DocumentCode :
1904012
Title :
The role of data use agreements in specifying legally compliant software requirements
Author :
Schmidt, Jessica Young ; Antón, Annie I. ; Williams, Laurie ; Otto, Paul N.
Author_Institution :
Dept. of Comput. Sci., North Carolina State Univ., Raleigh, NC, USA
fYear :
2011
fDate :
30-30 Aug. 2011
Firstpage :
1
Lastpage :
4
Abstract :
Security and privacy requirements are often not explicitly stated and are often not easy to elicit. In this paper, we discuss data use agreements (DUAs) as a source of security and privacy requirements that can be leveraged by requirements engineers. Within the healthcare domain, regulations created pursuant to the U.S. Health Insurance Portability and Accountability Act (HIPAA) specify that a DUA must exist for certain uses and disclosures of protected health information as a limited data set. For compliance reasons, it is important for requirements engineers to ask for and evaluate DUAs, as they are legally binding on the parties. We discuss HIPAA-governed DUAs and the information contained within them. Using four DUAs, we apply commitment, privilege, and right (CPR) analysis to identify legally compliant requirements. Through this work, we have identified contractual compliance requirements while also identifying compliance problems in relation to DUAs.
Keywords :
data privacy; formal specification; formal verification; security of data; systems analysis; HIPAA-governed DUA; U.S. health insurance portability; data use agreement; healthcare domain; legally compliant software requirement; privacy requirement; security requirement; Law; Medical services; Natural languages; Organizations; Privacy; Software; HIPAA; commitments; contractual compliance requirements; data use agreements; legal compliance; privileges; requirements; rights;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Requirements Engineering and Law (RELAW), 2011 Fourth International Workshop on
Conference_Location :
Trento
Print_ISBN :
978-1-4577-0947-0
Electronic_ISBN :
978-1-4577-0947-0
Type :
conf
DOI :
10.1109/RELAW.2011.6050266
Filename :
6050266