
Legal Requirements Metrics for Compliance Analysis

Posted on: 2013-09-07
Degree: Ph.D
Type: Dissertation
University: North Carolina State University
Candidate: Massey, Aaron Keith
Full Text: PDF
GTID: 1458390008966977
Subject: Computer Science
Abstract/Summary:
Laws and regulations safeguard citizens' security and privacy. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)[1] governs the security and privacy of electronic health records (EHR) systems. The U.S. Department of Health and Human Services (HHS), which is charged with creating, maintaining, and enforcing regulations pursuant to HIPAA, has required systematic changes in institutional privacy practices as a result of nearly 15,000 resolved HIPAA investigations.[2] HIPAA violations can result in serious monetary penalties. HHS recently fined one healthcare provider

This dissertation examines how software engineers can evaluate software requirements for compliance with laws and regulations. The main objective of this work is to help software engineers perform a legal compliance analysis for software intended to be deployed in domains governed by law by developing empirically validated: (a) techniques for determining which requirements are legally implementation ready (LIR);[4] (b) metrics to estimate automatically which requirements are LIR; and (c) a prototype tool that supports identifying LIR requirements using legal requirements metrics.

My empirical studies suggest that the average graduate-level software engineer is ill-prepared to identify legally compliant software requirements with any confidence and that domain experts are an absolute necessity. When working together as a team, graduate-level software engineers make extremely conservative legal implementation readiness decisions. Furthermore, we observe that the legal requirements metrics discussed in this dissertation can be used to improve legal implementation readiness decisions. These findings, along with legal and ethical concerns, make the study of legal compliance in software engineering a critical area for continued research.

[1] Pub. L. No. 104-191, 110 Stat. 1936 (1996).
[2] http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html
[3] http://www.hhs.gov/news/press/2011pres/02/20110222a.html
[4] Legally implementation ready requirements are requirements that have met or exceeded their obligations under relevant laws and regulations.
Keywords/Search Tags: Requirements, Legal, HIPAA, Regulations, Compliance, Software, HHS, Implementation