Requirements for access control: US Healthcare domain

K. Beznosov
ACM Workshop on Role-Based Access Control, published 1998-10-01
DOI: 10.1145/286884.286892 (https://doi.org/10.1145/286884.286892)
Citations: 41

Abstract

The differences in the requirements of disclosing patient information from state to state, the diversity in healthcare providers' business models, the increased rate of mergers, and the upcoming federal regulations in healthcare make access control requirements a moving target for application developers and healthcare enterprise designers and administrators. We suggest two major design principles for access control infrastructure deployed in healthcare enterprises: isolation of the application logic from the authorization logic, and centralized administration of the authorization logic. Application systems and healthcare enterprises constructed according to these two principles will be able to accommodate changes in access control logic and will enforce a uniform access control model across an enterprise. However, the complexity and instability of the healthcare access control model make the task of applying these design principles somewhat difficult. The notion of roles and their hierarchies helps to alleviate the complexity of controlling access to patient data, but it has to be used in conjunction with other information, such as affiliation, relationship, location and so on. We identified the following factors that have to be used to make elaborate authorization decisions in order to comply with patient information disclosure requirements: