Analyzing privacy requirements: A case study of healthcare in Saudi Arabia

Abstract

Developing legally compliant systems is a challenging software engineering problem, especially in systems that are governed by law, such as healthcare information systems. This challenge comes from the ambiguities and domain-specific definitions that are found in governmental rules. Therefore, there is a significant business need to automatically analyze privacy texts, extract rules and subsequently enforce them throughout the supply chain. The existing works that analyze health regulations use the U.S. Health Insurance Portability and Accountability Act as a case study. In this article, we applied the Breaux and Antón approach to the text of the Saudi Arabian healthcare privacy regulations; in Saudi Arabia, privacy is among the top dilemmas for public and private healthcare practitioners. As a result, we extracted and analyzed 2 rights, 4 obligations, 22 constraints, and 6 rules. Our analysis can assist requirements engineers, standards organizations, compliance officers and stakeholders by ensuring that their systems conform to Saudi policy. In addition, this article discusses the threats to the study validity and suggests open problems for future research.