Page 1

Towards a Framework for Tracking Legal Compliance in Healthcare

Sepideh Ghanavati, Daniel Amyot, and Liam Peyton

CAiSE’07, Trondheim

Page 2

Presentation Overview

• Problem
– Complexity of documenting and managing compliance as legislation or business processes change.
• Target audience
– (Privacy) compliance managers, auditors, lawyers, business process modellers, requirements engineers…
• Contributions
– Requirements-oriented framework to model legislative compliance for business processes
– A meta-model (based on URN) that provides a set of compliance links
– A systematic method for tracking and managing compliance as legislation or business processes evolve
– Enhancements to existing modelling and traceability tools to support and validate these contributions
– Healthcare case study involving an Ontario hospital and privacy law

Page 3

Motivation

• Compliance with different regulations is of primary concern for any organization when defining its business processes.
– $30B compliance business in 2007 [AMR Research, Feb’07]

• Many organizations, especially in healthcare, use a document-based method to track compliance.

• Document-based methods require much effort to document compliance and manage change, and yet they are usually incomplete.

• Model-based approaches have much potential for change management but are often separated from their source documents, which provide the final authority.

Page 4

Three Wishes…

• A framework that can model organizational policies, procedures and legislative documents in the same notation

• Support for useful links:
– within views of a model (goals and processes)
– between two models (organization and legislation)
– between models and legislation and other documents

• A way to manage the evolution of any part (legislation, business processes, etc.) in order to assess the global impact and ensure compliance in the new context

Page 5

Related Work

• Not all wishes are granted in existing frameworks!

• Darimont et al. use KAOS to model regulations with goals
– No real traceability between processes and legal model
• Rifaut et al. apply goal-based models for the compliance of financial systems to Basel II regulations
– Does not really provide any kind of traceability
• He et al. use ReCAPS to ensure policy- and requirements-compliant systems.
– Does not include business processes
• Breaux et al. use semantic parameterization to extract rights and obligations from the HIPAA privacy rules.
– No links to organization policies and procedures

Page 6

Compliance Management Framework

• Modelling with the User Requirements Notation (URN)
• URN is being standardized by ITU-T (Z.150) and combines:
– Goal-oriented Requirement Language (GRL)
• Subset of i* syntax + NFR Framework evaluations
– Use Case Map (UCM) scenarios
• URN connects goals (why) and business processes (W4)

Page 7

Compliance Management Framework

• Provides a set of links to connect the policy and procedure documents of an organization to legislation documents

• Other links/models provide little return on investment

[Figure: overview of the framework. The Legislation Model (GRL: softgoals, goals, tasks and actors) is connected by Source Links to the Law and Legislation Documents. The Organization Model (GRL: softgoals, goals, tasks and actors; UCM: business processes) is connected by Source Links to the Policies and Procedure Documents. Three numbered link types are shown: 1. Traceability Link, 2. Compliance Link, 3. Responsibility Link.]

Page 8

Example of GRL Model for a Law

Legislation Document
– A hospital shall not use the personal information of an individual unless a) it has the individual’s consent and b) the information is necessary for a lawful purpose. …

[Figure: GRL model derived from the clause, with source links from the model elements back to the Legislation Document. Actor Hospital contains the elements Prevent from Unauthorized Use, Have Legal Purpose and Have Individual Consent.]

Page 9

Example of URN Model for an Organization

[Figure: URN model of the organization. GRL view inside actor Hospital: Prevent from Unauthorized Use, Have Individual Consent, Limit Use to Authorized User, Have Username and Password; resp links connect GRL elements to UCM responsibilities. Legend: Softgoal, Goal, Task, Actor, Responsibility, Component.]

Completeness issues and inconsistencies could be detected during modelling…

Page 10

URN Modelling with jUCMNav

[Screenshot: jUCMNav showing the UCM View, GRL View, Scenarios and Strategies, and Properties panes.]

Page 11

Traceability with Telelogic DOORS

[Screenshot: DOORS project showing a Folder, a Formal Module and a Link Module, with Object Heading, Object Text, Link Indicator and a Suspect Link annotated.]

Change-bar legend:
– “Changed this session”: change-bar, unsaved (red)
– “Changed since baseline”: change-bar, saved (yellow)
– “No change since baseline”: change-bar (green)

Page 12

Evaluation of Link Types

Criteria per link type (Traceability Link; Compliance Link; Responsibility Link):
• Granularity
– Traceability Link: Softgoals, Goals, Tasks & Actors
– Compliance Link: Legislative Text
– Responsibility Link: Responsibilities, Components (Actors), Maps (Operational Processes)
• Functionality
– Traceability Link: Handle Traceability of Non-Functional Requirements and Tasks
– Compliance Link: Handle Exceptions and Constraints
– Responsibility Link: Handle Traceability of Business Processes
• Quantity of Manual Links: Many; Small; Small
• Precision: Precise; Very Precise; Very Precise
• Difficulty: Moderate; Difficult; Moderate
• Importance of Completeness: Very Important; Not Important; Very Important

Page 13

Framework Metamodel

• Metamodel extended to define links between URN models and between each URN model and its source document in the requirements management system (e.g. DOORS)

• Helps identify which elements of the legislation model are connected to elements of the organization model.

• Helps determine which links need to be created manually and which ones can be inferred automatically.

Page 14

Framework Metamodel (DOORS View)

[Figure: class diagram with two packages. Organization Metamodel: Organization Model containing GRLdiagram, IntentionalElement, IntentionalElementRef, Actor, ActorRef, Responsibility, RespRef, Component, ComponentRef, UCMmap, Stub and Association, related by ref, refines, resp and boundTo associations, with source links to PolicyProcedureDocument. Law Metamodel: Legislation Model containing GRLdiagram, IntentionalElement, IntentionalElementRef, Actor, ActorRef and Association, related by ref, refines and boundTo associations, with source links to the Clause and Definition objects of a LawDocument. Cross-package links: traces, complies and resp. Multiplicities shown are 0..*, 0..1 and 1..*. Link legend: Manual-jUCMNav, Manual-DOORS, Automated-jUCMNav, Manual and automated-DOORS.]

Page 15

Auto-Completion Mechanism

• Responsibility and compliance links (via DXL scripts), e.g.:
– Organization-Actor traces Legislation-Actor, and Legislation-Actor sources Legislation-Definition, so Organization-Actor complies Legislation-Definition (automated)
– Organization-Intentional Element traces Legislation-Intentional Element, and Legislation-Intentional Element sources Legislation-Clause, so Organization-Intentional Element complies Legislation-Clause (automated)
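The two auto-completion rules above are a join on the shared legislation element. The following Python is an added example, not the authors' DXL scripts or jUCMNav code: it infers the automated complies links from manually created traces and source links, and then uses the same link sets for two defender-side checks that the slides motivate, clauses nobody complies with and legislation elements nothing traces to. All element and clause ids are constructed for the example (the clause ids are placeholders, not PHIPA section numbers).

```python
"""Auto-completion of compliance links: org --traces--> law --sources--> clause
yields org --complies--> clause. Added example; not the authors' code."""
from typing import Dict, Iterable, Set, Tuple

Link = Tuple[str, str]

# Constructed sample modelled on the case study: "org:" = hospital GRL model,
# "law:" = PHIPA GRL model, "clause:"/"definition:" = PHIPA document objects.
TRACES: Set[Link] = {
    ("org:Check Ethical Issues", "law:Check Ethical Issues"),
    ("org:Get to An Agreement with Data User", "law:Ask for Compliance Agreement"),
    ("org:Check Users Safeguards", "law:Check Adequate Safeguards"),
    ("org:Privacy Officer", "law:HIC"),  # actor-to-actor traceability link
}
SOURCES: Set[Link] = {
    ("law:Check Ethical Issues", "clause:PHIPA-REB-approval"),
    ("law:Ask for Compliance Agreement", "clause:PHIPA-agreement"),
    ("law:Check Adequate Safeguards", "clause:PHIPA-research-plan"),
    ("law:Check Research Plan", "clause:PHIPA-research-plan"),
    ("law:Limit Disclosure of Data", "clause:PHIPA-disclosure-limits"),
    ("law:HIC", "definition:PHIPA-HIC"),  # actor sourced from a definition
}


def infer_complies(traces: Iterable[Link], sources: Iterable[Link]) -> Set[Link]:
    """Join traces and sources on the legislation element (both slide rules:
    intentional element -> clause and actor -> definition)."""
    clauses_of: Dict[str, Set[str]] = {}
    for law_elem, clause in sources:
        clauses_of.setdefault(law_elem, set()).add(clause)
    complies: Set[Link] = set()
    for org_elem, law_elem in traces:
        for clause in clauses_of.get(law_elem, ()):
            complies.add((org_elem, clause))
    return complies


def uncovered_clauses(sources: Iterable[Link], complies: Iterable[Link]) -> Set[str]:
    """Clauses/definitions modelled on the legislation side that no
    organization element complies with: candidate compliance gaps."""
    modelled = {clause for _, clause in sources}
    covered = {clause for _, clause in complies}
    return modelled - covered


def unlinked_law_elements(traces: Iterable[Link], sources: Iterable[Link]) -> Set[str]:
    """Legislation elements with a source but no traceability link from the
    organization model: they need a manual link or reveal a missing process."""
    traced = {law_elem for _, law_elem in traces}
    return {law_elem for law_elem, _ in sources} - traced


if __name__ == "__main__":
    inferred = infer_complies(TRACES, SOURCES)
    for org_elem, clause in sorted(inferred):
        print(f"{org_elem} complies {clause}")
    print("uncovered:", sorted(uncovered_clauses(SOURCES, inferred)))
    print("untraced law elements:", sorted(unlinked_law_elements(TRACES, SOURCES)))
```

With the sample data the script derives four complies links and reports one uncovered clause and two untraced legislation elements; in the framework these would be the discrepancies a modeller resolves by hand, which is why the slides rate completeness of traceability links as very important.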

Page 16

Healthcare Case Study

• Policies and procedures for accessing a healthcare data warehouse in a major teaching hospital in Ontario, Canada
– Focus on researchers as main information users
• Compliance to privacy legislation
• PHIPA: Personal Health Information Privacy Act (Ontario)
– Aims to protect privacy and confidentiality of personal health information while facilitating the healthcare provision.
– Set of rules for the collection, use and disclosure of personal health information.
– 75 sections, amended five times since 2004.

Page 17

Case Study – PHIPA Compliance at Ontario Hospital

[Figure: GRL Model of PHIPA. Actors HIC and REB Committee. Elements: Satisfy Privacy Regulations, Protect Confidentiality, Prevent Unauthorized Disclosure, Limit Disclosure of Data, Ask for Compliance Agreement, Ask for REB Approval, Check Research Plan, Check Adequate Safeguards, Check Ethical Issues, with And decompositions.]

[Figure: GRL Model of Hospital. Actors DW Administrator, REB and Privacy Officer. Elements: Protect Privacy and Confidentiality of Hospital Data, Prevent Unauthorized Use and Disclosure, Ensure Accountability of Data User, Check Ethical Issues, Get to An Agreement with Data User, Check Request Form, Check with Privacy and Confidentiality Legislations, Check Users Safeguards.]

Hospital Document (HIC Policy Document)
– All requests for data from data warehouse will be evaluated based on technical feasibility, data availability, resource availability and REB approval for research.
– Policy 2…

PHIPA Document
– HIC: Person or organization who has custody of PHI.
– A HIC may disclose PHI to a researcher if he/she, (a) submits: (i) an application, (ii) a research plan, (iii) a copy of REB approval; (b) enters into the agreement…

[Figure: UCM Model of Hospital. Components Researcher and Hospital. Path: requestForPHI, reviewRequest, then Accept (getToAnAgreement) or Reject (getRejection, amendDocuments, then [NewRequest] or [GiveUp]). Source links connect the models to the documents; resp links connect GRL elements to UCM responsibilities; traces links connect the hospital GRL model to the PHIPA GRL model; complies links connect hospital elements to the PHIPA Document.]

Discrepancies could be detected during modelling…

Page 18

Evolution of (Privacy) Legislation

• Different scenarios by which legislation documents can be amended:
– Addition of a New Clause
• The clause refers to an existing actor, softgoal, goal or task
• It introduces a new actor, softgoal, goal or task
– Modify a Clause with Links
– Delete a Clause with Links
– Modify a Clause without Links

Page 19

Example: Amendment to PHIPA (addition of a new clause)

PHIPA Document
– HIC: Person or organization who has custody of PHI.
– A research plan must be in writing and set out, a) the affiliation of each person involved in the research, b) the nature and objectives of the research, c) information as to how and when the PHI will be disposed of or returned to the HIC, d) a description of the reasonably foreseeable harms and benefits that may arise from the use of the PHI.

Add a New Clause (source link from the PHIPA Model)

[Figure: Impact on GRL, PHIPA Model. Actor HIC. Elements: Set Rules for Disclosure, Satisfy Privacy Regulation, Protect Confidentiality, Prevent Unauthorized Disclosure, Ask for Compliance Agreement, Ask for REB Approval, Ask for Research Plan, Check Nature and Objective, Check Affiliation of People Involved, with And decompositions.]

[Figure: Impact on GRL, Hospital Model. Actors DW Administrator, REB and Privacy Officer. Elements: Protect Privacy and Confidentiality of Hospital Data, Prevent Unauthorized Use and Disclosure, Ensure Security of Data, Ensure Accountability of Data User, Check Ethical Issues, Reach An Agreement with Data User, Review User’s Technical Competency, Check Requested Data Type, Audit Safeguards, Check Research Plan, Check Users Safeguards, Check Disposal Method; complies link to the new clause.]

[Figure: Impact on UCM, labelled Add a New Task. Components Researcher and Hospital. Path: in1, getTheForm, filloutTheForm, submitREBDocuments, submitApplication, receiveDocuments, out, with resp links.]

Page 20

Managing Evolving Business Processes or Policies

• A policy or business process can evolve in 3 ways:
– Modification of an existing process or policy
• The existing process or policy has links to its GRL model and to the legislation GRL model
• The existing process or policy does not have links to its GRL model or legislation GRL model
– Addition of a new process or policy element
– Removal of a process or policy element
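The evolution scenarios of this slide and of the legislation slide (addition, modification or deletion of an element, with or without links) reduce to one question: which links touch the changed element, and what lies behind them. The Python below is an added example, not the authors' code or the suspect-link logic of DOORS: it classifies a change into the with-links or without-links scenario and walks the typed links in both directions to list the elements and links a reviewer must re-examine, the set DOORS would show as suspect. The link records are constructed for the example and the clause ids are placeholders.

```python
"""Change-impact analysis over framework links. Added example; not the
authors' code. Links are (kind, a, b) triples; ids are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# source = model element to document object; traces = org GRL to law GRL;
# complies = org element to clause; resp = GRL task to UCM responsibility.
TypedLink = Tuple[str, str, str]
LINKS: List[TypedLink] = [
    ("source", "law:Ask for REB Approval", "clause:PHIPA-REB-approval"),
    ("traces", "org:Check Ethical Issues", "law:Ask for REB Approval"),
    ("complies", "org:Check Ethical Issues", "clause:PHIPA-REB-approval"),
    ("resp", "org:Check Ethical Issues", "ucm:reviewRequest"),
    ("source", "org:Check Ethical Issues", "policy:HIC-Policy-1"),
    ("source", "law:Limit Disclosure of Data", "clause:PHIPA-disclosure-limits"),
]


@dataclass
class ImpactReport:
    scenario: str                       # e.g. "modify-with-links"
    affected: List[str] = field(default_factory=list)   # elements to re-check
    suspect: List[TypedLink] = field(default_factory=list)  # links to re-validate


def _index(links: Iterable[TypedLink]) -> Dict[str, Set[TypedLink]]:
    """Element id -> links that touch it (either end)."""
    by_elem: Dict[str, Set[TypedLink]] = defaultdict(set)
    for link in links:
        _, a, b = link
        by_elem[a].add(link)
        by_elem[b].add(link)
    return by_elem


def assess(changed: str, op: str, links: Iterable[TypedLink]) -> ImpactReport:
    """op is 'add', 'modify' or 'delete'. Links are followed in both
    directions, so a changed clause reaches the organization's GRL elements,
    UCM responsibilities and policy documents, and a changed responsibility
    reaches the clauses it ultimately complies with."""
    by_elem = _index(links)
    linked = bool(by_elem.get(changed))
    report = ImpactReport(f"{op}-{'with' if linked else 'without'}-links")
    if not linked:
        return report  # unlinked element: model and link it before assessing
    seen, stack, suspect = {changed}, [changed], set()
    while stack:
        cur = stack.pop()
        for link in by_elem[cur]:
            suspect.add(link)  # every traversed link needs review
            _, a, b = link
            nxt = b if a == cur else a
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    report.affected = sorted(seen - {changed})
    report.suspect = sorted(suspect)
    return report


if __name__ == "__main__":
    for elem, op in [("clause:PHIPA-REB-approval", "modify"),
                     ("ucm:reviewRequest", "delete"),
                     ("clause:PHIPA-new-research-plan", "add")]:
        r = assess(elem, op, LINKS)
        print(f"{elem} ({r.scenario}): {len(r.affected)} elements, {len(r.suspect)} suspect links")
```

The walk deliberately over-approximates: it stops at nothing short of the connected component, so a clause amendment flags the hospital policy document behind the complying element even when only the GRL task needs a wording change. That matches the slides' intent that the framework surface every candidate impact and leave the judgement to the compliance manager, and it is the conservative choice for an audit trail.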

Page 21

Example – Hospital Business Process Changed

(modification of a UCM responsibility)

Page 22

Preliminary Analysis of the Framework

• Compliance Management Framework requires less effort for documenting compliance and managing evolution.
– More than compensates for modelling effort required
• Also provides best coverage and overall comprehensibility.

Comparison (Document-based; Model-based; Full Compliance Framework):
• Definition: No Model and No Link; Models but No Link; Models, Documents and Links
• Effort
– Modeling: Zero; High; High
– Documenting Compliance: Highest; High; Low
– Managing Evolution: Highest; High; Low
• Coverage
– Modeling: Complete; Almost Complete; Complete
– Documenting Compliance: Almost Zero; Incomplete; Complete
– Managing Evolution: Almost Zero; Low; Almost Complete
• Comprehensibility: Low; High; High

Page 23

Conclusions

• Tool-supported, URN-oriented framework to help document and maintain compliance between business processes and laws
– New inter-model and inter-document links
– Less effort and better coverage than other approaches when responding to change

• Some evaluation and validation done via a healthcare case study, with promising results so far

• S. Ghanavati’s thesis contains more examples and analysis results

Page 24

Issues and Future Work

• Incomplete and expensive guidelines for creating URN models
– Need to model more situations
– Need to reduce the effort to model
• Explore existing goal mining/extraction techniques
– Involve lawyers (legislation model) validation and rules
• Limited case study (1 process, 1 law)
– Need more laws, business processes, and domains
• Can a legislation GRL model be reused across organizations?
• What if we have conflicting legal requirements?
– Usability study and scalability evaluation
– More quantitative measure of effort to model and exploit the links
• Just how much do automated links help?
• Ontology-based automatic linking?

• Need more independent assessment to avoid bias