A comprehensive privacy-aware authorization framework founded on HIPAA privacy rules

Health care entities publish privacy polices that are aligned with government regulations such as Health Insurance Portability and Accountability Act (HIPPA) and promise to use and disclose health data according to the stated policies. However actual practices may deliberately or unintentionally violate these policies. To ensure enforcement of such policies and ultimately HIPAA compliancy there is a need to develop an enforcement mechanism. In this paper we extend our work on IT-enforceable policies, submitted to the International Journal of Medical Informatics. The submitted work involved a detailed analysis of HIPPA privacy rules to extract object related conditions needed to make a disclosure decision. In this paper we extend this work to propose machine enforceable policies that embody HIPAA privacy disclosure rules and a health care entity access control rules. We also propose a comprehensive access/privacy control architecture that enforces the proposed polices. The architectural model is designed to allow for a dynamic configuration of policies without reconfiguring the architecture responsible for enforcement. Both the proposed policies and the architecture allow for multiple stakeholders to adjust the privacy preferences to manage the disclosure of data by adjusting the designated parameters in their respective policies. The objective of this study is to provide a comprehensive model for privacy protection, access and logging of PHI, that is HIPAA compliant.