Towards a Framework for Tracking Legal Compliance in Healthcare

Presentation transcript:

Towards a Framework for Tracking Legal Compliance in Healthcare
Sepideh Ghanavati, Daniel Amyot, and Liam Peyton
CAiSE’07, Trondheim

Presentation Overview

Problem: complexity of documenting and managing compliance as legislation or business processes change.

Target audience: (privacy) compliance managers, auditors, lawyers, business process modellers, requirements engineers...

Contributions:
- A requirements-oriented framework to aid in the understanding of legislative compliance for business processes, particularly in the area of healthcare.
- A URN-oriented meta-model that defines a new set of compliance links for modelling the legislative compliance of business processes.
- A systematic method for tracking and managing compliance as legislation or business processes evolve.
- Enhancements to existing modelling and traceability tools to support and validate these contributions.
- A healthcare case study involving an Ontario hospital and privacy law.

Motivation

- Compliance with different regulations is of primary concern for any organization when defining its business processes.
  - $30B compliance business in 2007 [AMR Research, Feb’07]
- Many organizations, especially in healthcare, use a document-based method to track compliance.
  - Document-based methods require much effort to document compliance and manage change, and yet they are usually incomplete.
- Model-based approaches have much potential for change management but are often separated from their source documents, which provide the final authority.

First, why this topic is important. Every day, new regulations and laws come into effect, and compliance with them is one of the major concerns of organizations. However, the cost of compliance management is high and goes up every year. At present, most organizations use a document-based approach to track compliance. Such an approach has many deficiencies: it requires a lot of effort to document and manage compliance, and it is usually incomplete. A model-based approach offers a possible alternative, but without links between models, and between documents and models, it does not help much.

Three Wishes...

- A framework that can model organizational policies, procedures and legislative documents in the same notation
- Support for useful links:
  - within views of a model (goals and processes)
  - between two models (organization and legislation)
  - between models and legislation and other documents
- A way to manage the evolution of any part (legislation, business processes, etc.) in order to assess the global impact and ensure compliance in the new context

To solve these issues, an integrated framework is required that helps model both organizational and legislative documents and establishes the necessary links between the elements of models and documents. These links must be complete enough to help manage changes and ensure compliance in the new contexts.

Related Work

Not all wishes are granted in existing frameworks!

- Darimont et al. use KAOS to model regulations with goals
  - No real traceability between processes and the legal model
- Rifaut et al. apply goal-based models for the compliance of financial systems to Basel II regulations
  - Does not really provide any kind of traceability
- He et al. use ReCAPS to ensure policy- and requirements-compliant systems
  - Does not include business processes
- Breaux et al. use semantic parameterization to extract rights and obligations from the HIPAA privacy rules
  - No links to organization policies and procedures

A lot of work has been done on modelling regulations and on tracking and managing compliance. However, this work tends to focus on just one aspect (goals, business processes, legislation) rather than on all of them with the aim of achieving a framework for privacy compliance. Breaux et al. [4] provide a methodology to extract rules and obligations from regulations, but their work does not provide any link to the organization’s policy and procedure documents. Darimont et al. [6] apply the KAOS methodology to model regulations and explain how to transform regulation documents into goal, object and threat models. They provide a level of traceability between the source documents and these three models, but this traceability is not extended to the organization’s documents. He et al. [15] apply ReCAPS to integrate the components of access control analysis, improve software quality and ensure policy- and requirements-compliant systems. This method provides traceability from source documents to the access control policies, but it does not include business processes; its scope is narrow and focuses only on the software development process. Rifaut et al. [24] apply goal-based models to the implementation of a financial system to ensure it is compliant with Basel II regulations. In their method, they divide organizations and their business processes according to organizational layers and assign the elements of the related goal model to those layers. However, their method does not provide any kind of traceability. The ORCA group [3] is developing a system to help standardize the representation of compliance documents, with a dynamic mapping between regulations and the internal policies of the organization. However, they still do not provide an integrated framework that includes both business processes and policies in a model at the same time. Note, however, that the ORCA project is still ongoing.

Compliance Management Framework: Modelling with the User Requirements Notation (URN)

URN is being standardized by ITU-T (Z.150) and combines:
- Goal-oriented Requirement Language (GRL): subset of i* syntax + NFR Framework evaluations
- Use Case Map (UCM) scenarios

URN connects goals (why) and business processes (W4).

Compliance Management Framework

- Provides a set of links to connect the policy and procedure documents of an organization to legislation documents
- Other links/models provide little return on investment

Our requirements management framework lets organizations model their goals, procedures and legislative documents in the same modelling language. We also allow for the introduction of links that can be used to connect these models and documents to each other in order to help in documenting and managing compliance. This framework is composed of two models and several sets of links. The model of the organization includes the policy and procedure documents, a GRL model of the goals and tasks of the organization, and a UCM model of the business processes. The GRL and UCM models are part of the User Requirements Notation, which connects goals and business processes together. Legislation documents are modelled with GRL but not UCM, because legislation by its nature is not procedural. Between the GRL and UCM models of the organization there are responsibility links, which connect elements of the GRL model to the UCM model. These models are also connected to the original documents via source links. The legislation GRL model is likewise connected to its source document through source links. Between the organization and legislation models, three different kinds of links are created. Traceability links are created manually between elements of both GRL models. Compliance links connect the organization’s GRL model and the original law and legislation documents. Finally, responsibility links relate the UCM model of the organization to the GRL model of the legislation.

Compliance Management Framework: Internal Links

Each model includes some internal links:
- Source links:
  - Organization GRL and UCM models → policy and procedure documents
  - Legislation GRL model → legislation documents
- Responsibility links:
  - UCM model → GRL model (of the healthcare organization)

Compliance Management Framework: Inter-Model Links

Between the two models are three link sets used to establish and track compliance:
- Traceability links (created manually): GRL model of organization → GRL model of legislation
- Compliance links (created automatically): GRL model of organization → the text document of the law
- Responsibility links (created automatically): UCM model of organization → GRL model of legislation

Example of GRL Model for a Law

Legislation document (excerpt): "A hospital shall not use the personal information of an individual unless a) it has the individual’s consent and b) the information is necessary for a lawful purpose. ..."

[Figure: GRL model derived from this clause. Actor: Hospital. Softgoal: Prevent from Unauthorized Use. Tasks: Have Individual Consent; Have Legal Purpose. Source links connect the model elements back to the legislation document.]

Example of URN Model for an Organization

[Figure: URN model of the hospital. GRL: actor Hospital; softgoal Prevent from Unauthorized Use; goal Limit Use to Authorized User; tasks Have Individual Consent and Have Username and Password. UCM: component Hospital with responsibilities connected to the GRL tasks by "resp" (responsibility) links.]

Completeness issues and inconsistencies could be detected during modelling...

URN Modelling with jUCMNav

- jUCMNav is a tool that supports defining GRL and UCM models and creating links between GRL and UCM elements.
- GRL and UCM models are built in jUCMNav. Responsibility links between these organizational models are created manually.
- Individual URN models can be imported into DOORS, with internal links created automatically.
- The remaining links are created manually or automatically in Telelogic DOORS after the models and documents are imported into it.

Traceability with Telelogic DOORS

Telelogic DOORS (a Requirements Management System) provides tool support for establishing and exploiting links between different elements of the model.

Evaluation of Link Types

Framework Metamodel

- Metamodel extended to define links between URN models and between each URN model and its source document in the requirements management system (e.g. DOORS)
- Helps identify which elements of the legislation model are connected to elements of the organization model.
- Helps determine which links need to be created manually and which ones can be inferred automatically.

In order to define which elements are linked together, and also which types of links are created manually and which automatically, we defined a metamodel.

Framework Metamodel (DOORS View)

[Figure: Organization Metamodel and Law Metamodel]

For example, in the legislation model, the law document is divided into two kinds of objects: clauses and definitions. Clauses are linked to the intentional elements of the legislation GRL model via source links, and to those of the organization GRL model via compliance links. In addition, we can identify that some links can be inferred by transitivity: these are the compliance and responsibility links between the two models.

Auto-Completion Mechanism

Responsibility and compliance links are inferred via DXL scripts. For example, for compliance links, the actors of the organization are linked to those of the legislation via "traces" links. Similarly, the actors of the legislation are linked to their definitions via "source" links. Therefore, by transitivity, organization actors are linked directly to legislation definitions through "complies" links. The same happens for intentional elements, and for responsibility links.

Healthcare Case Study

- Policies and procedures for accessing a healthcare data warehouse in a major teaching hospital in Ontario, Canada
  - Focus on researchers as main information users
- Compliance with privacy legislation
  - PHIPA: Personal Health Information Privacy Act (Ontario)
  - Aims to protect the privacy and confidentiality of personal health information while facilitating the provision of healthcare.
  - Set of rules for the collection, use and disclosure of personal health information.
  - 75 sections, amended five times since 2004.

Case Study – PHIPA Compliance at an Ontario Hospital

PHIPA document (excerpt):
- HIC: person or organization who has custody of PHI.
- A HIC may disclose PHI to a researcher if he/she (a) submits: (i) an application, (ii) a research plan, (iii) a copy of REB approval; (b) enters into the agreement ...

Hospital policy document (excerpt):
- Policy 2: All requests for data from the data warehouse will be evaluated based on technical feasibility, data availability, resource availability and REB approval for research. ...

[Figure: the linked models, connected by source, resp, traces and complies links.
- GRL model of hospital: Protect Privacy and Confidentiality of Hospital Data; Prevent Unauthorized Use and Disclosure; Ensure Accountability of Data User; Check Ethical Issues; Get to An Agreement with Data User; Request Form; Check with Privacy and Confidentiality Legislations; Users; Safeguards; actors DW Administrator, REB, Privacy Officer.
- GRL model of PHIPA: Satisfy Privacy Regulations; Protect Confidentiality; Prevent Unauthorized Disclosure; Limit Disclosure of Data; Ask for Compliance Agreement; Check Research Plan; Adequate Safeguards; Ethical Issues; REB Approval; actors HIC, REB Committee.
- UCM model of hospital: components Researcher and Hospital; responsibilities requestForPHI, reviewRequest, getToAnAgreement, getRejection, amendDocuments; branches Accept / Reject and [NewRequest] / [GiveUp].]

Discrepancies could be detected during modelling...

Evolution of Privacy Legislation or Business Processes

The compliance links defined in the Requirements Management Framework help to manage the impact of different types of changes and help ensure that compliance is maintained.

Both the legislation and the business processes of the organization can change. When the legislation is amended, the change affects its GRL model through source links. The impact of this change on the organization model can then be traced via traceability or compliance links, and through responsibility links it can be shown which part of the UCM model has been affected. On the other hand, when a part of the business process changes, the organization has to make sure that it still complies with the legislation. This can be handled through responsibility links directly, or through compliance or traceability links indirectly.

[Figures: Legislation Evolution; Business Process Evolution]
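As an added example (not the authors’ DXL scripts or any jUCMNav/DOORS code), the following Python models the framework’s link sets over a constructed slice of the PHIPA case study: `autocomplete` implements the transitivity rules of the auto-completion mechanism (complies from traces + source; inter-model responsibility from resp + traces), and the two `impact_of_*` functions walk the links in the directions described for legislation and business-process evolution. Element and clause names are constructed labels taken from the slide text, and `resp_leg` is an assumed name for the inferred UCM-to-legislation responsibility link.

```python
from collections import defaultdict

class ComplianceLinks:
    """Link store with forward/reverse indexes. Link kinds (names from the slides):
    source    GRL/UCM element -> object in its own source document (clause, definition, policy)
    resp      organization UCM responsibility -> organization GRL element (manual)
    traces    organization GRL element -> legislation GRL element (manual)
    complies  organization GRL element -> legislation clause (inferred)
    resp_leg  organization UCM responsibility -> legislation GRL element (inferred; assumed name)"""
    def __init__(self):
        self.fwd = defaultdict(set)  # (kind, src) -> {dst}
        self.rev = defaultdict(set)  # (kind, dst) -> {src}

    def add(self, kind, src, dst):
        if dst in self.fwd[(kind, src)]:
            return False
        self.fwd[(kind, src)].add(dst)
        self.rev[(kind, dst)].add(src)
        return True

    def out(self, kind, src):
        return self.fwd.get((kind, src), set())
    def inc(self, kind, dst):
        return self.rev.get((kind, dst), set())

    def autocomplete(self):
        """Stand-in for the DXL scripts: infer links by transitivity.
        complies(o, c) <- traces(o, l) and source(l, c)
        resp_leg(u, l) <- resp(u, o)  and traces(o, l)"""
        added = []
        pairs = [(o, l) for (k, o), ls in list(self.fwd.items()) if k == "traces" for l in ls]
        for o, l in pairs:
            for c in self.out("source", l):
                if self.add("complies", o, c):
                    added.append(("complies", o, c))
            for u in self.inc("resp", o):
                if self.add("resp_leg", u, l):
                    added.append(("resp_leg", u, l))
        return added

    def impact_of_clause_change(self, clause):
        """Legislation evolution: walk links backwards from an amended clause."""
        leg = set(self.inc("source", clause))
        org = set(self.inc("complies", clause)).union(*(self.inc("traces", l) for l in leg))
        ucm = set().union(*(self.inc("resp", o) for o in org),
                          *(self.inc("resp_leg", l) for l in leg))
        return {"legislation_grl": leg, "organization_grl": org, "ucm": ucm}

    def impact_of_responsibility_change(self, resp):
        """Business-process evolution: what to re-check when a UCM responsibility changes."""
        org = set(self.out("resp", resp))
        leg = set(self.out("resp_leg", resp)).union(*(self.out("traces", o) for o in org))
        clauses = set().union(*(self.out("complies", o) for o in org),
                              *(self.out("source", l) for l in leg))
        return {"organization_grl": org, "legislation_grl": leg, "clauses": clauses}

    def untraced(self, legislation_elements):
        """Discrepancy check: legislation GRL elements nothing in the organization traces to."""
        return {l for l in legislation_elements if not self.inc("traces", l)}

def case_study():
    """Constructed slice of the PHIPA/hospital case study; clause labels are made up from the slide text."""
    m = ComplianceLinks()
    clause_a = "PHIPA clause (a): application, research plan, REB approval"
    clause_b = "PHIPA clause (b): enter into agreement"
    for leg, clause in [("Check Research Plan", clause_a), ("REB Approval", clause_a),
                        ("Ask for Compliance Agreement", clause_b)]:
        m.add("source", leg, clause)  # legislation GRL -> PHIPA text
    m.add("source", "Check Ethical Issues", "Hospital Policy 2")  # organization GRL -> policy
    m.add("resp", "reviewRequest", "Check Ethical Issues")  # UCM -> organization GRL (manual)
    m.add("resp", "getToAnAgreement", "Get to An Agreement with Data User")
    m.add("traces", "Check Ethical Issues", "REB Approval")  # org GRL -> legislation GRL (manual)
    m.add("traces", "Get to An Agreement with Data User", "Ask for Compliance Agreement")
    return m
```

Running `case_study().autocomplete()` yields the four inferred links, and `untraced` flags "Check Research Plan" as a legislation element with no organizational counterpart, the kind of discrepancy the case study slide mentions.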

Evolution of (Privacy) Legislation

Different scenarios by which legislation documents can be amended:
- Addition of a new clause
  - The clause refers to an existing actor, softgoal, goal or task
  - It introduces a new actor, softgoal, goal or task
- Modification of a clause with links
- Deletion of a clause with links
- Modification of a clause without links

Example: Amendment to PHIPA (addition of a new clause)

Managing Evolving Business Processes or Policies

A policy or business process can evolve in three ways:
- Modification of an existing process or policy
  - The existing process or policy has links to its GRL model and to the legislation GRL model
  - The existing process or policy does not have links to its GRL model or to the legislation GRL model
- Addition of a new process or policy element
- Removal of a process or policy element

Example – Hospital Business Process Changed (modification of a UCM responsibility)

Preliminary Analysis of the Framework

- The Compliance Management Framework requires less effort for documenting compliance and managing evolution.
  - This more than compensates for the modelling effort required.
- It also provides the best coverage and overall comprehensibility.

Conclusions

- Tool-supported, URN-oriented framework to help document and maintain compliance between business processes and laws
- New inter-model and inter-document links
- Less effort and better coverage than other approaches when responding to change
- Some evaluation and validation done via a healthcare case study, with promising results so far
- S. Ghanavati’s thesis contains more examples and analysis results

Issues and Future Work

- Incomplete and expensive guidelines for creating URN models
  - Need to model more situations
  - Need to reduce the effort to model: explore existing goal mining/extraction techniques
  - Involve lawyers in (legislation model) validation and rules
- Limited case study (1 process, 1 law)
  - Need more laws, business processes, and domains
  - Can a legislation GRL model be reused across organizations?
  - What if we have conflicting legal requirements?
- Usability study and scalability evaluation
  - More quantitative measure of the effort to model and exploit the links
  - Just how much do automated links help? Ontology-based automatic linking?
  - Need more independent assessment to avoid bias