It has been estimated that 55 percent of the cost of any compliance program is due to staffing and training[1]. Therefore, semi-automation or full automation of compliance processes can be a critical path to lowering overall compliance costs for large enterprises. One possible way to semi-automate a compliance function is to use modeling tools to map out business processes and then apply regulatory databases as “gatekeepers” that keep those processes in compliance with applicable laws, regulations and corporate policies. Since non-programmer business executives are likely to have valuable insight into the key corporate business functions, tools need to be available for them to convey their knowledge to the IT department. For example, the Object Management Group (OMG)[2] Unified Modeling Language (UML) can be used by non-programmers to map out key use cases, sequence diagrams and class diagrams that the IT department can then use to design the needed semi-automated compliance infrastructure. A good primary text explaining this process is Magnus Penker and Hans-Erik Eriksson, Business Modeling With UML: Business Patterns at Work (John Wiley & Sons 2000).

As an example of how a compliance officer could make use of this approach, the following are simple UML diagrams for a compliance engine designed to facilitate the querying of a database of state medical privacy laws that are not preempted by the Health Insurance Portability and Accountability Act (HIPAA) because they are more protective of the patient’s privacy than the HIPAA Privacy Rule[3]. An example of such a database is the one created by the BlueCross BlueShield Association[4]. The steps embodied in the rules engine to be built from the UML diagrams are (1) identify the process covered by the HIPAA Privacy Rule, (2) identify the HIPAA and state privacy law rules applicable to that process, (3) apply a choice-of-law analysis to eliminate the laws of states not relevant to the process, (4) rank the provisions of the remaining states from most protective and comprehensive to least, eliminating duplicative requirements, and (5) apply the HIPAA preemption protocol to arrive at the HIPAA rule plus the surviving state privacy rules. This schema contemplates the use of at least four regulatory databases.

Although this model HIPAA Preemption Engine speeds up the process of querying and applying a database of state medical privacy laws not preempted by HIPAA, it does not fully automate the process to the point of enabling real-time “gatekeeper” functionality. However, using such an engine to semi-automate compliance functions such as the HIPAA preemption analysis should reduce manual reviews and therefore reduce overall staffing costs. This approach may become increasingly relevant given the potential passage by Congress of laws creating a Consumer Financial Protection Agency, which would likely involve federal preemption of state consumer protection laws except where the state laws are more protective of the consumer[6].
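As an added illustration, not part of this note and not the code of any actual preemption engine, the five steps above as a small rules engine in Python. The states (AA, BB, CC), the rules, their topics and the numeric "protection" scores are constructed sample data, and the "a state rule survives only if it is more protective than the HIPAA rule on the same topic" test is a deliberate simplification of the real preemption analysis.

```python
# Toy HIPAA Preemption Engine (added example; all data below is constructed).
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source: str       # "HIPAA" or a (fictional) state code
    process: str      # business process the rule covers, e.g. "disclosure"
    topic: str        # requirement the rule addresses; used to spot duplicates
    protection: int   # constructed score: higher = more protective of the patient


# Constructed stand-ins for the federal and state regulatory databases (step 2 inputs).
HIPAA_RULES = [Rule("HIPAA", "disclosure", "consent", 2),
               Rule("HIPAA", "disclosure", "accounting", 2)]
STATE_RULES = [
    Rule("AA", "disclosure", "consent", 3),     # stricter than HIPAA: survives preemption
    Rule("BB", "disclosure", "consent", 3),     # duplicates AA's requirement: dropped in step 4
    Rule("BB", "disclosure", "accounting", 1),  # weaker than HIPAA: preempted in step 5
    Rule("CC", "disclosure", "consent", 4),     # state not tied to the process: choice of law drops it
    Rule("AA", "marketing", "consent", 5),      # different process: not applicable
]


def preemption_engine(process, involved_states, hipaa_rules=HIPAA_RULES, state_rules=STATE_RULES):
    """Return the governing rules for `process`: HIPAA rules plus surviving state rules."""
    # Steps 1-2: identify the process and the HIPAA / state rules applicable to it.
    federal = [r for r in hipaa_rules if r.process == process]
    state = [r for r in state_rules if r.process == process]
    # Step 3: choice of law - keep only states connected to the process.
    state = [r for r in state if r.source in involved_states]
    # Step 4: rank most protective first and eliminate duplicative requirements
    # (same topic at the same level of protection).
    state.sort(key=lambda r: r.protection, reverse=True)
    seen, ranked = set(), []
    for r in state:
        if (r.topic, r.protection) not in seen:
            seen.add((r.topic, r.protection))
            ranked.append(r)
    # Step 5: preemption protocol - a state rule survives only if it is more
    # protective than the HIPAA rule on the same topic (no HIPAA rule: floor 0).
    floor = {r.topic: r.protection for r in federal}
    survivors = [r for r in ranked if r.protection > floor.get(r.topic, 0)]
    return federal + survivors


if __name__ == "__main__":
    for r in preemption_engine("disclosure", {"AA", "BB"}):
        print(r.source, r.topic, r.protection)
```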

Use Case Diagram for the HIPAA Preemption Issue Compliance Engine (Query Version)

Sequence Diagram for the HIPAA Preemption Compliance Engine (Query Version)

HIPAA Preemption Issue Compliance Engine (Query Version) Class Diagram

---------------------------------------------------- 

[1] See Virginia Garcia, “Seven Points Financial Institutions Should Know About IT Spending For Compliance”, Journal of Financial Regulation and Compliance (Vol. 12, Issue 4, 2004).

[2] See http://www.omg.org.

[3] See the New York State analysis of state privacy laws not preempted by HIPAA, at http://www.health.state.ny.us/nysdoh/hipaa/hipaa_preemption_charts.htm.

[4] See http://www.ahip.org/content/pressrelease.aspx?docid=240.

[5] See, e.g., http://www.ihaonline.org/hipaa/HIPAA%20Site/leg%20adv%209-24.pdf.

[6] See, e.g., http://www.sonnenschein.com/practice_areas/financial_crisis/pub_detail.aspx?id=52882&type=E-Alerts.