HIPAA - PowerPoint PPT Presentation

About This Presentation
Title:

HIPAA

Description:

hipaa health insurance portability and accountability act – PowerPoint PPT presentation

Number of Views:96
Avg rating:3.0/5.0
Slides: 19
Provided by: shas165
Category:

less

Transcript and Presenter's Notes

Title: HIPAA


1
HIPAA
  • HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
    ACT

2
HIPAA of 1996
Medical Privacy - National Standards to Protect
the Privacy of Personal Health Information
  • Regulation Text 45 CFR Parts 160, 162, and 164
    PDF 769KB
  • (Unofficial version, as amended through February
    16, 2006)
  • 164.502 Uses and disclosure of protected health
    information.
  • 164.506 Uses and disclosure to carry out
    treatment, payment or health care operations.

3
Personal Health Information
4
HIPAA translation
  • HIPAA LAW
  • 164.502.a.1 (ii) For treatment, payment, or
    health care operations, as permitted by and in
    compliance with 164.506
  • PROLOG TRANSLATION
  • permitted_by_164_502_a_1_ii(A)-
  • satisfy_164_502_a_1_ii(A),
  • permitted_by_164_506(A).
  • satisfy_164_502_a_1_ii(A)-
  • has_purpose(A, healthcare)
  • has_purpose(A, payment)
  • has_purpose(A, treatment).

5
Hospital Facts
Covered Entities
  • PROLOG TRANSLATION
  • inRole(shh, covered_entity).
  • inRole(jd, intern).
  • inRole(carla, nurse).
  • inRole(j, janitor).
  • TRANSITIVE CLOSURES
  • inRole(intern, doctor).
  • inRole(doctor, covered_entity).
  • RELATION
  • employee_of(jd, shh).
  • parent_of(kid, cox).
  • business_associate(seattle_grace, shh).

Business Associate
Employees
Lawyer
Janitor
Nurse
Intern
6
Model
  • All queries to prolog program consist of a
    message that is passed between entities.
  • a(to, from, about, type, purpose, in Reply to,
    consented by)

What medication to give lukemia kid?
Nurse
Intern
pbh(a(jd, carla, kid, phi, treatment, _, _)).
7
Assumptions
  • Everything can be represented as messages.
  • All fields are accurate.
  • Ideal world with authenticated / authorized
    identities.
  • All information is passed through the system.
  • Few parts like the doctor believes in good
    judgement could not be coded.
  • The results and conclusions are based on the
    amount of HIPAA we interpreted and coded.

8
Properties
  • Can unauthorized insider get phi?
  • Can outsider get phi?

Tests
  • Verification of implementation. Runs individual
    test cases.
  • Exhaustive search
  • Law cases Very elaborate to code. Simple ones
    were satisfied by HIPAA.

9
(No Transcript)
10
1. Insider gaining PHI
  • 164.506 Uses and disclosures to carry out
    treatment, payment, or health care operations.
  • (c) Implementation specifications Treatment,
    payment, or health care operations.
  • (1) A covered entity may use or disclose
    protected health information for its own
    treatment, payment, or health care operations.

PHI Dont go in that room as patient has SARS
Nurse
Covered Entity
11
2. Outsider gaining PHI
  • 164.502 Uses and disclosures of protected
    health information general rules.
  • (a) Standard. A covered entity may not use or
    disclose protected health information, except as
    permitted or required by this subpart or by
    subpart C of part 160 of this subchapter.
  • (2) Required disclosures. A covered entity is
    required to disclose protected health
    information
  • (ii) When required by the Secretary under subpart
    C of part 160 of this subchapter to investigate
    or determine the covered entity's compliance with
    this subpart.

Entire database of personal health info For
compliance verification
doctor
Secretary
Covered Entity
12
3. Insider then Outsider
doctor
Freelance journalist
Covered Entity
In the Past
Present
13
Potential Shortcomings
  • There are many such outside agents who could gain
    legitimate access to PHI and are not regulated by
    HIPAA after they gain access.
  • HIPAA does not regulate information once it
    leaves their definition of covered entity.
  • DISCLAIMER All these shortcomings are based on
    what we looked at. Might be they are not there at
    all.

14
DOS Attack!!
  • To say that a predicate is NOT permitted the
    prolog checker need to verify it with all the
    given clauses.
  • Easy to implement a DOS attack on our
    implementation.

15
Rational reconstruction
  • Law itself is well structured
  • The purpose and relation of clauses are explicit
  • Past
  • can send a message if it was consented to in the
    past by the patient.
  • Present
  • Can send PHI to other covered entities for health
    care operations.
  • Future
  • If the individual has requested for his PHI the
    covered entity is required to send it.

16
Suggestions
  • Cover all agents who hold phi of other people
    under HIPAA. Treat them as covered entities.
  • During emergency the patient data should be
    available easily to any person who can help at
    that moment.
  • Surprisingly there is no mention of emergency!
  • The system implementation at a hospital should be
    resilient to id thefts along with having all the
    security features in place.

17
Prolog as a model for compliance checker
  • Cons
  • Laws are not written to be logical!!
  • HIPAA specifies what to implement not how.
  • It definitely does not replace the human auditor
  • Difficult to formalize exactly, its based on
    interpretation and requires a lot of iterations
    of corrections.

18
Prolog as a model for compliance checker
  • Pros
  • Better than nothing
  • Easy to understand
  • Makes the job of the HIPAA auditor easy
  • Requires interpretation of the query log to
    obtain the proper insights.
  • Exhaustive search to test all the pathways in
    data transfer.
Write a Comment
User Comments (0)
About PowerShow.com