Early Studies in Acquiring Evidentiary, Reusable Business Process Models for Legal Compliance

Government laws and regulations impose legal requirements on information practices in healthcare and finance. These requirements govern the use and disclosure of information across organizations and their business practices. To comply with the law, organizations must demonstrate that they have verifiable procedures in place to implement these requirements. This paper surveys our experiences acquiring business process models expressed in the Business Process Modeling Notation (BPMN) using a systematic method. The method requires business process owners to classify regulatory statements using a legal ontology to identify legal requirements. The itemized requirements can then be used to specify elements in a business process model to demonstrate due diligence under the law. The contributions of this paper include lessons learned while acquiring the model, with attention to traceability, to distinguishing between legally expressed and implied activities, and to implementing legally imposed deadlines and suspensions. We discuss the lessons learned with examples from the U.S. Health Insurance Portability and Accountability Act (HIPAA).
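The pipeline the abstract describes (classify statements against a legal ontology, derive itemized requirements, map them onto BPMN elements, keep traceability, distinguish expressed from implied activities, and realise deadlines and suspensions) can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the paper or its authors. It assumes a four-modality ontology (right, obligation, permission, refrainment), a regex heuristic for picking the actor, action and deadline out of a statement, a fixed mapping from modality to BPMN-style element kind, and four constructed statements loosely modeled on a right of access; the citations `§A.1`..`§A.4`, the wording and the 30-day figures are invented for the example and are not quoted from HIPAA.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

class Modality(Enum):
    OBLIGATION = "obligation"    # must / shall
    PERMISSION = "permission"    # may
    REFRAINMENT = "refrainment"  # must not / shall not / may not
    RIGHT = "right"              # has a right to / is entitled to

# Checked in order, so "must not" is classified before the bare "must" pattern fires.
_MODALS = [
    (re.compile(r"\b(must not|shall not|may not)\b"), Modality.REFRAINMENT),
    (re.compile(r"\b(must|shall)\b"), Modality.OBLIGATION),
    (re.compile(r"\b(has a right to|is entitled to)\b"), Modality.RIGHT),
    (re.compile(r"\bmay\b"), Modality.PERMISSION),
]
_DEADLINE = re.compile(r"\b(?:within|no later than|by) (\d+) days\b")
# BPMN-style element kind per modality (a mapping assumed by this example, not the paper's).
_KIND = {Modality.RIGHT: "start", Modality.OBLIGATION: "task",
         Modality.PERMISSION: "optional_task", Modality.REFRAINMENT: "constraint"}

@dataclass
class Requirement:
    req_id: str
    cite: str                        # regulatory citation: the trace link back to the text
    modality: Modality
    actor: str
    action: str
    deadline_days: int | None = None
    implied_from: str | None = None  # set only on analyst-added implied activities

@dataclass
class Element:
    elem_id: str
    kind: str         # start | task | optional_task | timer | constraint
    name: str
    trace: list[str]  # requirement ids that justify this element

def classify(req_id: str, cite: str, text: str) -> Requirement:
    """Heuristic: text before the modal verb is the actor, the rest is the action."""
    for pattern, modality in _MODALS:
        m = pattern.search(text)
        if m:
            dl = _DEADLINE.search(text)
            return Requirement(req_id, cite, modality, text[:m.start()].strip().rstrip(","),
                               text[m.end():].strip().rstrip("."), int(dl.group(1)) if dl else None)
    raise ValueError(f"{cite}: no modal verb in {text!r}")

def to_process(reqs: list[Requirement]) -> list[Element]:
    """Map each requirement to an element; a deadline adds a timer with an ISO 8601 duration."""
    elems: list[Element] = []
    for r in reqs:
        kind = _KIND[r.modality]
        elems.append(Element(f"{kind}_{r.req_id}", kind, f"{r.actor}: {r.action}", [r.req_id]))
        if r.deadline_days is not None:
            elems.append(Element(f"timer_{r.req_id}", "timer", f"P{r.deadline_days}D", [r.req_id]))
    return elems

def trace_gaps(reqs: list[Requirement], elems: list[Element]) -> list[str]:
    """Two-way traceability: elements cite known requirements, implied requirements have an
    expressed parent, and every requirement is realised by at least one element."""
    by_id = {r.req_id: r for r in reqs}
    gaps = [f"{e.elem_id} traces to unknown requirement {t}"
            for e in elems for t in e.trace if t not in by_id]
    for r in reqs:
        parent = by_id.get(r.implied_from) if r.implied_from else None
        if r.implied_from and (parent is None or parent.implied_from):
            gaps.append(f"{r.req_id} is implied but has no expressed parent")
    covered = {t for e in elems for t in e.trace}
    return gaps + [f"{r.req_id} ({r.cite}) has no process element"
                   for r in reqs if r.req_id not in covered]

@dataclass
class Deadline:
    """Legal deadline whose clock pauses during suspensions (e.g. awaiting a clarification)."""
    start: date
    days: int
    suspensions: list[tuple[date, date]] = field(default_factory=list)

    def due(self) -> date:
        paused = sum((end - begin).days for begin, end in self.suspensions)
        return self.start + timedelta(days=self.days + paused)

# Constructed statements loosely modeled on a right of access; the citations, wording and
# numbers are invented for this example and are not quoted from HIPAA.
STATEMENTS = [
    ("R1", "§A.1", "An individual has a right to inspect and obtain a copy of protected health information about the individual."),
    ("R2", "§A.2", "The covered entity must act on a request for access within 30 days of receipt."),
    ("R3", "§A.3", "The covered entity may extend the time to act once, by 30 days, if it gives the individual a written statement of the reasons."),
    ("R4", "§A.4", "The covered entity must not disclose psychotherapy notes in response to a request for access."),
]

def build_model() -> tuple[list[Requirement], list[Element]]:
    reqs = [classify(*s) for s in STATEMENTS]
    # Implied activity: the 30-day clock cannot run unless the receipt date is recorded.
    reqs.append(Requirement("R5", reqs[1].cite, Modality.OBLIGATION, "The covered entity",
                            "record the date the request was received", implied_from="R2"))
    return reqs, to_process(reqs)
```

Two design points matter for evidentiary use. First, every `Element` carries the `req_id` of the requirement that justifies it, and every implied requirement (here `R5`, recording the receipt date) carries the `cite` of the expressed requirement it serves, so `trace_gaps` can show an auditor both that nothing in the process is unexplained and that nothing in the regulation is unimplemented. Second, the deadline is a first-class object rather than a number in a task name: `Deadline(date(2008, 3, 3), 30).due()` is 2 April 2008, and a seven-day suspension while the requester clarifies the request moves it to 9 April, which is what the process has to be able to show if the timing is ever challenged.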
