HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA). HIPAA of 1996. Medical Privacy - National Standards to Protect the Privacy of Personal Health Information. Regulation Text: 45 CFR Parts 160, 162, and 164 [PDF 769KB] (Unofficial version, as amended through February 16, 2006).
Sections of the regulation text used in this work:
• 164.502 Uses and disclosure of protected health information.
• 164.506 Uses and disclosure to carry out treatment, payment or health care operations.
[Diagram: the Prolog Policy Verifier sits between the HIPAA covered entity (doctor, nurse) and the parties that exchange personal health information with it: patient, parents and relatives, minors, business associates, health records, and public release]
HIPAA translation
HIPAA LAW: 164.502.a.1 (ii) For treatment, payment, or health care operations, as permitted by and in compliance with §164.506;
PROLOG TRANSLATION:
    permitted_by_164_502_a_1_ii(A) :-
        satisfy_164_502_a_1_ii(A),
        permitted_by_164_506(A).
    satisfy_164_502_a_1_ii(A) :-
        has_purpose(A, healthcare);
        has_purpose(A, payment);
        has_purpose(A, treatment).
Hospital Facts: Covered Entities
PROLOG TRANSLATION:
    inRole(shh, covered_entity).
    inRole(jd, intern).
    inRole(carla, nurse).
    inRole(j, janitor).
    % TRANSITIVE CLOSURES:
    inRole(intern, doctor).
    inRole(doctor, covered_entity).
    % RELATION:
    employee_of(jd, shh).
    parent_of(kid, cox).
    business_associate(seattle_grace, shh).
[Diagram: parties around the covered entity: business associate, employees, lawyer, janitor, nurse, intern]
Model
• All queries to the Prolog program consist of a message that is passed between entities.
• Message term: a(To, From, About, Type, Purpose, InReplyTo, ConsentedBy)
• Example: the nurse (carla) sends the intern (jd) the message "What medication to give the leukemia kid?", which is checked with the query
    pbh(a(jd, carla, kid, phi, treatment, _, _)).
Assumptions
• Everything can be represented as messages.
• All fields are accurate.
• Ideal world with authenticated / authorized identities.
• All information is passed through the system.
• A few parts, like "the doctor believes in good judgement", could not be coded.
• The results and conclusions are based on the portion of HIPAA we interpreted and coded.
Properties
• Can an unauthorized insider get PHI?
• Can an outsider get PHI?
Tests
• Verification of the implementation: runs individual test cases.
• Exhaustive search.
• Law cases: very elaborate to code. Simple ones were satisfied by HIPAA.
1. Insider gaining PHI
• § 164.506 Uses and disclosures to carry out treatment, payment, or health care operations.
• (c) Implementation specifications: Treatment, payment, or health care operations.
• (1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.
[Diagram: the covered entity passes PHI to a nurse: "Don't go in that room as patient has SARS"]
2. Outsider gaining PHI
• § 164.502 Uses and disclosures of protected health information: general rules.
• (a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
• (2) Required disclosures. A covered entity is required to disclose protected health information:
• (ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subpart.
[Diagram: a doctor in the covered entity sends the entire database of personal health information to the Secretary for compliance verification]
3. Insider then Outsider
[Diagram: in the past, a doctor inside the covered entity; in the present, a freelance journalist outside it]
Potential Shortcomings
• There are many such outside agents who could gain legitimate access to PHI and are not regulated by HIPAA after they gain access.
• HIPAA does not regulate information once it leaves its definition of a covered entity.
• DISCLAIMER: All these shortcomings are based on what we looked at. It may be that they are not there at all.
DOS Attack!!
• To establish that a predicate is NOT permitted, the Prolog checker needs to verify it against all the given clauses.
• It is easy to mount a DOS attack on our implementation.
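The HIPAA translation, hospital facts and message model from the earlier slides, put together into one program and wrapped in a time-bounded check that addresses the exhaustive-search concern on this slide, as an added example that is not the presentation's own code. It assumes SWI-Prolog, that carla is employed by shh, that nurses act for the covered entity, and it models 164.506(c)(1) as sender and receiver both being staff of the same covered entity.

```prolog
% Added example (not the slides' program): HIPAA 164.502(a)(1)(ii) in Prolog over the
% message term a(To, From, About, Type, Purpose, InReplyTo, ConsentedBy), plus a
% time-bounded check so a query that forces an exhaustive search cannot hang the checker.
:- use_module(library(time)).          % SWI-Prolog: call_with_time_limit/2

% Hospital facts (names from the slides; carla's employment is an assumption)
in_role(shh, covered_entity).
in_role(jd, intern).
in_role(carla, nurse).
in_role(j, janitor).
employee_of(jd, shh).
employee_of(carla, shh).
% Role hierarchy, kept apart from in_role/2 so the closure below terminates
sub_role(intern, doctor).
sub_role(doctor, covered_entity).
sub_role(nurse, covered_entity).       % assumption: nursing staff act for the entity
% Transitive closure: X holds role R directly or through a sub-role
holds_role(X, R) :- in_role(X, R).
holds_role(X, R) :- sub_role(S, R), holds_role(X, S).

% Accessors over the message term
receiver(a(T, _, _, _, _, _, _), T).
sender(a(_, F, _, _, _, _, _), F).
msg_type(a(_, _, _, Ty, _, _, _), Ty).
has_purpose(a(_, _, _, _, P, _, _), P).

% 164.502(a)(1)(ii): TPO purpose, as permitted by and in compliance with 164.506
permitted_by_164_502_a_1_ii(A) :-
    satisfy_164_502_a_1_ii(A),
    permitted_by_164_506(A).
satisfy_164_502_a_1_ii(A) :-
    has_purpose(A, healthcare) ; has_purpose(A, payment) ; has_purpose(A, treatment).
% 164.506(c)(1) modelled (assumption) as: sender and receiver are covered-entity
% staff of the same entity, so the disclosure stays inside that entity's own TPO
permitted_by_164_506(A) :-
    sender(A, F), receiver(A, T),
    holds_role(F, covered_entity), holds_role(T, covered_entity),
    employee_of(F, E), employee_of(T, E).

% "Permitted by HIPAA" for PHI messages, over the clauses modelled here
pbh(A) :- msg_type(A, phi), permitted_by_164_502_a_1_ii(A).

% Bounded check: proving "not permitted" means exhausting every clause, so cap the
% search time and answer undecided rather than let one query tie up the checker
check(A, Result) :-
    catch(call_with_time_limit(1, ( pbh(A) -> Result = permitted ; Result = denied )),
          time_limit_exceeded,
          Result = undecided).
```

After consulting the file, check(a(jd, carla, kid, phi, treatment, _, _), R) binds R to permitted, while the same message addressed to the janitor j gives denied because holds_role(j, covered_entity) has no derivation.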
Rational reconstruction
• The law itself is well structured.
• The purpose and relation of clauses are explicit.
• Past: can send a message if it was consented to in the past by the patient.
• Present: can send PHI to other covered entities for health care operations.
• Future: if the individual has requested his PHI, the covered entity is required to send it.
Suggestions
• Cover all agents who hold PHI of other people under HIPAA; treat them as covered entities.
• During an emergency the patient data should be easily available to any person who can help at that moment. Surprisingly, there is no mention of emergency!
• The system implementation at a hospital should be resilient to ID theft, along with having all the security features in place.
Prolog as a model for compliance checker - Cons:
• Laws are not written to be logical!!
• HIPAA specifies what to implement, not how.
• It definitely does not replace the human auditor.
• Difficult to formalize exactly; it is based on interpretation and requires many iterations of corrections.
Prolog as a model for compliance checker - Pros:
• Better than nothing.
• Easy to understand.
• Makes the job of the HIPAA auditor easy.
• Requires interpretation of the query log to obtain the proper insights.
• Exhaustive search to test all the pathways in data transfer.