Privacy Requirements Definition and Testing in the Healthcare Environment

By Julie McEwen, Julie Snyder

Privacy laws and regulations articulate many requirements at an abstract level. This can make it hard to turn requirements into system characteristics. This presentation addresses these challenges in the context of the healthcare environment.


Privacy laws and regulations articulate many privacy requirements at an abstract level. It can be challenging for system developers to translate these requirements into system and application characteristics. "Privacy testing" refers to specific system tests that are performed to ensure that privacy requirements are implemented correctly in systems. This is an important step to ensure that systems appropriately protect Personally Identifiable Information (PII). Privacy testing is especially vital for systems that process large amounts of Protected Health Information (PHI), to reduce the likelihood of errors in care and fraud and to reduce the overall cost of error in providing healthcare services. However, there has not yet been a broader effort to articulate privacy requirements at the system/application level and to use privacy testing to verify that basic privacy controls are implemented correctly within the healthcare environment.

This presentation offers ideas on how to engage with standards bodies to include healthcare-related privacy requirements and tests in standards and guidance documents used by the healthcare industry. One way to do this would be to revise the existing MITRE privacy risk management tool (PRIME) so that it can be used for privacy requirements definition and testing efforts in the healthcare environment.