Logical Specification of the GLBA and HIPAA Privacy Laws

Abstract

Despite the wide array of frameworks proposed for the formal specification and analysis of privacy laws, there has been comparatively little work on expressing large fragments of actual privacy laws in these frameworks. We attempt to bridge this gap by presenting what we believe to be the most complete logical formalizations of the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) to date. Specifically, we formalize xx6802 and 6803 of GLBA and xx164.502, 164.506, 164.508, 164.510 164.512, 164.514, and 164.524 of HIPAA. The remaining sections of both laws are not stated in terms of operational requirements, and therefore cannot be formalized in our model. Along the way, we also give a novel extension of an existing privacy logic with real-time features and xed point operators; these provide the expressive power necessary to capture legal clauses found in GLBA and HIPAA involving bounded-time obligations and reuse of information.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Apr 29, 2010
Accession Number
ADA571991

Entities

People

  • Anupam Datta
  • Deepak Garg
  • Dilsun Kırlı Kaynar
  • Henry Deyoung

Organizations

  • Carnegie Mellon University

Tags

DTIC Thesaurus Topics

  • Commerce
  • Cybersecurity
  • Domestic Violence
  • Electronic Commerce
  • Electronic Mail
  • Families (Human)
  • Health Care
  • Health Services
  • Institutional Review Board
  • Law
  • Medical Personnel
  • Military Personnel
  • National Security
  • Network Protocols
  • Personnel Management
  • Public Health
  • Standards

Fields of Study

  • Computer science

Readers

  • Computational Linguistics
  • Government and Public Administration Law.