Abstract

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of rules to be followed by health plans, doctors, hospitals, and other healthcare providers in the U.S. The HIPAA privacy rules create national standards to protect individuals’ health information. Recently, there have been increasing demands for, and discussions about, Web services-based healthcare applications. It is, therefore, necessary for the HIPAA privacy rules to be standardized in Web services. However, so far no comprehensive solutions to the various privacy issues have been defined in this area. This paper summarizes the HIPAA privacy rules and surveys the topic of protecting health data privacy under HIPAA. We propose a vocabulary-based Web services privacy framework that uses Role-based Access Control (RBAC) with privacy extensions, and we argue that such a framework is HIPAA-compliant. For illustration, we present the first two HIPAA rules in the extended RBAC model and embed them into the HIPAA-compliant technical architecture for the implementation of Web services.
