On XACML's adequacy to specify and to enforce HIPAA


In the medical sphere, personal and medical information is collected, stored, and transmitted for various purposes, such as continuity of care, rapid formulation of diagnoses, and billing. Many of these operations must comply with federal regulations like the Health Insurance Portability and Accountability Act (HIPAA). To this end, we need a specification language that can precisely capture the requirements of HIPAA. We also need an enforcement engine that can enforce the privacy policies specified in the language. In the current work, we evaluate eXtensible Access Control Markup Language (XACML) as a candidate specification language for HIPAA privacy rules. We evaluate XACML based on the set of features required to sufficiently express HIPAA, proposed by a prior work. We also discuss which of the features necessary for expressing HIPAA are missing in XACML. We then present high-level designs of how to enhance XACML.


Personal and medical data, HIPAA, enforcement engine, XACML, privacy

Date of this Version

08/2012; In proceedings of: USENIX Workshop on Health Security and Privacy