DocumentCode
3668652
Title
Formally expressing HIPAA privacy policies for web services
Author
Tariq Alshugran;Julius Dichter;Miad Faezipour
Author_Institution
Department of Computer Science and Engineering, University of Bridgeport, CT 06604, USA
fYear
2015
fDate
5/1/2015 12:00:00 AM
Firstpage
295
Lastpage
299
Abstract
Healthcare software applications are designed to collect, store, and manage patients' personal and medical information. Such applications are required to maintain the patients' privacy and to comply with the privacy laws and regulations. In the United States, patients' privacy is protected with federal regulations, more specifically the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its amendments. To guarantee compliance with HIPAA, the software application must have a decision engine which should be consulted before any operation is carried on the patients' information to determine the operation validity and compliance. This decision engine will use HIPAA privacy rules in the decision making process, which triggers the need to formally express HIPAA privacy rules in the form of formal privacy policies. In this work, we evaluate the potential languages that can be used to formally express the extracted HIPAA privacy policies. Also, we expose any required extensions to the specification language features to support the decision engine logic.
Keywords
"Privacy","Web services","Access control","Engines","XML","Specification languages","Standards"
Publisher
ieee
Conference_Titel
Electro/Information Technology (EIT), 2015 IEEE International Conference on
Electronic_ISBN
2154-0373
Type
conf
DOI
10.1109/EIT.2015.7293356
Filename
7293356