More Web Proxy on the site http://driver.im/

research-article

UCON_LEGAL: a usage control model for HIPAA

Authors:

Jon DoyleAuthors Info & Claims

IHI '12: Proceedings of the 2nd ACM SIGHIT International Health Informatics Symposium

Pages 227 - 236

https://doi.org/10.1145/2110363.2110391

Published: 28 January 2012 Publication History

Abstract

Developing an access control system that satisfies the requirements expressed in regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), can help ensure regulatory compliance in software systems. A usage control model that specifies the rules governing information access and usage, as expressed in law, is an important step towards achieving such compliance. Software systems that handle health records must comply with regulations in the HIPAA Privacy and Security Rules. Herein, we analyze the HIPAA Privacy Rule using a grounded theory methodology coupled with an inquiry driven approach to determine the components that must be supported by a usage control model to achieve regulatory-compliant health records usage. In this paper, we propose a usage control model, UCON_LEGAL, which extends UCON_ABC with components to model purposes, cross-references, exceptions, conditions, and logs. We also employ UCON_LEGAL to show how to express the access and usage rules we identified in the HIPAA Privacy Rule. Our analysis yielded seven types of conditions specific to HIPAA that we include in UCON_LEGAL; these conditions were previously unsupported by existing usage control models.

References

[1]

American Recovery and Reinvestment Act. 2009. http://www.gpo.gov/fdsys/pkg/PLAW-111publ5/pdf/PLAW-111publ5.pdf.

[2]

Barth, A., Datta, A., Mitchell, J. C. and Nissenbaum, H. 2006. Privacy and Contextual Integrity: Framework and Applications. 27th IEEE Symp. on Security and Privacy (Oakland, CA, USA, May 21-24, 2006).184--198. DOI= http://dx.doi.org/10.1109/SP.2006.32.

Digital Library

[3]

Breaux, T. D., Vail, M., Antón, A. I. 2006. Towards compliance: Extracting rights and obligations to align requirements with regulations. 14th IEEE Int'l Conf. on Req'ts Eng. (Minneapolis, USA, Sept. 11-15, 2006) 49--58. DOI= http://dx.doi.org/10.1109/RE.2006.68.

Digital Library

[4]

Breaux, T. D. and Antón, A. I. 2008. Analyzing Regulatory Rules for Privacy and Security Requirements. IEEE Trans. on Soft. Eng., 34, 1 (Jan., 2008), 5--20. DOI= http://dx.doi.org/10.1109/TSE.2007.70746.

Digital Library

[5]

Byun, J., Bertino, E., Li, N. 2005. Purpose based access control of complex data for privacy protection. 10th ACM Symp. on Access Control Models and Technologies (Stockholm, Sweden, June 1-3, 2005). ACM, New York, NY, 102--110. DOI= http://doi.acm.org/10.1145/1063979.1063998.

Digital Library

[6]

California Department of Public Health. 2010. http://www.cdph.ca.gov/Pages/NR10-039.aspx.

[7]

Glaser, B. G. 1978. Theoretical Sensitivity. Sociology Press, Mill Valley.

[8]

Glaser, B. G. and Strauss, A. L. 1967. The discovery of grounded theory: Strategies for qualitative researchy. Aldine Transaction, Chicago.

[9]

Gramm-Leach-Bliley Act. 1999. http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf.

[10]

Harrison, M. H., Ruzzo, W. L., and Ullman, J. D. 1976. Protection in operating systems. Communications of the ACM, 19, 8 (Aug., 1976). 461--471. DOI= http://doi.acm.org/10.1145/360303.360333.

Digital Library

[11]

He, Q. 2003. Privacy Enforcement with an Extended Role-Based Access Control Model. Technical Report# TR-2003-09. North Carolina State University.

Digital Library

[12]

Maxwell, J. C. and Antón, A. I. 2009. Developing Production Rule Models to Aid in Acquiring Requirements from Legal Texts. 17th IEEE Int'l Conf. on Req'ts Eng. (Atlanta, GA, USA, Aug. 31- Sept. 4, 2009). 101--110. DOI= http://dx.doi.org/10.1109/RE.2009.21.

Digital Library

[13]

Maxwell, J. C., Antón, A. I., and Swire, P. 2011. A Legal Cross-References Taxonomy for Identifying Conflicting Software Requirements. To Appear: 19th IEEE Int'l Conf. on Req'ts Eng. (Trento, Italy, Aug. 29 - Sept. 2, 2011).

Digital Library

[14]

May, M. J., Gunter, C. A., Lee, I. 2006. Privacy APIs: access control techniques to analyze and verify legal privacy policies. 19th IEEE Comp. Security Found. Workshop (Venice, Italy, July 5-7, 2006). 85--97. DOI= http://dx.doi.org/10.1109/CSFW.2006.24.

Digital Library

[15]

Ni, Q., Trombetta, A., Bertino, E., and Lobo, J. 2007. Privacy-aware Role Based Access Control. 12th ACM Symp. on Access Control Models and Technologies (Sophia Antipolis, France, June 20-22, 2007). ACM, New York, NY, 41--50. DOI= http://doi.acm.org/10.1145/1266840.1266848.

Digital Library

[16]

Otto, P. N. and Antón, A. I. 2007. Addressing Legal Requirements in Requirements Engineering. IEEE Int'l Conf. on Req'ts Eng. (New Delhi, India, Oct. 15-19, 2007). 5--14. DOI= http://dx.doi.org/10.1109/RE.2007.65.

[17]

Park, J. and Sandhu, R. 2002. Towards usage control models: beyond traditional access control. 7th ACM Symp. on Access Control Models and Technologies (California, USA, June 3-4, 2002). ACM, New York, NY, 57--64. DOI= http://doi.acm.org/10.1145/507711.507722.

Digital Library

[18]

Park, J. and Sandhu, R. S. 2004. The UCONABC usage control model. ACM Trans. on Info. and Sys. Sec., 7, 1 (February 2004). 128--174. DOI= http://doi.acm.org/10.1145/984334.984339.

Digital Library

[19]

Potts, C., Takahashi, K., Antón, A. I. 1994. Inquiry-based requirements analysis. IEEE Software, 11, 2 (Mar, 1994). 21--32. DOI= http://dx.doi.org/10.1109/52.268952.

Digital Library

[20]

Samarati, P. and Vimercati, S. D. 2001. Access Control: Policies, Models, and Mechanisms. In Lecture Notes In Computer Science, 2171. Springer-Verlag, London. 137--196.

Digital Library

[21]

Sandhu, R. S. 1992. The typed access matrix model. 13th IEEE Symp. on Research in Security and Privacy (Oakland, CA, USA, May 4-6, 1992). 122--136. DOI= http://dx.doi.org/10.1109/RISP.1992.213266.

Digital Library

[22]

Sandhu, R. S. 1993. Lattice-based access control models. IEEE Computer, 26, 11 (Nov. 1993). 9--19. DOI= http://dx.doi.org/10.1109/2.241422.

Digital Library

[23]

Sandhu, R., Ferraiolo, D., and Kuhn, R. 2000. The NIST model for role-based access control: Towards a unified standard. 5th ACM Workshop on Role-based Access Control (Berlin, Germany, July 26-28, 2000). 47--63. DOI= http://doi.acm.org/10.1145/344287.344301.

Digital Library

[24]

Yin, R. K. 2009. Case Study Research: Design and Methods, Applied Social Research Methods Series, Sage Publications, Thousand Oaks, CA.

[25]

Young, J. D. and Antón, A. I. 2010. A Method for Identifying Software Requirements Based on Policy Commitments. 18th IEEE Int'l Conf. on Req'ts Eng. (Sydney, Australia, Sept. 27-Oct. 1, 2010). 47--56. DOI= http://dx.doi.org/10.1109/RE.2010.17.

Digital Library

[26]

U.S. Department of Health and Human Services Office for Civil Rights. 2006. HIPAA Administrative Simplification, http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf.

[27]

U.S. Department of Health and Human Services. 2011. HHS Imposes a $4.3 Million Civil Money Penalty for HIPAA Privacy Rule Violations. http://www.hhs.gov/ocr/privacy/hipaa/news/cignetnews.html.

[28]

Zhang, X. 2003. Formal model and analysis of usage control. Doctoral Dissertation, George Mason University, Fairfax, VA, USA.

Digital Library

Cited By

Akaichi IKirrane S(2025)A comprehensive review of usage control frameworksComputer Science Review10.1016/j.cosrev.2024.10069856(100698)Online publication date: May-2025
https://doi.org/10.1016/j.cosrev.2024.100698
Shaqrah ANoor T(2020)A Conceptual Framework for an Extension Access Control Models in Saudi Arabia Healthcare SystemsData Analytics in Medicine10.4018/978-1-7998-1204-3.ch010(182-193)Online publication date: 2020
https://doi.org/10.4018/978-1-7998-1204-3.ch010
Shaqrah ANoor T(2018)A Conceptual Framework for an Extension Access Control Models in Saudi Arabia Healthcare SystemsInternational Journal of Knowledge-Based Organizations10.4018/IJKBO.20180401048:2(42-52)Online publication date: 1-Apr-2018
https://dl.acm.org/doi/10.4018/IJKBO.2018040104

Index Terms

UCON_LEGAL: a usage control model for HIPAA
1. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security
2. Social and professional topics
  1. Computing / technology policy
    1. Government technology policy
      1. Governmental regulations

Recommendations

A legal cross-references taxonomy for identifying conflicting software requirements
RE '11: Proceedings of the 2011 IEEE 19th International Requirements Engineering Conference

Companies must ensure their software complies with relevant laws and regulations to avoid the risk of costly penalties, lost reputation, and brand damage resulting from noncompliance. Laws and regulations contain internal cross-references to portions of ...
The Rule of Law and Compliance: Legal Quadrant and Conceptual Clustering
AI Approaches to the Complexity of Legal Systems XI-XII
Abstract
We present in this paper: (i) a regulatory quadrant to describe the rule of law; (ii) a cluster of concepts to describe instruments and processes of the law; (iii) the methodology followed to select the technical papers concerning regulatory ...
Usage Control Enforcement: Present and Future

Both personal data and intellectual property must be protected for various reasons. The authors explore the state of the art in usage control, which is about controlling the use of such data after it has been given away, and identify room for ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

IHI '12: Proceedings of the 2nd ACM SIGHIT International Health Informatics Symposium

January 2012

914 pages

ISBN:9781450307819

DOI:10.1145/2110363

General Chairs:
Gang Luo
IBM Research, USA
,
Jiming Liu
Hong Kong Baptist University
,
Program Chair:
Christopher C. Yang
Drexel University

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGHIT: ACM Special Interest Group on Health Informatics

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 January 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

IHI '12

Sponsor:

SIGHIT

IHI '12: ACM International Health Informatics Symposium

January 28 - 30, 2012

Florida, Miami, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
267
Total Downloads

Downloads (Last 12 months)4
Downloads (Last 6 weeks)0

Reflects downloads up to 18 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Akaichi IKirrane S(2025)A comprehensive review of usage control frameworksComputer Science Review10.1016/j.cosrev.2024.10069856(100698)Online publication date: May-2025
https://doi.org/10.1016/j.cosrev.2024.100698
Shaqrah ANoor T(2020)A Conceptual Framework for an Extension Access Control Models in Saudi Arabia Healthcare SystemsData Analytics in Medicine10.4018/978-1-7998-1204-3.ch010(182-193)Online publication date: 2020
https://doi.org/10.4018/978-1-7998-1204-3.ch010
Shaqrah ANoor T(2018)A Conceptual Framework for an Extension Access Control Models in Saudi Arabia Healthcare SystemsInternational Journal of Knowledge-Based Organizations10.4018/IJKBO.20180401048:2(42-52)Online publication date: 1-Apr-2018
https://dl.acm.org/doi/10.4018/IJKBO.2018040104

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents