
Towards a Framework for Tracking Legal Compliance in Healthcare



Presentation Transcript


  1. Towards a Framework for Tracking Legal Compliance in Healthcare
  Sepideh Ghanavati, Daniel Amyot, and Liam Peyton
  CAiSE’07, Trondheim

  2. Presentation Overview
  • Problem
    • Complexity of documenting and managing compliance as legislation or business processes change.
  • Target audience
    • (Privacy) compliance managers, auditors, lawyers, business process modellers, requirements engineers…
  • Contributions
    • Requirements-oriented framework to model legislative compliance for business processes
    • A meta-model (based on URN) that provides a set of compliance links
    • A systematic method for tracking and managing compliance as legislation or business processes evolve
    • Enhancements to existing modelling and traceability tools to support and validate these contributions
    • Healthcare case study involving an Ontario hospital and privacy law

  3. Motivation
  • Compliance with different regulations is of primary concern for any organization when defining its business processes.
    • $30B compliance business in 2007 [AMR Research, Feb’07]
  • Many organizations, especially in healthcare, use a document-based method to track compliance.
  • Document-based methods require much effort to document compliance and manage change, and yet they are usually incomplete.
  • Model-based approaches have much potential for change management but are often separated from their source documents, which provide the final authority.

  4. Three Wishes…
  • A framework that can model organizational policies, procedures and legislative documents in the same notation
  • Support for useful links:
    • within views of a model (goals and processes)
    • between two models (organization and legislation)
    • between models and legislation and other documents
  • A way to manage the evolution of any part (legislation, business processes, etc.) in order to assess the global impact and ensure compliance in the new context

  5. Related Work
  • Not all wishes are granted in existing frameworks!
  • Darimont et al. use KAOS to model regulations with goals
    • No real traceability between processes and legal model
  • Rifaut et al. apply goal-based models for the compliance of financial systems to Basel II regulations
    • Does not really provide any kind of traceability
  • He et al. use ReCAPS to ensure policy- and requirements-compliant systems.
    • Does not include business processes
  • Breaux et al. use semantic parameterization to extract rights and obligations from the HIPAA privacy rules.
    • No links to organization policies and procedures

  6. Compliance Management Framework
  • Modelling with the User Requirements Notation (URN)
  • URN is being standardized by ITU-T (Z.150) and combines:
    • Goal-oriented Requirement Language (GRL)
      • Subset of i* syntax + NFR Framework evaluations
    • Use Case Map (UCM) scenarios
  • URN connects goals (why) and business processes (W4)

  7. Compliance Management Framework
  • Provides a set of links to connect the policy and procedure documents of an organization to legislation documents
  • Other links/models provide little return on investment

  8. Example of GRL Model for a Law
  • Legislation Document: “A hospital shall not use the personal information of an individual unless a) it has the individual’s consent and b) the information is necessary for a lawful purpose. …”
  • GRL Model (actor Hospital): Prevent from Unauthorized Use, Have Legal Purpose, Have Individual Consent
  • Figure: the GRL model elements are connected to the legislation document clauses by source links.

  9. Example of URN Model for an Organization
  • GRL model (actor Hospital): Prevent from Unauthorized Use, Limit Use to Authorized User, Have Username and Password, Have Individual Consent (legend: softgoal, goal, task, actor)
  • UCM model: component Hospital with responsibilities, connected to the GRL elements by resp links
  • Completeness issues and inconsistencies could be detected during modelling…

  10. URN Modelling with jUCMNav

  11. Traceability with Telelogic DOORS

  12. Evaluation of Link Types

  13. Framework Metamodel
  • Metamodel extended to define links between URN models and between each URN model and its source document in the requirements management system (e.g. DOORS)
  • Helps identify which elements of the legislation model are connected to elements of the organization model.
  • Helps determine which links need to be created manually and which ones can be inferred automatically.

  14. Framework Metamodel (DOORS View)
  • Figure: Organization Metamodel and Law Metamodel

  15. Auto-Completion Mechanism
  • Responsibility and compliance links (via DXL scripts), e.g.:

  16. Healthcare Case Study
  • Policies and procedures for accessing a healthcare data warehouse in a major teaching hospital in Ontario, Canada
  • Focus on researchers as main information users
  • Compliance to privacy legislation
    • PHIPA: Personal Health Information Privacy Act (Ontario)
    • Aims to protect privacy and confidentiality of personal health information while facilitating the healthcare provision.
    • Set of rules for the collection, use and disclosure of personal health information.
    • 75 sections, amended five times since 2004.

  17. Case Study – PHIPA Compliance at Ontario Hospital
  • PHIPA Document (excerpt): HIC: Person or organization who has custody of PHI. A HIC may disclose PHI to a researcher if he/she (a) submits (i) an application, (ii) a research plan, (iii) a copy of REB approval, and (b) enters into the agreement …
  • Hospital Policy Document (excerpt): All requests for data from data warehouse will be evaluated based on technical feasibility, data availability, resource availability and REB approval for research. Policy 2 …
  • Figure: GRL Model of PHIPA, GRL Model of Hospital (goals such as Protect Privacy and Confidentiality of Hospital Data, Satisfy Privacy Regulations, Ensure Accountability, Prevent Unauthorized Use and Disclosure, Limit Disclosure of Data, Get to An Agreement with Data User; actors Researcher, HIC, Privacy Officer, DW Administrator, REB Committee) and UCM Model of Hospital (responsibilities requestForPHI, reviewRequest, getToAnAgreement, amendDocuments, getRejection), connected by source, complies, traces and resp links.
  • Discrepancies could be detected during modelling…

  18. Evolution of (Privacy) Legislation
  • Different scenarios by which legislation documents can be amended:
    • Addition of a New Clause
      • The clause refers to an existing actor, softgoal, goal or task
      • It introduces a new actor, softgoal, goal or task
    • Modify a Clause with Links
    • Delete a Clause with Links
    • Modify a Clause without Links

  19. Example: Amendment to PHIPA (addition of a new clause)

  20. Managing Evolving Business Processes or Policies
  • A policy or business process can evolve in 3 ways:
    • Modification of an existing process or policy
      • The existing process or policy has links to its GRL model and to the legislation GRL model
      • The existing process or policy does not have links to its GRL model or legislation GRL model
    • Addition of a new process or policy element
    • Removal of a process or policy element
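Added example (my own Python, not code from the paper, jUCMNav or DOORS): a minimal link model using the source, complies and resp link types from slides 8, 9 and 17, walked backwards and forwards to answer the change scenarios of slides 18 and 20. Element and clause names are constructed from the slides; identifiers such as "Hospital Policy 3" are placeholders.

```python
"""Illustrative compliance-link model (constructed, not the paper's tooling).
Links point towards the legal authority:
  UCM responsibility -resp-> org goal -complies-> law goal -source-> clause
so a change to a clause is traced backwards to affected processes, and a
change to a process is traced forwards to the clauses it must still satisfy."""
from collections import defaultdict


class ComplianceModel:
    def __init__(self):
        self.links = defaultdict(lambda: defaultdict(set))  # kind -> src -> {dst}
        self.rev = defaultdict(lambda: defaultdict(set))    # kind -> dst -> {src}

    def link(self, kind, src, dst):
        self.links[kind][src].add(dst)
        self.rev[kind][dst].add(src)

    def _walk(self, start, index, kinds):
        # Depth-first closure over the given link kinds, in one direction.
        seen, stack = set(), [start]
        while stack:
            node = stack.pop()
            for kind in kinds:
                for nxt in index[kind].get(node, ()):
                    if nxt not in seen:
                        seen.add(nxt)
                        stack.append(nxt)
        return seen

    def clause_impact(self, clause):
        """Slide 18: modify/delete a clause with links -> every law goal,
        org goal and responsibility that depended on it needs review."""
        return self._walk(clause, self.rev, ("source", "complies", "resp"))

    def process_impact(self, responsibility):
        """Slide 20: modify a responsibility with links -> the goals, policy
        and legislation clauses its compliance still has to be checked against."""
        return self._walk(responsibility, self.links, ("resp", "complies", "source"))

    def unlinked(self, org_goals):
        """Slide 20: org elements with no complies link cannot be traced to law
        automatically and must be reviewed by hand."""
        return [g for g in org_goals if not self.links["complies"].get(g)]


def build_sample():
    # Constructed sample after slides 8, 9 and 17; "Hospital Policy 3" is a placeholder.
    m = ComplianceModel()
    m.link("source", "Law:Have Individual Consent", "PHIPA clause (a)")
    m.link("source", "Law:Have Legal Purpose", "PHIPA clause (b)")
    m.link("complies", "Org:Have Individual Consent", "Law:Have Individual Consent")
    m.link("source", "Org:Have Individual Consent", "Hospital Policy 2")
    m.link("source", "Org:Have Username and Password", "Hospital Policy 3")
    m.link("resp", "requestForPHI", "Org:Have Individual Consent")
    m.link("resp", "reviewRequest", "Org:Have Individual Consent")
    return m
```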

  21. Example – Hospital Business Process Changed (modification of a UCM responsibility)

  22. Preliminary Analysis of the Framework
  • Compliance Management Framework requires less effort for documenting compliance and managing evolution.
    • More than compensates for modelling effort required
  • Also provides best coverage and overall comprehensibility.

  23. Conclusions
  • Tool-supported, URN-oriented framework to help document and maintain compliance between business processes and laws
  • New inter-model and inter-document links
  • Less effort and better coverage than other approaches when responding to change
  • Some evaluation and validation done via a healthcare case study, with promising results so far
  • S. Ghanavati’s thesis contains more examples and analysis results

  24. Issues and Future Work
  • Incomplete and expensive guidelines for creating URN models
    • Need to model more situations
    • Need to reduce the effort to model
      • Explore existing goal mining/extraction techniques
    • Involve lawyers (legislation model) validation and rules
  • Limited case study (1 process, 1 law)
    • Need more laws, business processes, and domains
    • Can a legislation GRL model be reused across organizations?
    • What if we have conflicting legal requirements?
  • Usability study and scalability evaluation
    • More quantitative measure of effort to model and exploit the links
    • Just how much do automated links help?
    • Ontology-based automatic linking?
    • Need more independent assessment to avoid bias
