J. Software Engineering & Applications, 2009, 2: 67-76
doi:10.4236/jsea.2009.22011 Published Online July 2009 (www.SciRP.org/journal/jsea)
Copyright © 2009 SciRes JSEA
Interpretation of Information Processing Regulations
Sabah Al-Fedaghi
Computer Engineering Department, Kuwait University, Kuwait City, Kuwait.
Email: sabah@eng.kuniv.edu.kw
Received February 2nd, 2009; revised April 14th, 2009; accepted April 15th, 2009.
Laws and policies impose many information handling requiremen ts on business practices. Comp liance with such regu-
lations requires identification of conflicting interpretations of regulatory conditions. Current software engineering
methods extract software requ irements by converting legal text into semiformal constraints and rules. In this paper we
complement these methods with a state-based model that includes all possibilities of information flow. We show that
such a model provides a fou ndation for the interpretation process.
Keywords: Software Requirement, Laws, Regulation, Privacy, Personal Identifiable Informa tion
1. Introduction
Laws, regulations, and policies such as the Health Insur-
ance Portability and Accountability Act (HIPAA) Pri-
vacy Rule and the Telecommunications Act of 1996 im-
pose many requirements on business practices for han-
dling information. In 2006, 161 billion gigabytes of
digital information were created, captured, and replicated
[1]. It is estimated “that today, 20% of the digital uni-
verse is subject to compliance rules and standards, and
about 30% is potentially subject to security applications”
[1]. In 2005, more than 20,000 regulations were passed
related to creation, storage, access, maintenance, and
retention of information [2].
Compliance with these laws, regulations, and policies
requires identification of conflicting interpretations of
regulatory requirements. The information system needs
to be aligned with legal and regulatory requirements in
order to be in compliance.
Statements of regulations in legal documents relevant
to information processing contain a great deal of natural
language ambiguity that makes it difficult to formalize
requirements and constraints in software systems. The
basic problem can be viewed as how to extract software
requirements from regulations.
Researchers have introduced different methods for
converting legal language into semiformal specifications;
nevertheless, the approaches to interpreting legal text
lack compatibility with the software-engineering style o f
problem solving. A need exists for an underlying infor-
mation-processing model of the different information
processing systems, similar to the classical communica-
tion model of sender, receiver, and message. Terms such
as “collecting,” “processing,” “disclosing,” and so forth
are used loosely, without a p attern tying th em tog ether as
actions based on information. We will demonstrate such
aspects in an example after introducing our model.
So, what is the software-engineering style of problem
solving that ought to be applied to interpretation of regu-
lations to meet software requirements? It involv es simply
constructing an information flow model, and taking into
account all possible types of actions utilized in process-
ing information. While it is not practical to take into ac-
count every possible interpretation, we propose a state-
based model that includes a limited number of possibili-
ties for software responses to all categories of informa-
tion handli n g.
2. Related Work
The software engineering field is rich with work related
to software requirements for domain and systems de-
scriptions. Methods have been proposed to extract re-
quirements from policies and regulations using formal
models [3], semantic parameterization [4], and ontology
[5]. Several publications deal with the problem of ex-
tracting goals from natural language documents and
Internet privacy policies [6,7]. Breaux and Antón [4,8]
developed a method to trace the words in regulations to
semantic primitives. Giorgini et al. [9] described a
framework that enables modeling of actors and goals and
their relationships. May et al. [3] introduced a method-
ology to extract formal models from regulations and ap-
plied it to the HIPAA Privacy Rule.
Interpretation of Information Processing Regulations
Figure 1. Information states in FM with the possibility of triggering another type of flow
We will concentrate on the recent methodology of
Breaux and Antón [10] “to extract access rights and ob-
ligations directly from regulation texts . . . [and] present
results from applying this methodology to the entire
regulation text of the U.S. Health Insurance Portability
and Accountability Act (HIPAA) Privacy Rule.” In our
case, we will discuss a very limited portion of such a
commendable venture .
Information processing models have evolved from the
classic 1949 Shannon-Weaver communication theory of
transference of electrical signals from sender to receiver.
Nevertheless, the main aspect of Shannon and Weaver’s
model is communication, while information appears as a
secondary component of the model. The “transmitted
materials” in this communication can be information,
data, meaningless signals, energy, or, with proper per-
spective, other entities.
We are interested more in information properties than
in the communication act itself. Such an approach con-
centrates solely on information, while communication
aspects (as important as they are) become secondary fea-
tures of the flow of information. This paper introduces an
information flow model that includes five stages: collec-
tion, processing, creation, disclosure, and communica-
tion. Such a model provides a better framework on which
to base interpretation of information handling processes.
3. Model of Information Flow
The flow model (FM) has been proposed and used in
several applications. In FM, the flow of flowThings in-
dicates movement inside and between spheres. The
sphere is the environment of the flow and includes five
stages that may be sub-spheres, each with its own
five-stage schema. The stages may be named differently;
for example, in an information sphere, a stage may be
called communication, while in action flow, the same
stage is called transferring.
To illustrate the notion of flowThing, we will assume
that the “thing that flows” is information. We use the
term information to refer to information and misinforma-
tion, as in common usage where a reporting statement
can be true or false. An information sphere denotes the
information environment. The lifecycle of information is
a sequence of states in its lifecycle, as follows: 1) Re-
ceived, 2) Processed (in a way that changes its form, but
not content), 3) Released, 4) Communicated (to another
sphere), and 5) Created (i.e., a new piece of information).
These five states of information form the main stages of
the stream of flow, as illustrated in Figure 1. Each stage
may include sub-stages, such as storage and usage.
The states shown in Figure 1 are exclusive in the sense
that if information is in one state, then it is not in any of
the other four states. Consider a piece of information, ,
possessed by a hospital; is thus in one of the following
1) has just been collected from some source (patient,
friend, sent by some agency) and stored in the hospital
record, waiting to be used. It is collected (row) informa-
tion that has not yet been processed by the hospital.
2) has been processed in some way, converted to
another form (e.g., digital), translated, compressed, etc.
Also, it may be stored in the hospital information system
as processed data waiting for some use.
3) has actually been created in the hospital as the
result of doctor’s diagnoses, lab tests, etc. Thus, is in
the possession of the hospital as created data to be used.
4) is being released from the hospital infosphere. It
is designated disclosed information ready for transfer.
Analogous to a factory environment, represents materi-
als ready to be shipped outside the factory. It may actu-
Copyright © 2009 SciRes JSEA
Interpretation of Information Processing Regulations 69
ally be stored for some period waiting to be transported;
nevertheless, its designation as “for export” keeps it in
such a state.
5) is in a transfer state, being transferred between
two infospheres. It has left the disclosure state and will
enter the collection state, where it will become collected
information in the new infosphere.
It is not possible for processed information to directly
become collected information in the same infosphere.
Processed information can become collected information
in another infosphere by first becoming disclosed infor-
mation, and then transferred information, in order to ar-
rive at the other environment.
We use this model, called the information flow model
(IFM), to classify information in generic theoretical
categories that can be applied in any infosphere, includ-
ing laws and regulations. According to Kurt Lewin,
“There is nothing quite as practical as a good theory.”
Consider the following extract from the Safety Offi-
cer’s Briefing Book of the United States Air Force Aux-
iliary [11]:
Water vapor is an invisible gas, similar to nitrogen
and oxygen, the two gases which make up 98% of our
atmosphere. We see clouds and fog when the gaseous
water vapor is cooled sufficiently to allow a change of
state from gas to liquid. We see snow, sleet, and hail
when the liquid water is further cooled to a solid state.
And when water changes directly from gas to solid it
becomes frost, through a process called “sublimation.”
[Italics added.]
Imagine this to be a statement of regulations with no
model of water circulation among its states of liquid
(water), gas (vapor, fog), and solid (ice). We could
probably manage to write safety regulations using terms
such as “clouds” and “frost,” as in the following rewrite
of the previous quote:
Water is an invisible material, similar to nitrogen and
oxygen, the two gases which make up 98% of our at-
mosphere. We see clouds and fog when the water is
cooled sufficiently. We see snow, sleet, and hail when
the water is further cooled. And when water changes, it
becomes frost, through a process called “sublimation.”
A great deal of conceptual clarity is lost without
specification of the three natural states of water in a
model of its circulation among those states. Similarly,
information handling regulations not based on the infor-
mation flow model are simply vague descriptions of the
proper way to handle information.
As another example, consider applying the IFM to
HIPAA Privacy Rule [12]. According to the Privacy
Rule, “A covered entity may use or disclose, without an
individual’s authorization, the psychotherapy notes . . .”
[13]. We show that, in the context of IFM, use and dis-
close may be interpreted in several ways.
Psychotherapy notes are defined in the Rule as:
. . . notes recorded (in any medium) by a health care
provider who is a mental health professional document-
ing or analyzing . . . that are separated from the rest of
the individual’s medical record. Psychotherapy notes
exclude medication prescription and monitoring, coun-
seling session start and stop times, the modalities and
frequencies of treatment furnished, results of clinical
tests, and any summary o f the following items: diag nosis,
functional status, the treatment plan, symptoms, progno-
sis, and progress to date.
A psychotherapist collects information from four
1) The original medical record
2) Information created by the psychotherapist during a
3) New information revealed by the patient during a
4) Created information related to the session (e.g.,
start and stop times: Johns session is at 4 pm, John ar-
rived late for the session).
These clear categorizations of information can be sup-
plemented with the type of descriptions given by the rule
(e.g., summary of this type or that type). Each category
may require different constraints on its use and disclo-
sure. For example, releasing information of type (2) may
need the approval of the psychotherapist who wrote it,
while the decision to release information of category (1)
has nothing to do with the psychotherapist.
The point here is that the IFM allows more refined in-
terpretation of natural language description involving
operations on different types of information, such as dis-
closure. The example above includes at least three types
of disclosures: disclosure of collected information, dis-
closure of created information, and disclosure of proc-
essed information. Each type may need different disclo-
sure constraints [14].
4. Personal Identifying Information
This paper focuses on the HIPAA Privacy Rule; for that
purpose we regard personal identifiable information (PII)
as the main type of information and object of study [12].
The “circulation of PII” can be modeled in IFM as in-
formation f lo w.
It is typically claimed that what makes data “private”
or “personal” is either specific legislation (e.g., a com-
pany must not disclose information about its employees)
or individual agreements (e.g., a customer has agreed to
an electronic retailer's privacy policy); however, this line
of thought blurs the difference between personal identi-
fiable information and other “private” or “personal” in-
formation. Personal identifiable information has an “ob-
jective” definition in the sense that it is independent of
such authorities as legislation or agreement.
Copyright © 2009 SciRes JSEA
Interpretation of Information Processing Regulations
Copyright © 2009 SciRes JSEA
4.1 Definition of Personal Identifiable
In the information sphere, information is classified as per-
sonal identifiable information (PII) and non-identifiable
information (NII). Personal identifiable information is
information about singly identifiable persons, called
proprietors. PII is information that has referents who ar e
natural persons. Two types of PII can be identified:
1) Atomic personal information, where the information
refers to a single proprietor, e.g., John is 25 years old.
“Referent” here implies an identifiable (natural) person.
2) Compound personal information, where the infor-
mation refers to more than one proprietor, e.g., Mary
donated her kidney to Alice.
Any compound PII is privacy reducible to a set of
atomic PIIs [12].
4.2 Elaborated IFM Model for PII
“Handling information” involves observing the progress
of information from its arrival at the infosphere through
the various information stages until it ex its, or disap pears
from, the “information circulation system.” “Pieces of
information” circulating in the IFM (Figure 2) are envi-
sioned here as “informational objects” that have an exis-
tence within the information realm. This type of infor-
mation, the so-called “meme,” is “a hypothetical unit of
cultural transmission conceived not as an inert object but
as a quasi-organic entity endowed with the capacity of
self-replication” [4].
The flow model makes a piece of information visible
as soon as it enters the circulation system of IFM. In
most cases, the piece of information then moves repeat-
edly among the stages of the model. IFM includes types
of acts on information (labelled 1 through 14 in Figure 2)
that transform information from on e stage or sub-stag e to
Creation stage: In Figure 2, the creation stage in-
cludes two attached sub-stages: Storage and Actions.
New information is created (e.g., data mining generates
new information). The created information is utilized in
some way (called sub-stage actions in Figure 2; e.g., de-
cision making), stored, or immediately moved on to the
Figure 2. The Information Flow Model (IFM)
Interpretation of Information Processing Regulations 71
stages of processing or departure (disclosure and trans-
fer). In IFM, “action” refers to any utilization of infor-
For example, suppose a physician makes a new diag-
nosis of a disease (creates new information), such as
John Smith has AIDS. Such new information may be
generated by examining (mining) some data. John Smith
has AIDS is then communicated to an expert (disclosed
and transferred), or processed further (cycled through
processing-mining-creation-processing) to verify the
medical judgment. The physician creates (act 9) new
information and also uses the information in the pa tient’s
file for “treatment” (physical action). Another example
of uses in this context is “home delivery of medicin e to a
patient” (physical action) that uses the address informa-
Collection stage: The collection stage is the informa-
tion acquisition stage, when information is accepted from
external suppliers and fed into the IFM circulation sys-
tem. This stage includes the possibility of using the ar-
riving (raw) information; the sub-stage, Actions, in IFM
is therefore a way for information to exit the system (i.e.,
arriving information generates the action of physical
treatment, without further propagation in IFM). It also
includes the possibility of storing the collected informa-
Processing stage: The processing stage involves act-
ing on information (e.g., anonymization, data mining,
summarizing). Processing is performed on acquired in-
formation from the collection stage or the creation stage;
see Figure 2. In actual processing, information is modi-
fied in form or content.
IFM distinguishes between two types of processing:
ordinary processing, which does not produce new or in-
ferred information, and creation of new information (e.g.,
by mining). An example of creation of new information
is the categorization of diverse information used to reach
a decision, e.g., John is a risk. Other types of processing
that do not generate new information, but only change
the appearance of information, include comparing, com-
pressing, translating, and deleting.
Disclosure and transfer/communication stages: The
disclosure stage involves releasing information to those
outside the infosphere. It relies on the transfer stage to
carry information from the current infosphere to the col-
lection stage in another infosphere. When information is
in the transfer state, it is flowing (e.g., through a channel)
between two infospheres.
5. Application to Extraction Constraints
Healthcare regulations, such as HIPAA, are often diffi-
cult to grasp and interpret. Interpretation of HIPAA
regulations is of utmost importance because of the costs
associated with any misinterpretation. According to the
U.S. Department of Health and Human Services., the
healthcare industry will spend $17 .6 billion ov er the next
few years to bring their systems and procedures into
compliance with HIPAA [15].
Consequen tly, we limit this paper to applying the IFM
model to the problem of extracting software require-
ments from HIPPA regulations; however, this focus does
not mean the model cannot be applied to any other area
with information-handling regulations. Additionally, our
treatment is obviously incomplete in the sense that it is
not a rewriting of the entire regulation, since it aims
mainly to present a general methodo logy for interpreting
informational privacy regulations.
We will concentrate specifically on methodology re-
cently introduced by Breaux and Antón [10] for extract-
ing access rights and obligations directly from the text of
regulations. According to Breaux and Antón [10],
“‘rules’ are often precursors to software requirements
that must undergo considerable refinement and analysis
before they are implementable.” Breaux and Antón [10]
then present “a methodology to extract access rights and
obligations directly from regulation texts . . . to support
the software engineering effort to derive security re-
quirements from regulations.” The methodology will
then “identify and infer six types of data access con-
straints, handle complex cross-references, resolve ambi-
guities, and assign required priorities between access
rights and obligations to avoid unlawful information dis-
The following excerpt from Privacy Rule §164.510
(b)(1)(i) will be used to illustrate use of IFM to develop a
complete picture of situation s specified by the Rule.
A CE [Covered Entity] ma y, in accordance with pa ra-
graphs (b)(2) or (3) of this section, disclose to a family
member, other relative, or a close personal friend of the
individual, or any other person identified by the individ-
ual, the PHI [Protected Health Information] directly
relevant to such persons involvement with the individ-
ual’s care or payment related to the individuals health-
We discuss some of the constraints extracted by
Breaux and Antón [10] to exemplify ambiguities uncov-
ered by the definitions of PII and IFM.
Constraint 1: The PHI is directly relevant to the per-
son’s involvement in the individual’s care.
Comments: We should explicitly declare whether the
atomic PII is collected PII, processed PII, or created PII.
For example, the proprietor may agree to release his or
her telephone number (collected information), but not the
results of his or her lab examination (created PII), or his
or her doctor’s diagnosis (created PII).
Notice that the point here is not constraints on the
scope of information (e.g., address and phone number); it
Copyright © 2009 SciRes JSEA
Interpretation of Information Processing Regulations
is, rather, the right of the proprietor to be presented with
all alternative actions to which he or she can consent,
and the obligations of the stakeholder to provide the pro-
prietor with complete information for making informed
consent. The choices here are as follows:
- Disclosing only PII collected by the stakeholder from
other sources
- Disclosing PII processed by the stakeholder, such as
implied PII, translated PII, anonymized PII, etc.
- Disclosing created PII by the stakeholder, such as lab
results, doctors’ diagnoses, etc.
These actions deal with categories of PII and not spe-
cific PIIs; thus, it is practical to list this small number of
categories of which the proprietor approves disclosure.
Such classification of PII is also suitable for software
design and implementation in a decision-making system.
In general, the Privacy Rule permits uses and disclo-
sures for “treatment, payment and health care opera-
tions,” as well as certain other disclosures, without the
individual’s prior written authorization. What we pro-
pose is that such permission be categorized by the sys-
tem according to the type of PII, for example,
- Collected PII uses and disclosures for “treatment,
payment and health care operations” has a different ac-
cess policy than
- Created PII uses and disclosures for “treatment, pay-
ment and health care operations.”
For example, “uses and disclosures” of created PII
may need the approv al of its creator (e.g., the physician).
Constraint 2: PHI is directly relevant to the person’s
involvement in payment related to that person’s health-
Comment: PII “directly relevant to the person’s in-
volvement in payment related to the individual’s health-
care” may also be collected PII, processed PII, or created
PII. For example, disclosing such information may not
include a hospital’s own evaluation of the proprietor’s
financial reliability. It is similar to releasing “information
I have” (collected PII), but not “information I have in-
ferred” (created PII).
Constraint 3: The use is to carry out treatment, pay-
ment, or healt hcare operations.
Comments: The “uses” of collected PII, processed PII,
and created PII are different. In particular, created in-
formation carries different types of responsibilities from
those of collected PII that is then disclosed. The disclo-
sure that (According to our diagnoses) John Smith is an
AIDS patient (collected PII) has a different weight than
the disclosure that John Smith is an ABC employee (col-
lected PII) even though both disclosures are for the same
We conclude that IFM can enhance such a methodol-
ogy for extracting constraints from regulation texts. IFM
simply reveals all paths of information circulation; thus,
we can take into account all possible interpretations in
the text. Next, we apply IFM to the process called “se-
mantic parameterization,” proposed by Breaux and
Antón [10].
6. Enhanced Semantic Parameterization
According to Breaux and Antón [10], semantic parame-
terization is a process to “support engineers who map
natural language domain descriptions to models ex-
pressed in first-order predicate logic for the purpose of
performing automated reasoning and analysis” [16]. It
1) A reference system that systematically detects and
resolves such ambiguities.
2) Automated support for placing natural language-li-
ke inquiries across collections of requirements that an-
swer who, what, where, when , how, and why questions.
3) A means to formalize and compare different stake-
holder viewpoints.
Breaux and Antón [10] consider the following “prop-
erties” of information to be access–related activities:
a) The subject is the actor who performs an action on
an object in the activity. In the IFM, the subject is one of
the entities that acts on PII.
b) The action is the verb that affects information, such
as access, use, disclose, etc. The IFM limits the number
of acts on PII that can be applied here.
c) The modality modifies the action by denoting the
action as a right, obligation, or refrainment. Such a “mo-
dality” can be added after the backbone of the informa-
tion handli ng processes is de signed, as described next .
d) The object is limited to information, including the
name or date of birth of a patient, or an accounting of
disclosures. In IFM, information is limited to PII and
includes all acts and uses of information defined by the
model in Figure 2.
e) The target is the recipient in a transaction, such as
the recipient of a disclosure. The target in IFM is one of
the agents in PII transactions. There may be several
agents, as illustrated in Figure 3. It is also possible that
both sides of the transaction belong to the same organi-
In the IFM, we can identify all entities that may be in-
volved in handling PII in order to accomplish the same
thing that Breaux and Antón [10] extract from legal
wording. IFM gives a complete picture that includes all
entities and processes needed to produce a design descrip-
tion of the software, and no more. For example, a policy
for access-related activities can be specified according to
the type of entity (e.g., a collector—a clerk who fills pa-
tient data cannot access processed information).
Thus, the software engineer can design a system that
takes into consideration all cases of information flow.
The entities that may be involved in handling PII are
several, including proprietor, possessor, collector, proc-
essor, different types of users, different types of store-
keepers, (data) miner, creator, releaser, and transferor.
Copyright © 2009 SciRes JSEA
Interpretation of Information Processing Regulations
Copyright © 2009 SciRes JSEA
Figure 3. PII flow involving a proprietor and two agents
Consider the following example from Breaux and
Antón [10]:
Excerpt from Privacy Rule §164.522(a)(1):
(i) A CE must permit an individual to request that the CE
(A) Uses or disclosures of PHI about the individual to
carry out treatment, payment or healthcare opera-
tions; and
(B) Disclosures permitted under §164.510(b)
(ii) A CE is not required to agree to a restriction.
(iii) A CE that agrees to a restriction under paragraph
(a)(1)(i) of this section may not use or disclose PHI in
violation of such restriction, except that, if the individual
who requested the restriction is in and the restricted PHI
is needed to provide emergency treatment, the CE may
use the restricted PHI, or may disclose such informatio n
to a HCP, to provide such treatment to the individual.
Applying the Breaux and Antón [10] method to this
excerpt yields constraints and rules, some of which are as
- The use is to carry out treatment, payment, or health-
care operations.
- The disclosure is to carry out treatment, payment, or
healthcare operations.
- The CE agrees to a restriction.
- The individual requested the restriction.
- The individual is in need of emergency treatment.
- The PHI is needed to provide emergency treatment.
- A CE must permit an individual to request a restric-
- A CE is not required to agree to a restriction.
A software engineer then applies pa tterns to identify
rights, obligations, and constraints. For example, “the
basic activity pattern describes a subject who performs
an action on an object and modality distinguishes the
activity as a right, obligation or refrainment. Each rule
uses these two patterns to ensure that the statement has
precisely one subject, action, obj ect and modality” [10].
The IFM introduces an intermediate stage of analysis
that provides a foundation for the legal text. The excerpt
from Privacy Rule §164.522(a)(1) specifies relationships
between a CE and a proprietor: use and disclosure, as
described next.
6.1 The Use Relationship
Figure 4 shows the Use relationship embedded in the
excerpt. The CE is a possessor of PII about the propr ietor.
The CE may be a collector, processor, creator, store-
keeper, or (data) miner of this PII, or all or some of these
roles. In all cases, the relationship between the CE and
proprietor leads to some use (actions in IFM). The uses
are of two types:
- Use to “carry out treatment, payment, or healthcare
- Use for “need of emergency treatment” (dotted lines
in Figure 4).
The software engineer can represent all possible cases
in this situation. Thus, he or she can put constraints and
rules on the use of PII generated by the CE that are dif-
ferent from constraints and rules on use of PII collected
from outsiders, including the proprietor him/herself. If PII,
e.g., a bank account number, is given by the proprietor,
then obviously there are no restrictions on the use of such
PII to “carry out payment.” It would make no sense for a
patient to give his or her bank account number and then
request restrictions on CE use of such information to
“carry out payment;” therefore, the software engineer can
design a system such that it traces the source of PII, hence
focusing the rules accordingly. The IFM magnifies all
types of relationships between entities such that ambigu-
ty in the legal text can be easily spotted. i
Interpretation of Information Processing Regulations
Figure 4. A relationship between a proprietor and CE involving uses of PII
Figure 5. Relationship between proprietor and a situation involving CE disclosure of PII
6.2 The Disclosure Relationship
Now consider the disclosure relationship between the CE
and the proprietor embedded in Privacy Rule excerpt
§164.522(a)(1) given previously. The first question that
comes in mind is, what type of PII is disclosed? Is it col-
lected, processed, or created PII by the CE? Privacy Rule
§164.522(a)(1) lumps these types together.
Since the CE is the party who discloses PII, then the
user is the party who receives this information from the
CE. Thus, the relationship involves three entities: the CE,
the proprietor, and the receiver of PII, who uses it to
“carry out treatment, payment or healthcare operations”
and “disclosures permitted under §164.510(b).” Figure 5
represents this relationship.
Figure 5 depicts a proprietor (wide arrow) in a situa-
tion that includes the CE disclosing PII to a collecting
agent, who uses it to “carry out treatment, payment or
healthcare operations” and “disclosures permitted under
§164.510(b).” Figure 6 represents the disclosure condi-
tion as described by the Privacy Rule. In comparison with
Figure 5, the Privacy Rule is very brief and thus may
create ambiguity in disclosure possibilities.
6.3 Assigning Roles to Users
Previous sections demonstrate that the Privacy Rule’s
Copyright © 2009 SciRes JSEA
Interpretation of Information Processing Regulations 75
Figure 6. The Privacy Rule is very brief in describing the disclosure condition in comparison with the IFM
Figure 7. Laboratory as a user of PII
brevity hides types of uses and disclosures that may re-
quire different constraints and access rules. The notion of
purpose that Breaux and Antón [10] use to indicate the
goal of an activity remains to be discussed. In
Role-Based Access Control (RBAC) systems [17],
stakeholders (users) are permitted or denied access to
information based on their roles. Roles are assigned to
users, whereas purposes (we call them “uses”) are as-
signed to data. In IFM, instead of a mapping between
roles and purposes, a su b-grap h of IFM is assigned to the
users. For example, Figu re 7 shows a sub-graph assigned
to the laboratory as a user of PII in the hospital system.
The hospital system discloses PII to the lab as part of a
request for specimen testing. The lab possesses PII from
two sources: collected PII from the hospital system, and
cre a t e d PII in th e l a b i t s e l f (the top two boxes in Figure 7).
This PII is processed; mined and final conclusions are
generated, then disclosed back to the hospital syste m.
The whole sub-graph (which probably also includes
“Storage” sub-stages) represents the role of the lab. The
sub-graph replaces the purpose, “resting specimen in
laboratory.” Access permission/denial of lab workers is
decided according to their IFM (sub-graph). It is possible
that inside the lab’s IFM, several IFMs exist for the su-
perintendent of the lab, lab technician, etc.
In such a system, where the infospheres of different
PII possessors and users are very clear, it is possible to
implement disclosure and access requirements in the
fullest detail within a framework that can be understood
even by laymen. The proprietor can request restrictions
on disclosers to inside or outside handlers of PII in the
possession of the CE. The software engineer can design
the PII flow diagram as the network engineer draws the
communication network. The drawing can be comple-
Copyright © 2009 SciRes JSEA
Interpretation of Information Processing Regulations
mented with al l t y pes of requi rements at di fferent poi nt s of
PII flow. Complacence level can be claim ed accordi ngly.
7. Conclusions
In this paper we have proposed complementing current
software engineering methods to extract requirements
from legal text, with a model that includes all possibili-
ties of information flow. We have shown through exam-
ples that such a model provides a foundation for the in-
terpretation process. The IFM is very general, such that it
can be applied in all kinds of work in this area. We have
concentrated on the analysis of Breaux and Antón [10] in
order to reach some depth in illustrating the application
of the IFM.
A great deal of work is needed to integrate the IFM
into a workable product that generates the software re-
quirement. The most productive approach is to incorpo-
rate the model into an existing methodology, rather than
developing an IFM-based scheme from scratch. On the
other hand, as a future work, theoretical analysis can be
developed for the methodology to formally characterize
its features.
[1] D. Reinsel, C. Chute, W. Schlichting, J. McArthur, I.
Xheneti, A. Toncheva, and A. Manfrediz, “A for- ecast of
worldwide information growth through 2010.” An IDC
White Paper, 2007. http://www.emc.com/about/destina-
[2] Nexsan Technologies Inc, White paper on enabling in-
formation lifecycle management, 2005. http://www.me-
[3] M. J. May, C. A. Gunter, and I. Lee, “Privacy APIs: Ac-
cess control techniques to analyze and verify legal pri-
vacy policies,” 19th IEEE Workshop Computer Security
Foundations, pp. 85-97, 2006.
[4] T. D. Breaux and A. I. Antón, “Deriving semantic models
from privacy policies,” 6th IEEE International Workshop
on Policies for Distributed Systems and Networks, pp.
67-76, 2005.
[5] S-W. Lee, R. Gandhi, D. Muthurajan, D. Yavagal, and G-
J. Ahn, “Building problem domain ontology from secu-
rity requirements in regulatory documents,” International
Workshop on Software Engineering for Secure Systems,
Shanghai, China, pp. 43-50, 2006.
[6] A. I. Antón, J. B. Earp, Q. He, W. Stufflebeam, D. Bol-
chini, and C. Jensen, “Financial privacy policies and the
need for standardization,” IEEE Security and Privacy,
Vol. 2, No. 2, pp. 36-45, 2004.
[7] A. I. Antón, “Goal-based requirements analysis,” 2nd
IEEE International Conference on Requirements Engi-
neering, pp. 136-144, 1996.
[8] T. D. Breaux and A. I. Antón, “Analyzing goal semantics
for rights, permissions and obligations,” 13th IEEE In-
ternational Conference on Requirements Engineering, pp.
177-186, 2005.
[9] P. Giorgini, F. Massacci, J. Mylopoulos, and N. Zannone,
“Modeling security requirements through ownership,
permission and delegation,” 13th IEEE International
Conference on Requirements Engineering, pp. 167-176,
[10] T. Breaux and A. I. Antón, “Analyzing regulatory rules
for privacy and security requirements,” IEEE Transac-
tions on Software Engineering, Vol. 34, No. 1, pp. 5-20,
January 2008.
[11] D. Tindal, “Safety officer’s briefing book,” Civil Air
Patrol, United States Air Force Auxiliary, February 1
2000. http://www.iawg.cap.gov/archives/ iawgsafety-
[12] S. Al-Fedaghi, “Scrutinizing the rule: Privacy realization
in HIPAA,” International Journal of Healthcare Informa-
tion Systems and Informatics (IJHISI), Vol. 3, No. 2, 2008.
[13] HHS, “Summary of the HIPAA privacy rule,” U.S. De-
partment of Health & Human Services, 2003. http://www.
[14] S. Al-Fedaghi, “Software engineering interpretation of
information processing regulations”, IEEE 32nd Annual
International Computer Software and Applications Con-
ference (IEEE COMPSAC 2008), Turku, Finland, July
28–August 1, 2008.
[15] Office for Civil Rights, US Department of Health and
Human Services, “Medical privacy: National standards to
protect the privacy of personal health information,” 2000
[16] T. D. Breaux and A. I. Antón, “Semantic parameteriza-
tion: A conceptual modeling process for domain descrip-
tions,” North Carolina State University Computer Sci-
ence Technical Report TR-2006-35, October 2006.
[17] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E.
Youman, “Role-based access control models,” IEEE
Computer, Vol. 29, No. 2, pp. 38-47, 1996.
Copyright © 2009 SciRes JSEA