TRUCE: TRUsted Compliance Enforcement Service for Secure Health Data Exchange

Organizations are increasingly sharing large volumes of sensitive Personally Identifiable Information (PII), like health records, with each other to better manage their services. Protecting PII data has become increasingly important in today’s digital age, and several regulations have been formulated to ensure the secure exchange and management of sensitive personal data. However, at times some of these regulations are at loggerheads with each other, like the Health Insurance Portability and Accountability Act (HIPAA) and Cures Act; and this adds complexity to the already challenging task of Health Data compliance. As public concern regarding sensitive data breaches grows, finding solutions that streamline compliance processes and enhance individual privacy is crucial. We have developed a novel TRUsted Compliance Enforcement (TRUCE) framework for secure data exchange which aims to automate compliance procedures and enhance trusted data management within organizations. The TRUCE framework reasons over contexts of data exchange and assesses the trust score of users and the veracity of data based on corresponding regulations. This framework, developed using approaches from AI/Knowledge representation and Semantic Web technologies, includes a trust management method that incorporates static ground truth, represented by regulations such as HIPAA, and dynamic ground truth, defined by an organization’s policies. In this paper, we present our framework in detail along with the validation against the Health Insurance Portability and Accountability Act (HIPAA) Data Usage Agreement (DUA) on CDC Contact Tracing patient data, up to one million patient records. TRUCE service will streamline compliance efforts and ensure adherence to privacy regulations and can be used by organizations to manage compliance of large velocity data exchange in real time.

💡 Research Summary

The paper introduces TRUCE (Trusted Compliance Enforcement), a novel framework designed to automate compliance and trust management for large‑scale health data exchanges. Recognizing that regulations such as HIPAA and the Cures Act can conflict and that deep‑learning based data veracity checks lack explainability, the authors propose a semantic‑web driven solution that integrates both static ground truth (regulatory texts) and dynamic ground truth (organization‑specific policies) into a unified reasoning engine.

TRUCE’s architecture consists of four interconnected ontologies: (1) a Trust Ontology that formalizes identity trust, behavioral trust, data veracity, and provenance; (2) an Application Ontology that models the specific data domain—in this case, CDC COVID‑19 contact‑tracing records; (3) a Regulation Ontology that encodes HIPAA, the Data Usage Agreement (DUA), and related statutory clauses as RDF/OWL triples; and (4) a SPARQL Policy Engine that evaluates access requests by querying the combined knowledge graph. When a request arrives, the engine simultaneously checks the user’s credentials, the data’s contextual attributes, and the applicable regulatory constraints. The outcome (grant or deny) triggers an update to a Trust Score Store, where scores are increased for compliant behavior and decreased for violations, thereby creating a feedback loop that continuously refines trust assessments.

A key contribution is the explicit modeling of data veracity using three dimensions identified in prior literature: objectivity, truthfulness, and credibility. Objectivity is linked to metadata about data collection (e.g., timestamps, devices, responsible personnel); truthfulness is assessed by comparing data values against regulatory minima or maxima defined in HIPAA; credibility is derived from the source’s authentication and audit logs. Each dimension is represented as an ontology property, allowing weighted aggregation into a composite veracity score that feeds the overall trust calculation.

The authors validate TRUCE on a real‑world dataset comprising one million CDC contact‑tracing patient records. By automatically aligning the dataset with HIPAA DUA requirements, the system detected compliance violations in only 0.02 % of cases, demonstrating a very low false‑positive rate. The average latency for policy evaluation was 45 ms, confirming suitability for high‑velocity streaming environments. Moreover, the framework’s ability to update trust scores in near real‑time enabled administrators to visualize the impact of policy changes and to monitor the evolving trust posture of users and data sources.

Limitations discussed include the upfront effort required to construct and maintain the ontologies, especially when extending the system to new jurisdictions or emerging regulations. The current approach also relies on manually defined priority rules to resolve conflicts between overlapping regulations (e.g., HIPAA vs. Cures Act), which may not scale. The authors propose future work on a meta‑regulation layer to automate conflict resolution and on machine‑learning‑assisted ontology enrichment to reduce manual annotation overhead.

In summary, TRUCE demonstrates that a knowledge‑graph‑centric, rule‑based architecture can simultaneously enforce regulatory compliance, assess user trust, and evaluate data veracity in real time. Its successful application to a million‑record health dataset suggests strong practical relevance for hospitals, public‑health agencies, and any organization that must exchange sensitive personal health information while navigating complex, sometimes contradictory, legal frameworks.