The ARBAC97 model for role-based administration of roles: preliminary description and outline
RBAC '97 Proceedings of the second ACM workshop on Role-based access control
A scenario-driven role engineering process for functional RBAC roles
SACMAT '02 Proceedings of the seventh ACM symposium on Access control models and technologies
Purpose based access control of complex data for privacy protection
Proceedings of the tenth ACM symposium on Access control models and technologies
Privacy-aware role based access control
Proceedings of the 12th ACM symposium on Access control models and technologies
VLDB '02 Proceedings of the 28th international conference on Very Large Data Bases
A Purpose-Based Access Control Model
IAS '07 Proceedings of the Third International Symposium on Information Assurance and Security
Purpose based access control for privacy protection in relational database systems
The VLDB Journal — The International Journal on Very Large Data Bases
A role-based XACML administration and delegation profile and its enforcement architecture
Proceedings of the 2009 ACM workshop on Secure web services
A novel use of RBAC to protect privacy in distributed health care information systems
ACISP'03 Proceedings of the 8th Australasian conference on Information security and privacy
Consistency checking in privacy-aware access control
Proceedings of the 51st ACM Southeast Conference
Hi-index | 0.00 |
Health care entities publish privacy polices that are aligned with government regulations such as Health Insurance Portability and Accountability Act (HIPPA) and promise to use and disclose health data according to the stated policies. However actual practices may deliberately or unintentionally violate these policies. To ensure enforcement of such policies and ultimately HIPAA compliancy there is a need to develop an enforcement mechanism. In this paper we extend our work on IT-enforceable policies, submitted to the International Journal of Medical Informatics. The submitted work involved a detailed analysis of HIPPA privacy rules to extract object related conditions needed to make a disclosure decision. In this paper we extend this work to propose machine enforceable policies that embody HIPAA privacy disclosure rules and a health care entity access control rules. We also propose a comprehensive access/privacy control architecture that enforces the proposed polices. The architectural model is designed to allow for a dynamic configuration of policies without reconfiguring the architecture responsible for enforcement. Both the proposed policies and the architecture allow for multiple stakeholders to adjust the privacy preferences to manage the disclosure of data by adjusting the designated parameters in their respective policies. The objective of this study is to provide a comprehensive model for privacy protection, access and logging of PHI, that is HIPAA compliant.