Towards Norm Classification: An Initial Analysis of HIPAA Breaches

Regulatory policies, like the US Health Insurance Portability and Accountability Act (HIPAA), impose the social norms mediated by software-intensive systems. Breaches, modeled as norm violations, can help elicit security and privacy requirements to prevent future system failures. This paper reports our initial analysis of 38 HIPAA breaches with the objective of classifying them into the different norm types: commitments, authorizations, or prohibitions. The results show only limited distinguishing power of textual features, and reveal the fundamental interchangeability of commitments and prohibitions.