
Medical information systems and privacy policy



  1. Medical information systems and privacy policy
  John C Mitchell, Stanford University

  2. Outline
  • Medical privacy problem
    • One part of a larger set of interesting challenges
  • Contextual integrity
    • Philosophical account of privacy, made precise
  • Workflow
    • Modeling hospital process
    • Useful on its own; approach to privacy in context
  • HIPAA formalization
    • Sample effort to write down complex policy and use this in prototype system

  3. Privacy in Organizational Processes
  [Diagram: patient information and patient medical bills flowing between Patient, Hospital, Insurance Company, Drug Company and Advertising]
  GOAL: Respect privacy expectations in the transfer and use of personal information within and across organizational boundaries

  4. Subproblem: accessing patient health info
  [Diagram with labels: Doctor, Specialist, Electronic Health Record, Patient Portal, HIPAA Compliance, Surrogate, Patient]

  5. Goals
  • Express policy precisely
    • Enterprise privacy policies
    • Privacy provisions from legislation
  • Analyze, enforce privacy policies
    • Does action comply with policy?
    • Does policy enforce the law?
  • Support audit
    • Privacy breach may occur. Find out how it happened

  6. Contextual Integrity
  • Philosophical account of privacy
    • Transfer of personal information
    • Describes what people care about
  • Flow governed by norms
    • Agents act in roles in social contexts
    • Information categorized by type
      • E.g., personal health information, psychiatric records, …
    • Rejects public/private dichotomy
  • Principles of transmission
    • Confidentiality, reciprocity, desert, etc. [Nissenbaum 2004, BarthDMN ‘06]

  7. Privacy Model: “Contextual Integrity”
  [Diagram: Alice sends Bob a message containing Charlie’s SSN 078-05-1120]
  • Four identifiers of an action:
    • Sender
    • Receiver
    • Person this is about (subject)
    • Type of information

  8. Gramm-Leach-Bliley Example
  [Diagram: the sentence below annotated with Sender role, Attribute, Subject role, Recipient role and Transmission principle]
  Financial institutions must notify consumers if they share their non-public personal information with non-affiliated companies, but the notification may occur either before or after the information sharing occurs

  9. One technical slide for fun: CI Norms and Policies
  • Policy consists of norms
    $(+)\quad \mathit{inrole}(p_1, r_1) \wedge \mathit{inrole}(p_2, r_2) \wedge \mathit{inrole}(q, r) \wedge t \in t' \wedge \varphi \rightarrow \psi$
    $(-)\quad \mathit{inrole}(p_1, r_1) \wedge \mathit{inrole}(p_2, r_2) \wedge \mathit{inrole}(q, r) \wedge t \in t' \wedge \varphi \rightarrow \psi$
  • $\varphi$ is an agent constraint
  • $\psi$ is a temporal condition
  • Norms assembled into policy formula
    $\forall p_1, p_2, q : P.\; \forall m : M.\; \forall t : T.\; \mathit{incontext}(p_1, c) \wedge \mathit{send}(p_1, p_2, m) \wedge \mathit{contains}(m, q, t) \rightarrow \bigvee \{\, \mathit{norm}^+ \mid \mathit{norm}^+ \in \mathit{norms}^+(c) \,\} \wedge \bigwedge \{\, \mathit{norm}^- \mid \mathit{norm}^- \in \mathit{norms}^-(c) \,\}$

  10. MyHealth@Vanderbilt Workflow example
  Humans + Electronic system
  [Diagram: Patient, Secretary, Nurse and Doctor exchanging Health Question, Health Answer and Appointment Request messages]
  Utility: Schedule appointments, obtain health answers
  Privacy: HIPAA compliance+

  11. Contextual Integrity: Organizational process and compliance
  [Diagram with labels: Norms, Purpose, Organizational Objectives, Information Policy, Utility Checker (ATL*), Privacy Checker (LTL), Organizational Process Design, Utility Evaluation, Compliance Evaluation]

  12. Auditing
  [Diagram with labels: Business Process Execution, Run-time Monitor, Audit Logs, Audit Algs, Privacy Policies, Utility Goals, Policy Violation + Accountable Agent]

  13. Research Prototype

  14. What is the logical structure of HIPAA?
  • Allow action if
    • There is a clause that explicitly permits it
    • And no clause explicitly forbids it
  • In more detail ...
    • Action: to, from, about, type, purpose, consents, beliefs
      • e.g. Dr., lab, patient, PHI, treatment, -, -
  • Example: 164.502 (a) Standard: (1) Permitted uses and disclosures. (ii) For treatment, payment, or health care operations, as permitted by and in compliance with 164.506;

  15. Refinement and Combination
  • Policy refinement
    • Basic policy relation
    • Does hospital policy enforce HIPAA?
    • P1 refines P2 if $P_1 \Rightarrow P_2$
    • Requires careful handling of attribute inheritance
  • Combination becomes logical conjunction
    • Defined in terms of refinement
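As an added example (not from the slides or the authors' prototype), here is a small Python model of the norm structure of slide 9, the permit-and-not-forbid rule of slide 14 and the refinement check of slide 15. The agents, roles, attribute types, purposes and all norms are constructed for illustration; the policy named HIPAA_LIKE only paraphrases the clause quoted on slide 14.

```python
from dataclasses import dataclass
from itertools import product
@dataclass(frozen=True)
class Action:   # slide 7's four identifiers plus the purpose field of slide 14
    sender: str
    recipient: str
    subject: str
    attr: str
    purpose: str

@dataclass(frozen=True)
class Norm:
    sender_role: str
    recipient_role: str
    subject_role: str
    attrs: frozenset      # t': the information types the norm governs
    purposes: frozenset   # the agent constraint phi, here a set of purposes
    def applies(self, roles, a):
        """Antecedent of a norm (slide 9): inrole(p1,r1), inrole(p2,r2), inrole(q,r), t in t'."""
        return (self.sender_role in roles.get(a.sender, ()) and
                self.recipient_role in roles.get(a.recipient, ()) and
                self.subject_role in roles.get(a.subject, ()) and a.attr in self.attrs)

def allowed(policy, roles, a):
    """Slide 14: allow iff some positive norm permits the action and no negative norm forbids
    it; positives combine by disjunction, negatives by conjunction (slide 9)."""
    positive, negative = policy
    permitted = any(n.applies(roles, a) and a.purpose in n.purposes for n in positive)
    forbidden = any(n.applies(roles, a) and a.purpose in n.purposes for n in negative)
    return permitted and not forbidden

def refines(p1, p2, roles, attrs, purposes):
    """Slide 15: P1 refines P2 when every action P1 allows is also allowed by P2, checked by
    enumerating the finite action space agents x agents x agents x attrs x purposes."""
    agents = list(roles)
    space = (Action(*c) for c in product(agents, agents, agents, attrs, purposes))
    return all(allowed(p2, roles, a) for a in space if allowed(p1, roles, a))

# Constructed roles, types and purposes; the positive norm paraphrases 164.502(a)(1)(ii).
ROLES = {"dr_alice": {"doctor"}, "lab_x": {"lab"}, "bob": {"patient"}, "adco": {"advertiser"}}
ATTRS, PURPOSES = ["PHI", "psychiatric"], ["treatment", "payment", "operations", "marketing"]
TPO = frozenset({"treatment", "payment", "operations"})
HIPAA_LIKE = ([Norm("doctor", "lab", "patient", frozenset(ATTRS), TPO)],
              [Norm("doctor", "advertiser", "patient", frozenset(ATTRS), frozenset(PURPOSES))])
# A hospital policy stricter than HIPAA_LIKE: psychiatric records go to the lab for treatment only.
HOSPITAL = ([Norm("doctor", "lab", "patient", frozenset({"PHI"}), TPO),
             Norm("doctor", "lab", "patient", frozenset({"psychiatric"}), frozenset({"treatment"}))],
            HIPAA_LIKE[1])
# A looser policy that lets marketing disclosures through, so it must not refine HIPAA_LIKE.
LOOSE = ([Norm("doctor", "lab", "patient", frozenset(ATTRS), frozenset(PURPOSES))], [])
```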

  16. Policy lifecycle issues
  • Requirements capture
    • What should the policy say?
  • Development
    • Adapt standard modules; build new ones; combine
  • Evaluation
    • Does the policy say what we want?
    • Analysis, testing, debugging
  • Compliance
    • Can the policy be enforced by system? Support audit?
  • Maintenance
    • Change as needed as requirements evolve

  17. Compliance
  [Diagram with labels: Contemplated Action, Judgment, Policy, Future Reqs, History]
  • Strong compliance
    • Future requirements after action can be met
    • Theorem: decidable in PSPACE
  • Weak compliance
    • Present requirements met by action
    • Theorem: decidable in Polynomial time
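An added example (not from the slides or the authors' prototype) that applies the weak/strong distinction of slide 17 and the audit step of slide 12 to the Gramm-Leach-Bliley transmission principle of slide 8. The event log, the three-tick notification deadline, the role sets and the opt-out rule are constructed assumptions.

```python
from collections import namedtuple
NOTIFY_DEADLINE = 3                   # assumed: notice due within 3 ticks after a share
BANKS, NONAFFILIATES, NONPUBLIC = {"bank"}, {"adco"}, {"account_balance", "ssn"}
# t, kind ("share"|"notify"|"optout"), actor, target (recipient or notified consumer), subject, attr
Event = namedtuple("Event", "t kind actor target subject attr", defaults=("", "", ""))

def obligation_of(e):
    """GLBA-style norm (slide 8): a non-affiliate share obliges a notice, before or after the share."""
    if e.kind == "share" and e.target in NONAFFILIATES and e.attr in NONPUBLIC:
        return (e.actor, e.subject, e.t + NOTIFY_DEADLINE)  # (owed by, owed to, deadline)
    return None

def notified(history, sharer, consumer):
    return any(h.kind == "notify" and h.actor == sharer and h.target == consumer for h in history)

def weakly_compliant(e, history):
    """Slide 17, weak: present requirements only; the notice is a future requirement."""
    return e.kind != "share" or e.actor in BANKS

def strongly_compliant(e, history):
    """Slide 17, strong: the incurred future requirement must still be satisfiable (not after an opt-out)."""
    ob = obligation_of(e)
    if not weakly_compliant(e, history):
        return False
    if ob is None or notified(history, ob[0], ob[1]):
        return True
    return not any(h.kind == "optout" and h.actor == ob[1] for h in history)

def audit(log):
    """Slide 12: replay the log; return (share time, accountable agent) for each unmet obligation."""
    pending, history = [], []
    for e in sorted(log, key=lambda x: x.t):
        if e.kind == "notify":  # a notice in time discharges obligations towards that consumer
            pending = [p for p in pending if not (p[1:3] == (e.actor, e.target) and e.t <= p[3])]
        ob = obligation_of(e)
        if ob and not notified(history, ob[0], ob[1]):
            pending.append((e.t, *ob))
        history.append(e)
    return [(p[0], p[1]) for p in pending]

LOG = [  # constructed audit log
    Event(1, "share", "bank", "adco", "alice", "account_balance"),
    Event(2, "notify", "bank", "alice"),                 # in time
    Event(3, "notify", "bank", "carol"),                 # notice before the share is fine
    Event(4, "share", "bank", "adco", "carol", "ssn"),
    Event(5, "optout", "dave"),
    Event(6, "share", "bank", "adco", "dave", "ssn"),    # weakly but not strongly compliant
    Event(7, "share", "bank", "adco", "erin", "ssn"),
    Event(11, "notify", "bank", "erin"),                 # past the deadline: not discharged
]
```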

  18. Related Languages
  [Comparison table not recoverable from the transcript]
  • Legend: [symbol] unsupported, o partially supported, [symbol] fully supported
  • CI fully supports attributes and combination

  19. Conclusions
  • Framework
    • Concurrent game model
    • Logic of Privacy and Utility
      • Temporal logic (LTL, ATL*)
    • Business Process as Workflow
      • Role-based responsibility for human and mechanical agents
  • Algorithmic Results
    • Workflow design assuming agents responsible
      • Privacy, utility decidable (model-checking)
      • Minimal disclosure workflow constructible
    • Auditing logs when agents irresponsible
      • From policy violation to accountable agents
  • Applications
    • MyHealth@Vanderbilt patient portal, ...
  Acknowledgements: CMU, Vanderbilt, TCS
