Hipaa’s effect on web site privacy policies. IEEE Security and Privacy 5(1), 45–52 (2007)

    Article  Google Scholar 

  4. Antón, A.I., He, Q., Baumer, D.L.: Inside JetBlue’s privacy policy violations. IEEE Security and Privacy 2(6), 12–18 (2004)

    Article  Google Scholar 

  5. Barth, A., Datta, A., Mitchell, J.C., Nissenbaum, H.: Privacy and contextual integrity: Framework and applications. In: IEEE Symposium on Security and Privacy, pp. 184–198. IEEE Computer Society, Los Alamitos (2006)

    Google Scholar 

  6. Barth, A., Mitchell, J., Datta, A., Sundaram, S.: Privacy and utility in business processes. Computer Security Foundations Symposium, IEEE, 279–294 (2007)

    Google Scholar 

  7. Barth, A., Mitchell, J.C.: Enterprise privacy promises and enforcement. In: Workshop on Issues in the Theory of Security, pp. 58–66. ACM Press, New York (2005)

    Google Scholar 

  8. Bell, D.E., La Padula, L.J.: Secure computer systems: Mathematical foundations. Technical Report 2547, MITRE Corporation (1973)

    Google Scholar 

  9. Borrelli, M.A.: Prolog and the law: using expert systems to perform legal analysis in the United Kingdom. Softw. Law J. 3(4), 687–715 (1990)

    Google Scholar 

  10. Crampton, J.: On permissions, inheritance and role hierarchies. In: Proceedings of the 10th ACM Conference on Computer and Communication Security, pp. 85–92. ACM Press, New York (2003)

    Chapter  Google Scholar 

  11. Cranor, L.F., Langheinrich, M., Marchiori, M., Presler-Marshall, M., Reagle, J.: The platform for privacy preferences 1.0 (P3P1.0) specification (2002), http://www.w3.org/TR/P3P/

  12. Cuppens-Boulahia, N., Cuppens, F., Haidar, D.A., Debar, H.: Negotiation of prohibition: An approach based on policy rewriting. In: IFIP International Federation for Information Processing, vol. 278, pp. 173–187. Springer, Boston (2008)

    Google Scholar 

  13. Evans-Pughe, C.: The logic of privacy. The Economist 382(8510), 65–66 (2007)

    Google Scholar 

  14. Jajodia, S., Samarati, P., Sapino, M.L., Subrahmanian, V.S.: Flexible support for multiple access control policies. ACM Trans. Database Syst. 26(2), 214–260 (2001)

    Article  MATH  Google Scholar 

  15. Masys, D.: Electronic medical records and secure patient portals as an application domain for team research in ubiquitous secure technologies (2005), http://dbmi.mc.vanderbilt.edu/trust/TRUST_for_patient_portals.pdf

  16. May, M.J., Gunter, C.A., Lee, I.: Privacy APIs: Access control techniques to analyze and verify legal privacy policies. In: IEEE Workshop on Computer Security Foundations, pp. 85–97. IEEE Computer Society Press, Los Alamitos (2006)

    Google Scholar 

  17. Ness, R.B.: A year is a terrible thing to waste: early experience with HIPAA. Annals of Epidemiology 15(2), 85–86 (2005)

    Article  Google Scholar 

  18. Nilsson, U., Maluszynski, J.: Logic, Programming and Prolog, 2nd edn. Wiley, Chichester (1995)

    MATH  Google Scholar 

  19. Nissenbaum, H.: Privacy as contextual integrity. Washington Law Review 79(1), 119–158 (2004)

    Google Scholar 

  20. OASIS. eXtensible Access Control Markup Language (XACML) 2.0, http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf

  21. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)

    Article  Google Scholar 

  22. Schunter, M., Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language, EPAL 1.1 (2003), http://www.zurich.ibm.com/security/enterprise-privacy/epal/Specification/

  23. Sherman, D.M.: A prolog model of the income tax act of Canada. In: ICAIL 1987: Proceedings of the 1st international conference on Artificial intelligence and law, pp. 127–136 (1987)

    Google Scholar 

  24. Stanford Privacy Group. HIPAA Compliance Checker, http://crypto.stanford.edu/privacy/HIPAA

  25. Stufflebeam, W.H., Antón, A.I., He, Q., Jain, N.: Specifying privacy policies with P3P and EPAL: lessons learned. In: WPES 2004: Proceedings of the 2004 ACM workshop on Privacy in the electronic society, pp. 35–35. ACM, New York (2004)

    Google Scholar 

  26. U.S. Department of Health and Human Services. Understanding HIPAA privacy, http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

  27. U.S. Department of Health and Human Services. HIPAA administrative simplification (2006), http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf

  28. Vanderbilt Medical Center. MyHealthAtVanderbilt, https://www.myhealthatvanderbilt.com/

Download references

Author information

Authors and Affiliations

  1. Stanford University, Stanford, CA

    Peifung E. Lam, John C. Mitchell & Sharada Sundaram

  2. Tata Research Development and Design, Pune, India

    Sharada Sundaram

Authors
  1. Peifung E. Lam
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. John C. Mitchell
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Sharada Sundaram
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, Karlstad University, Universitetsgatan 2, 651 88, Karlstad, Sweden

    Simone Fischer-Hübner

  2. Laboratory of Information and Communication Systems Security, Department of Information and Communication Systems Engineering, University of the Aegean, 83200, Karlovassi, Samos, Greece

    Costas Lambrinoudakis

  3. Department of Management Information Systems, University of Regensburg, Universitätsstraße 31, 93053, Regensburg, Germany

    Günther Pernul

Rights and permissions

Reprints and permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lam, P.E., Mitchell, J.C., Sundaram, S. (2009). A Formalization of HIPAA for a Medical Messaging System. In: Fischer-Hübner, S., Lambrinoudakis, C., Pernul, G. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2009. Lecture Notes in Computer Science, vol 5695. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03748-1_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-03748-1_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-03747-4

  • Online ISBN: 978-3-642-03748-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation