Integrated privacy decision in BPMN clinical care pathways models using DMN

Personal data is highly affected by the witnessed digital transformation of healthcare processes. This process relies deeply on the connectivity and decentralization of healthcare systems and data repositories. In this context, value creation and quality enhancement are obviously leveraged, however both health providers and individuals could be exposed to many risks ranging from privacy violations to medical identity theft and personal harm. Hence, it is essential that healthcare stakeholders ensure privacy protection and systemic compliance to personal data regulations such as HIPPA (Health Insurance Portability and Accountability Act) and GDPR (General Data Protection Regulation). Taking clinical processes as a starting point is very important to highlight the personal data in use and to assess whether such usage is justifiable and subsequently allow privacy management decisions to be made. In this paper we combine BPMN (Business Process Model and Notation) and DMN (Decision Model and Notation) to model clinical care pathways as standard business processing constituting the hospital information system. Business process modelling presents a useful mean to model clinical care pathways. It allows a complete discovery of data processing scenarios. DMN (Decision Model and Notation) is implemented in BPMN models to present the rules that lead to a decision in easy-to-read tables which are executed directly by a decision engine. In addition, the integration of verifiable security labels of the manipulated data, we make sure compliance to legislation is ensured at the level of decision rules for each decision table of the DMN.