Mining rule semantics to understand legislative compliance

Organizations in privacy-regulated industries (e.g. healthcare and financial institutions) face significant challenges when developing policies and systems that are properly aligned with relevant privacy legislation. We analyze privacy regulations derived from the Health Insurance Portability and Accountability Act (HIPAA) that affect information sharing practices and consumer privacy in healthcare systems. Our analysis shows specific natural language semantics that formally characterize rights, obligations, and the meaningful relationships between them required to build value into systems. Furthermore, we evaluate semantics for rules and constraints necessary to develop machine-enforceable policies that bridge between laws, policies, practices, and system requirements. We believe the results of our analysis will benefit legislators, regulators and policy and system developers by focusing their attention on natural language policy semantics that are implementable in software systems.
