Scenario 9

Core Facts:

Details of the scenario (and links to related rules, transaction logs, and data files).

Scenario Options:

Goal: We are trying to build scenarios that have complex points of failure. We are looking for a scenario in which

a) It is not possible to avoid the failure by telling a single person or group, "Don't do x again."

b) The rule violation cannot be caught simply by stopping a single transfer or group of transfers. The rules we're looking to enforce are of the form: even though actor A is entitled to have access to data D, it is not permissible to use D for purpose P.

Our optimal scenario will require computation and analysis to determine that an appropriate rule has not been followed, resulting in an adverse consequence to someone. We have identified three classes of scenarios that might be appropriate and described them below. It is worthy of note that, based upon last year's work, we believe we know how to build the computations for the first two classes, but that the third class would require new discoveries.
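The kind of computation described above, as an added example that is not part of the original page or the project's code: an audit over a transaction log in which every transfer is permitted, yet a use of derived data violates a rule of the form "A may access D, but may not use D for P". The log format, actors, categories and purposes are all constructed assumptions.

```python
# Added illustration. All actors, categories, purposes and log entries
# below are constructed sample data, not taken from the project.

# (actor, data category) pairs the actor is entitled to receive
ENTITLED = {("insurer", "health_record"), ("employer", "risk_score")}
# (data category, purpose) pairs that are not permitted, whoever holds the data
FORBIDDEN_USE = {("health_record", "employment_decision")}

LOG = [
    {"id": "t1", "type": "transfer", "data": "d1", "category": "health_record", "to": "insurer"},
    {"id": "t2", "type": "derive", "data": "d2", "from": ["d1"], "by": "insurer"},
    {"id": "t3", "type": "transfer", "data": "d2", "category": "risk_score", "to": "employer"},
    {"id": "t4", "type": "use", "inputs": ["d2"], "by": "employer", "purpose": "employment_decision"},
    {"id": "t5", "type": "use", "inputs": ["d1"], "by": "insurer", "purpose": "treatment_payment"},
]

def transfer_violations(log):
    """Transfer-level check: flag transfers to a recipient not entitled to the category."""
    return [e["id"] for e in log
            if e["type"] == "transfer" and (e["to"], e["category"]) not in ENTITLED]

def lineage_categories(log):
    """Map each data item to its own categories plus those of everything it derives from."""
    cats, parents = {}, {}
    for e in log:
        if e["type"] == "transfer":
            cats.setdefault(e["data"], set()).add(e["category"])
        elif e["type"] == "derive":
            parents[e["data"]] = e["from"]

    def resolve(item, seen=()):
        found = set(cats.get(item, ()))
        for parent in parents.get(item, ()):
            if parent not in seen:  # guard against cyclic derivations
                found |= resolve(parent, seen + (item,))
        return found

    return {item: resolve(item) for item in set(cats) | set(parents)}

def use_violations(log):
    """Use-level check: flag uses whose inputs trace back to a category forbidden for that purpose."""
    lineage = lineage_categories(log)
    hits = []
    for e in log:
        if e["type"] != "use":
            continue
        for item in e["inputs"]:
            for cat in sorted(lineage.get(item, ())):
                if (cat, e["purpose"]) in FORBIDDEN_USE:
                    hits.append((e["id"], cat, e["purpose"]))
    return hits
```

On this log the transfer-level check finds nothing, while the use-level check flags `t4`, because the risk score the employer received was derived from a health record.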

Adverse Consequences: In almost all of the proposed scenarios, if a non-permitted distribution of information occurred, the adverse consequence could be the loss of apartment, employment, health insurance, or other economic benefit based upon the perception of heightened risk to self or direct threat to the health of others. In some scenarios, if the failure to distribute information occurred, there may be the adverse consequence of failure to timely diagnose, leading to permanent disability or death.

A. Conflicting Rules

We can create a variety of scenarios in which the hospital or other health care providers are requested to provide information to the CDC and make the wrong decision by following the wrong privacy law. The regulations created to implement the Health Insurance Portability and Accountability Act (HIPAA) provide the reasoning to apply when a state law conflicts with the HIPAA Privacy Rule. For example,

B. Data Category Transformation

We can create scenarios in which data begins as one data category but becomes a different data category based upon circumstances. This creates challenges when different rules apply to the different categories.

C. Leakage

We can envision scenarios in which information was not transferred but can be inferred from circumstances. When the inference occurs, how will it be recognized and the appropriate controlling rules attached?


Relevant policies


maintained by K. Krasnow Waterman and Lalana Kagal.
$Revision: 3260 $ of $Date: 2007-06-27$