ABSTRACT
Health care entities publish privacy policies that are aligned with government regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and promise to use and disclose health data according to the stated policies. However, actual practices may deliberately or unintentionally violate these policies. To ensure enforcement of such policies, and ultimately HIPAA compliance, there is a need to develop an enforcement mechanism. In this paper we extend our work on IT-enforceable policies, submitted to the International Journal of Medical Informatics. The submitted work involved a detailed analysis of HIPAA privacy rules to extract the object-related conditions needed to make a disclosure decision. In this paper we extend this work to propose machine-enforceable policies that embody HIPAA privacy disclosure rules and a health care entity's access control rules. We also propose a comprehensive access/privacy control architecture that enforces the proposed policies. The architectural model is designed to allow for dynamic configuration of policies without reconfiguring the architecture responsible for enforcement. Both the proposed policies and the architecture allow multiple stakeholders to adjust their privacy preferences and manage the disclosure of data by adjusting the designated parameters in their respective policies. The objective of this study is to provide a comprehensive model for privacy protection, access, and logging of PHI that is HIPAA compliant.
Index Terms
- A comprehensive privacy-aware authorization framework founded on HIPAA privacy rules