HIPAA HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
DESCRIPTION

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT. HIPAA. HIPAA of 1996. Medical Privacy - National Standards to Protect the Privacy of Personal Health Information. Regulation Text: 45 CFR Parts 160, 162, and 164 [ PDF 769KB] (Unofficial version, as amended through February 16, 2006). - PowerPoint PPT Presentation


Page 1: HIPAA

HIPAA: HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

Page 2: HIPAA

HIPAA of 1996

Regulation Text: 45 CFR Parts 160, 162, and 164 [PDF 769KB]

(Unofficial version, as amended through February 16, 2006)

Medical Privacy - National Standards to Protect the Privacy of Personal Health Information

§ 164.502 Uses and disclosure of protected health information.

§ 164.506 Uses and disclosure to carry out treatment, payment or health care operations.

Page 3: HIPAA

Diagram: personal health information flows between covered entities, business associates, the patient, parents, minors and relatives, and may end in public release; a nurse and a doctor handle the health records of a patient. Each flow is checked against HIPAA by the Prolog policy verifier.

Page 4: HIPAA

HIPAA translation

HIPAA LAW: 164.502(a)(1)(ii) For treatment, payment, or health care operations, as permitted by and in compliance with §164.506;

PROLOG TRANSLATION:

    permitted_by_164_502_a_1_ii(A) :-
        satisfy_164_502_a_1_ii(A),
        permitted_by_164_506(A).

    satisfy_164_502_a_1_ii(A) :-
        has_purpose(A, healthcare);
        has_purpose(A, payment);
        has_purpose(A, treatment).

Page 5: HIPAA

PROLOG TRANSLATION:

    inRole(shh, covered_entity).
    inRole(jd, intern).
    inRole(carla, nurse).
    inRole(j, janitor).

    % TRANSITIVE CLOSURES:
    inRole(intern, doctor).
    inRole(doctor, covered_entity).

    % RELATIONS:
    employee_of(jd, shh).
    parent_of(kid, cox).
    business_associate(seattle_grace, shh).

Diagram (hospital facts): the covered entities, their employees (lawyer, janitor, nurse, intern) and a business associate.

Page 6: HIPAA

Model

All queries to the Prolog program consist of a message that is passed between entities:

    a(to, from, about, type, purpose, in_reply_to, consented_by)

Example (nurse to intern): what medication to give the leukemia kid?

    pbh(a(jd, carla, kid, phi, treatment, _, _)).

Page 7: HIPAA

Assumptions

Everything can be represented as messages.

All fields are accurate.

Ideal world with authenticated / authorized identities.

All information is passed through the system.

Few parts, like the "doctor believes in good judgement", could not be coded.

The results and conclusions are based on the amount of HIPAA we interpreted and coded.

Page 8: HIPAA

Properties

Can an unauthorized insider get PHI? Can an outsider get PHI?

Tests

Verification of the implementation: runs individual test cases, plus exhaustive search.

Law cases: very elaborate to code. The simple ones were satisfied by HIPAA.

Page 9: HIPAA

Query: pbh(a(lawyer, shh, lawyer, phi))

Facts and rules involved:

    inRole(lawyer, individual).

    pbh(A) :- permitted_by_a_1_i(A).

    permitted_by_a_1_i(A) :- msg_to_concerned(A), msg_to_individual(A).

    msg_to_concerned(a(X, _, X, _)).

    msg_to_individual(a(X, _, _, _)) :- inRole(X, individual).

Resolution:

    pbh(A), with A = a(lawyer, shh, lawyer, phi)
    -> permitted_by_a_1_i(A)
    -> msg_to_concerned(a(X, _, X, _)), X = lawyer   (recipient and subject are the same person)
    -> msg_to_individual(a(X, _, _, _)), X = lawyer
    -> inRole(lawyer, individual)                    (a fact, so the request is permitted)
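The deck's message model (slide 6) and the lawyer derivation (slide 9), completed into one runnable Prolog program. This is an added example, not the project's own code: the role facts, the reading of §164.506(c)(1) as "both parties hold a covered-entity role", and the purpose atom `access` are assumptions.

```prolog
% Added example, not the deck's code. Roles and the 164.506 encoding
% (both parties hold a covered-entity role) are assumptions.
inRole(shh, covered_entity).
inRole(jd, intern).
inRole(carla, nurse).
inRole(j, janitor).
inRole(lawyer, individual).
% role-to-role facts give the deck's transitive closure
inRole(intern, doctor).
inRole(doctor, covered_entity).
inRole(nurse, covered_entity).

in_role_tc(X, R) :- inRole(X, R).
in_role_tc(X, R) :- inRole(X, R1), in_role_tc(R1, R).

% Message: a(To, From, About, Type, Purpose, InReplyTo, ConsentedBy)
has_purpose(a(_, _, _, _, Purpose, _, _), Purpose).

% 164.502(a)(1)(i): disclosure to the individual, about themselves
msg_to_concerned(a(X, _, X, _, _, _, _)).
msg_to_individual(a(X, _, _, _, _, _, _)) :- inRole(X, individual).
permitted_by_164_502_a_1_i(A) :- msg_to_concerned(A), msg_to_individual(A).

% 164.502(a)(1)(ii): a TPO purpose and permitted under 164.506
permitted_by_164_502_a_1_ii(A) :-
    satisfy_164_502_a_1_ii(A),
    permitted_by_164_506(A).
satisfy_164_502_a_1_ii(A) :-
    has_purpose(A, healthcare) ; has_purpose(A, payment) ; has_purpose(A, treatment).

% Assumed reading of 164.506(c)(1): PHI moves between two parties who
% both act as the covered entity (an intern does, a janitor does not)
permitted_by_164_506(a(To, From, _, phi, _, _, _)) :-
    in_role_tc(To, covered_entity),
    in_role_tc(From, covered_entity).

pbh(A) :- permitted_by_164_502_a_1_i(A).
pbh(A) :- permitted_by_164_502_a_1_ii(A).

% A denial is negation as failure: every pbh/1 clause is exhausted before
% the checker answers `denied`, which is the cost the DOS slide refers to.
check(Label, A) :-
    ( pbh(A) -> Verdict = permitted ; Verdict = denied ),
    format("~w: ~w~n", [Label, Verdict]).

demo :-
    check(nurse_to_intern_treatment,  a(jd, carla, kid, phi, treatment, none, none)),
    check(nurse_to_janitor_treatment, a(j, carla, kid, phi, treatment, none, none)),
    check(individual_own_record,      a(lawyer, shh, lawyer, phi, access, none, none)),
    check(individual_other_record,    a(lawyer, shh, kid, phi, access, none, none)).
```

Consult the file in SWI-Prolog and run `?- demo.`; the first and third requests are permitted, the janitor and the lawyer asking about someone else's record are denied.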

Page 10: HIPAA

1. Insider gaining PHI

§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations. (c) Implementation specifications: Treatment, payment, or health care operations. (1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.

Diagram: inside the covered entity, a nurse passes PHI to a colleague: "Don't go in that room as patient has SARS".

Page 11: HIPAA

2. Outsider gaining PHI

§ 164.502 Uses and disclosures of protected health information: general rules. (a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.

(2) Required disclosures. A covered entity is required to disclose protected health information:

(ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subpart.

Diagram: a doctor in the covered entity hands the entire database of personal health info to the Secretary for compliance verification.

Page 12: HIPAA

3. Insider then Outsider

Diagram: in the past the doctor was part of the covered entity; in the present the same person is a freelance journalist.

Page 13: HIPAA

Potential Shortcomings

There are many such outside agents who could gain legitimate access to PHI and are not regulated by HIPAA after they gain access.

HIPAA does not regulate information once it leaves its definition of covered entity.

DISCLAIMER: All these shortcomings are based on what we looked at. Might be they are not there at all.

Page 14: HIPAA

DOS Attack!!

To conclude that a request is NOT permitted, the Prolog checker has to try it against every given clause before it can fail.

This makes a DOS attack on our implementation easy.

Page 15: HIPAA

Rational reconstruction

The law itself is well structured: the purpose and relation of clauses are explicit.

Past: a message can be sent if it was consented to in the past by the patient.

Present: PHI can be sent to other covered entities for health care operations.

Future: if the individual has requested his PHI, the covered entity is required to send it.

Page 16: HIPAA

Suggestions

Cover all agents who hold PHI of other people under HIPAA. Treat them as covered entities.

During an emergency the patient data should be easily available to any person who can help at that moment. Surprisingly there is no mention of emergency!

The system implementation at a hospital should be resilient to id theft along with having all the security features in place.

Page 17: HIPAA

Prolog as a model for compliance checker

Cons:

Laws are not written to be logical!!

HIPAA specifies what to implement, not how.

It definitely does not replace the human auditor.

Difficult to formalize exactly: it is based on interpretation and requires a lot of iterations of corrections.

Page 18: HIPAA

Prolog as a model for compliance checker

Pros:

Better than nothing.

Easy to understand.

Makes the job of the HIPAA auditor easy.

Requires interpretation of the query log to obtain the proper insights.

Exhaustive search to test all the pathways in data transfer.