Toward a Privacy Preserving HIPAA-compliant Access Control Model for Web Services

Most of the modern health-related information is collected, maintained, and accessed through computerized systems. However, the interaction with this information needs to comply with the U.S. federal regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Due to the complexity of healthcare regulations, it's not easy to deploy a complaint system, especially for heterogeneous systems designed to allow data transfer and communication. Web services can be used to solve the problem of incompatible systems intercommunication; however, a generic model for HIPAA enforcement is required. In this paper we propose a generic HIPAA complaint privacy access control model for web services that can be easily applied to any existing covered entity web services.