Formalization of Health Information Portability and Accountability Act (HIPAA) Simon Berring, Navya Rehani, Dina Thomas

Overview Previous Work SPIN Results Conclusions Project Overview HIPAA Overview Previous Work Verification Tool - SPIN Formalization Results Conclusions Further Work Overview

Previous Work SPIN Results Conclusions What is HIPAA? Timeline :main act is passed :HHS releases privacy rule : In response to criticism, HHS releases updated privacy rule Goals - Prevent malicious parties from obtaining protected health information (phi) -Allow flows of information necessary for health care -Allows patients reasonable discretion Overview

Previous Work SPIN Results Conclusions Privacy and Contextual Integrity Barth, Datta, Mitchell and Nissenbaum Uses typed, first order, linear temporal logic. With types  = Agent |Message | Property | Context With grammar: With invariants: With norms (e.g.): inrole(p1, covered-entity)  inrole(p2, individual)  (q = p2)  (t  phi) Previous Work

Overview Previous Work SPIN Results Conclusions Privacy APIs Previous Work Gunter, et al Defined a formalism for legal privacy rules “auditable privacy systems” Created a language (HRU) that preserved the subtleties of law and was accessible to non- experts Investigated several properties, found one “unexpected ambiguity” about patient consent Converted HRU to Promela and used SPIN verification

Overview Previous Work SPIN Results Conclusions Verification Tool SPIN SPIN = Simple Promela Interpreter Software verifier for parallel, distributed systems LTL model checker Promela Model M  Xspin LTL Translator Verifier Counter Example (Trace) SPIN

Overview Previous Work SPIN Results Conclusions Promela SPIN From: Theo R. Ruys – SPIN Beginner’sTutorial, 2002 Promela = Protocol/Process Meta Language Communication via message channels (synchronous/asynchronous) Non deterministic scheduling of processes Model consists of Type declarations Channel declarations Variable declarations Process declarations [ init process ]

Overview Previous Work SPIN Results Conclusions Promela SPIN From: Theo R. Ruys – SPIN Beginner’sTutorial, 2002 /*******#defines **************/ mtype { one}; mtype {pharmafrnd,frndpharma}; /*********global variables *************/ chan q[N] = [2] of { byte}; bool pharma_frnd=0; /************** processes ****************/ proctype pharmacist (chan friendin,friendout ){ byte mesg; end:do ::friendin?one(mesg) -> printf("pharmacist gets mesg frm friend \n"); ::friendout!one(mesg) -> printf("pharmacist sends mesg to friend \n"); ::break od }

Overview Previous Work SPIN Results Conclusions Promela SPIN From: Theo R. Ruys – SPIN Beginner’sTutorial, 2002 proctype friend (chan pharmain,pharmaout){ byte mesg; end:do ::pharmain?one(mesg) -> pharma_frnd=1; printf("friends gets mesg frm pharmacist \n"); ::pharmaout!one(mesg) -> printf("friend sends mesg to pharmacist \n"); ::break od } /************init process**************/ init { atomic{ run friend(q[pharmafrnd],q[frndpharma]); run pharmacist(q[frndpharma],q[pharmafrnd]) } LTL property: <> pharma_frnd /* does the pharmacist send a message to the friend */

Overview Previous Work SPIN Results Conclusions Formalization Results Results Properties checked A friend cannot find out what medicine you're taking without your knowledge Your protected health information won't be transmitted to a third party who is not covered by HIPAA privacy rule A doctor may not disclose a patient’s record for TPO after the patient has denied consent. Approach: Check validity of ( HIPAA  Desired Property)

Overview Previous Work SPIN Results Conclusions Formalization Results Results A friend cannot find out what medicine you're taking without your knowledge. ( HIPAA  Desired Property) returns FALSE Desired Property inrole(p1, pharmacist)  inrole (q, patient)  inrole (p2, friend[q])  t  prescription  send(p1, p2, t)  (! send(q, p1, deny-identification) S send(q, p1, identify-friend)) HIPAA Norms § (b)(1) [Positive Norm] inrole(q, patient)  inrole(p1, hcp)  t  phi  inrole(p2, familyfriend[q])  send(p1, p2, t)

Overview Previous Work SPIN Results Conclusions Formalization Results Results [Positive Norm] inrole(q, patient)  inrole(p1, hcp)  t  phi  send(p1, p2, t)  (!send(q, p1, deny-identification) S send(q, p1, identify-friend)) § (b)(2) [Negative Norm] inrole(q, patient)  inrole(p1, hcp)  t  phi  available-sane- agrees(q)  send(q, p1, object-disclosure[t])   !send(p1, p2, t) § (b)(3) [Positive Norm] inrole(q, patient)  inrole(p1, hcp)  t  phi  !available-sane- authorize(q)  uses-professional-judgment(p1)  !send(p1, p2, t)

Overview Previous Work SPIN Results Conclusions Results Formalization Results DISCLOSE

Overview Previous Work SPIN Results Conclusions Formalization Results Results Your protected health information won't be transmitted to a third party who is not covered by HIPAA privacy rule ( HIPAA  Desired Property) returns FALSE Desired Property inrole(p1, hcp)  inrole(q, patient)  t  phi  send(p1, p2, t)  incontext(p2, covered-entity) HIPAA Norms § (c)(1)[Positive Norm] inrole(p1, hcp)  inrole(p2, hcp)  t  phi  send(p1, p2, t)  disclosure-for-TPO(p1, t)

Overview Previous Work SPIN Results Conclusions Formalization Results Results § (c)(2) [Positive Norm] inrole(p1, hcp)  inrole(p2, hcp)  t  phi  send(p1, p2, t)  disclosure- for-T(p2, t) § (c)(3) [Positive Norm] inrole(p1, hcp)  (inrole(p2, hcp)  incontext(p2, covered-entity))  t  phi  send(p1, p2, t)  disclosure-for-P(p2, t) § (c)(4) [Positive Norm] inrole(p1, hcp)  inrole(p2, hcp)  inrole(q, patient)  t  phi  has- relationship(q, p2)  send(p1, p2, t)  disclosure-for-TPO(p2, t) § (c)(5)[Positive Norm] inrole(p1, hcp)  inrole(p2, hcp)  t  phi  send(p1, p2, t)  incontext(p1, covered-entity)  incontext(p2, covered-entity)  disclosure-for-O(p2, t)

Overview Previous Work SPIN Results Conclusions Formalization Results Results Covered entityNon-covered entity

Overview Previous Work SPIN Results Conclusions Formalization Results Results A doctor may not disclose a patient’s record for TPO after the patient has denied consent (HIPAA -> Desired Property) returns FALSE Desired Property inrole(q, patient)  inrole(p1, hcp)  t  phi  send(p1, p2, t)  (!send(q, p1, deny-consent) S send (q, p1, consent)) HIPAA Norms § (a)(1) [Positive Norm] inrole(q, patient)  inrole(p1, hcp)  t  phi  ( send(p1, q, consent- request)  ! send(p1, q, consent-request) )  send(p1, p2, t) § (a)(2) [Negative Norm] inrole(q, patient)  inrole(p1, hcp)  t  authorization-requiring-phi  ! send(q,p1, authorization)  !send(p1,p2,t)

Overview Previous Work SPIN Results Conclusions Formalization Results Results REQ DENY TPO

Overview Previous Work SPIN Results Conclusions HIPAA Specific: The HIPAA privacy rule is generally comprehensive and well- specified. However, the prose law does contain many ambiguous clauses. And, in at least 3 ways, HIPAA fails to require expected protections of health information. Procedural: SPIN, despite some troublesome flaws (lack of past operators, memory constraints), was a good choice for this analysis. The methods of “Privacy & Contextual Integrity” are useful for consistently parsing prose law into LTL formulae. 3 is not a crowd