TRUCE: TRUsted Compliance Enforcement Service for Secure Health Data Exchange
Dae-young Kim, Karuna Pande Joshi
TL;DR
The paper presents TRUCE, a trust- and veracity-aware framework for secure health data exchange under HIPAA and DUA constraints. It integrates static regulatory ground truth with dynamic organizational policies through ontologies and a Trusted Middleware that computes and enforces trust and veracity scores in real time. SPARQL policy reasoning over a knowledge graph enables data-access decisions, and validation on CDC Contact Tracing data up to one million records demonstrates favorable time complexity properties. By extending prior work with veracity and DUA ontologies, the framework supports regulated, explainable data sharing while acknowledging current limitations and outlining avenues for broader policy coverage and game-theoretic enhancements.
Abstract
Organizations are increasingly sharing large volumes of sensitive Personally Identifiable Information (PII), like health records, with each other to better manage their services. Protecting PII data has become increasingly important in today's digital age, and several regulations have been formulated to ensure the secure exchange and management of sensitive personal data. However, at times some of these regulations are at loggerheads with each other, like the Health Insurance Portability and Accountability Act (HIPAA) and Cures Act; and this adds complexity to the already challenging task of Health Data compliance. As public concern regarding sensitive data breaches grows, finding solutions that streamline compliance processes and enhance individual privacy is crucial. We have developed a novel TRUsted Compliance Enforcement (TRUCE) framework for secure data exchange which aims to automate compliance procedures and enhance trusted data management within organizations. The TRUCE framework reasons over contexts of data exchange and assesses the trust score of users and the veracity of data based on corresponding regulations. This framework, developed using approaches from AI/Knowledge representation and Semantic Web technologies, includes a trust management method that incorporates static ground truth, represented by regulations such as HIPAA, and dynamic ground truth, defined by an organization's policies. In this paper, we present our framework in detail along with the validation against the Health Insurance Portability and Accountability Act (HIPAA) Data Usage Agreement (DUA) on CDC Contact Tracing patient data, up to one million patient records. TRUCE service will streamline compliance efforts and ensure adherence to privacy regulations and can be used by organizations to manage compliance of large velocity data exchange in real time.