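% BP09 -- Breaux and Powers, ITNG 2009: acquiring BPMN business process models
% from legal text for compliance, with examples drawn from HIPAA.
% NOTE(review): the source record had an empty pages field, which makes
%   BibTeX/Biber warn about an empty field. It is omitted here; add the page
%   range once it has been verified against the proceedings.
% NOTE(review): address holds the publisher city and location the conference
%   venue. biblatex treats address as an alias of location, so the two may
%   collide there -- confirm which toolchain consumes this file.
@inproceedings{BP09,
  author      = {Breaux, Travis D. and Powers, Calvin},
  affiliation = {North Carolina State University},
  title       = {Early Studies in Acquiring Evidentiary, Reusable Business Process Models from Laws for Legal Compliance},
  booktitle   = {ITNG'09: Proceedings of the 6th International Conference on Information Technology: New Generations},
  year        = {2009},
  month       = apr,
  publisher   = {IEEE},
  address     = {New York, NY, USA},
  location    = {Las Vegas, Nevada},
  abstract    = {Government laws and regulations impose legal requirements on information practices in healthcare and finance. These requirements govern the use and disclosure of information across organizations and their business practices. To comply with the law, organizations must demonstrate that they have verifiable procedures in-place to implement these requirements. This paper surveys our experiences acquiring business process models expressed in the Business Process Model Notation (BPMN) using a systematic method. The method requires business process owners to classify regulatory statements using a legal ontology to identify legal requirements. The itemized requirements can then be used to specify elements in a business process model to demonstrate due diligence under the law. The contributions of this paper include lessons learned while acquiring the model with attention to traceability, distinguishing between legally expressed and implied activities and implementing legally imposed deadlines and suspensions. We discuss the lessons learned with examples from the U.S. Health Insurance Portability and Accountability Act (HIPAA).},
}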