Health Insurance Portability and Accountability Act (HIPPA) Compliant Access Control Model for Web Services

International Journal of Healthcare Information Systems and Informatics (IJHISI)

Volumn 1, Issue 1, 2006, Pages 22-39

  Cheng, Vivying S Y ^a   Hung, Patrick C K ^b  

^a HONG KONG UNIVERSITY OF SCIENCE AND TECHNOLOGY   (Hong Kong)

^b UNIVERSITY OF ONTARIO INSTITUTE OF TECHNOLOGY   (Canada)

Author keywords

access control; health information management; healthcare information systems; healthcare infrastructure; healthcare privacy issues; privacy protection; privacy regulations; Web enabled healthcare

Indexed keywords

EID: 85001817360     PISSN: 15553396     EISSN: 1555340X     Source Type: Journal    
DOI: 10.4018/jhisi.2006010102     Document Type: Article

References (39)

1. Agrawal, R., Kini, A., LeFevre, K., Wang, A., Xu, Y., & Zhou, D. (2004, June 13–18). Managing healthcare data hippocratically. In Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data, Paris (pp.947–948). New York: ACM Press.
2. Alaoui, A., Levine, B., Cleary, K., & Mun, S. K. (2000, November 9–10). Development of a secure medical research environment. In Proceedings of the 2000 IEEE EMBS International Conference on Information Technology Applications in Biomedicine, Arlington, VA (pp.44–49). Washinngton, DC: ISIS.
3. APPEL. (2002). A P3P preference exchange language 1.0 (APPEL1.0) (Working Draft). World Wide Web Consortium (W3C). Retrieved on April 15, 2002, from http://www.w3.org/TR/P3P-preferences/
4. Apshankar, K. (2002). Web services solution for HIPAA compliance using J2EE-based Web services. Web Services Architect. Retrieved on May 15, 2002, from http://www.webservicesarchitect.com/content/ar-ticles/apshankar02.asp
5. Bennett, C. J. (1997). Arguments for the standardization of privacy protection policy: Canadian initiatives and American and international responses. Government Information Quarterly, 14(4), 351–362.
6. Cattaneo, G., Faruolo, P., Petrillo, U. F., & Persiano, G. (2004, June 6–9). Providing privacy for Web services by anonymous group identification. In Proceedings of IEEE International Conference on Web Services 2004 (pp.166–173). Washington, DC: IEEE Computer Society.
7. Cheng, V. S. Y., & Hung, P. C. K. (2005, July 19–22). Towards an integrated privacy framework for HIPAA-compliant Web services. In Proceedings of the 2005 IEEE International Conference on E-Commerce Technology, Munich, Germany (pp. 480–483). Washington, DC: IEEE Computer Society.
8. Coyn, E. J., Page, A. B., Davis, J. M., & Rota, D. D. (2004). Role standards in healthcare. Document from the US Department of Veterans Affairs, Role Engineering Process Web site. Retrieved on May 26, 2005, from http://www.va.gov/rbac/docs/RoleStandards inHealthcare.doc
9. Ferraiolo, D. F., Kuhn, D. R., & Chandramouli, R. (2003). Role-based access control, Computer security series. Artech House Publishers.
10. Fischer-Hubner, S. (2001). IT-security and privacy. Lecture Notes on Computer Science, 1958.
11. HIPAA. (2005). Medical privacy: National standards to protect the privacy of personal health information. U.S. Department of Health & Human Services (HSS). Retrieved on April 18, 2005, from http://www.hhs.gov/ocr/hipaa/
12. HL7. (2004). HIPAA claims and attachments preparing for regulation. Retrieved on May 31, 2004, from http://www.hl7.org/memonly/downloads/Attachment_Specifications/HIPAA_and_Claims_Attachments_White_Paper_20040518.pdf
13. HL7. (2005). HL7 RBAC healthcare permission catalog. Retrieved on April 2005, from http://www.va.gov/rbac/docs/HL7RBACHealthcarePermissionCatalogv1.0.doc
14. Hooda, J. S., Dogdu, E., & Sunderraman, R. (2004, March 14–17). Health Level-7 compliant clinical patient records system. In Proceedings of the 2004 ACM Symposium on Applied Computing, Nicosia, Cyprus (pp. 259–263). New York: ACM Press.
15. HSS. (2004). Protecting personal health information in research: Understanding the HIPAA privacy rule. U.S. Department of Health & Human Services (HSS). Retrieved on July 13, 2004, from http://privacyruleandresearch.nih.gov/pr_02.asp
16. Hung, P. C. K., Ferrari, E., & Carminati, B. (2004, June 6–9). Towards standardized Web services privacy technologies. In Proceedings of the 2004 IEEE International Conference on Web Services (pp.174–181). Washington, DC: IEEE Computer Society. Retrieved from http://dx.doi.org/10.1109/ICWS.2004.116
17. IBM. (2003). Enterprise Privacy Authorization Language (EPAL) (IBM Research Report). Retrieved on June 12, 2003, from http://www.zurich.ibm.com/security/enterprise-privacy/epal
18. IBM and Microsoft. (2002). Security in a Web Services world: A proposed architecture and roadmap (White Paper, Version 1.0). Retrieved on April 7, 2002, from http://www-106.ibm.com/developerworks/library/ws-secmap/
19. IMIA. (2001). A code of ethics for professionals (HIPs). International Medical Informatics Association (IMIA). Retrieved on March 31, 2001, from http://www.imia.org/ pubdocs/Code_of_ethics.pdf
20. Jepsen, T. (2003). IT in healthcare: Progress report, IT Professional, 5(1), 8–14.
21. Leino-Kilpi, H., Valimaki, M., Dassen, T., Gasull, M., Lemonidou, C., Scott, A., & Arndt, M. (2001). Privacy: A review of the literature. International Journal of Nursing Studies, 38, 663–671.
22. Louwerse, K. (1998). The electronic patient record; The management of access — Case study: Leiden University Hospital. International Journal of Medical Informatics, 49(1), 39–44.
23. May, T. T. (1998, October 12–14). Medical information security: The evolving challenge. In Proceedings of the 32nd Annual 1998 International Carnahan Conference on Security Technology, Alexandria, VA (pp.8592).
24. NIST. (2005). Role based access control standards roadmap. National Institute of Standard and Technology (NIST). Retrieved on May 18, 2005, from http://csrc.nist.gov/rbac/rbac-stds-roadmap.html
25. OASIS. (2002). UDDI Version 3.0, universal description, discovery and integration (UDDI) spec technical committee specification. Retrieved on July 19, 2002, from http://uddi.org/pubs/uddi-v3.00-published-20020719.htm
26. Osborn, S., Sandhu, R., & Munawer, Q. (2000). Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and Systems Security (TISSEC), 3(2), 85–106.
27. Powers, C. S., Ashley, P., & Schunter, M. (2002, October 18–19). Privacy promises, access control, and privacy management — Enforcing privacy throughout an enterprise by extending access control. In Proceedings of the Third International Symposium on Electronic Commerce (pp. 13–21). Washington, DC: ISEC.
28. Rezgui, A., Ouzzani, M., Bouguettaya, A., & Medjahed, B. (2002, November 8). Preserving privacy in Web services. In Proceedings of the Fourth International Workshop on Web Information and Data Management, McLean, VA (pp. 56–62). New York: ACM Press.
29. Senicar, V., Jerman-Blazic, B., & Klobucar, T. (2003). Privacy-enhancing technologies — Approaches and development. Computer Standards & Interfaces, 25, 147–158.
30. Schoeman, E. D. (1984). Philosophical dimensions of privacy: An anthology. New York, NY: Cambridge University Press.
31. Steger, H. (2004). New opportunities for Web services technology: New laws create new needs. Web Services Journal. Retrieved October 1, 2004, from http://www.findarticles.com/p/articles/mi_m0MLV/is_10_4/ai_n7073760
32. University of Miami Ethics Programs. (2005). Privacy standard/rule (HIPAA). Retrieved on May 12, 2005, from http://privacy.med.miami.edu/glossary/xd_privacy_stds.htm
33. W3C. (2002a). The platform for privacy preferences 1.0 (P3P1.0) specification (Recommendation). World Wide Web Consortium (W3C). Retrieved on April 16, 2002, from http://www.w3.org/TR/P3P/
34. W3C. (2002b). Web services description language (WSDL), Version 1.2 (Working Draft). World Wide Web Consortium (W3C). Retrieved on July 9, 2002, from http://www.w3.org/TR/2002/WD-wsdl12–20020709/
35. W3C. (2002c). Web services architecture usage scenarios (Working Draft). World Wide Web Consortium (W3C). Retrieved on July 30, 2002, from http://www.w3.org/TR/2002/WD-ws-archscenarios-20020730/
36. W3C. (2002d). Web services architecture requirements (Working Draft). World Wide Web Consortium (W3C). Retrieved on November 14, 2002, from http://www.w3.org/TR/2002/WD-wsa-reqs-20021114
37. W3C. (2003a). SOAP Version 1.2 Part 1: Messaging framework (Proposed Recommendation). World Wide Web Consortium (W3C). Retrieved on May 7, 2003, from http://www.w3c.org/TR/2003/PR-soap12-part1–20030507/
38. W3C. (2003b). SOAP Version 1.2 part 2: Adjuncts (Proposed Recommendation). World Wide Web Consortium (W3C). Retrieved on May 7, 2003, from http://www.w3.org/TR/2003/PR-soap12-part2–20030507/
39. Yee, G., & Korba, L. (2004, June 6–9). Privacy policy compliance for Web services. In Proceedings of IEEE International Conference on Web Services (pp.158–165). Washington, DC: IEEE Computer Society.