SQ0: Existing Work and Limitations

Supporting research question

What existing Compliance-as-Code approaches and known limitations are most relevant to healthcare CI/CD compliance automation?

Problem Investigation

Existing Compliance-as-Code tools offer strong policy-as-code patterns, but healthcare regulation introduces context-heavy clauses, legal ambiguity, and audit evidence requirements that are not always directly machine-checkable.

Treatment Design

Build a comparative baseline of existing approaches and evaluate fit for the project context.

Candidate Families

  • Policy engines (for example OPA/Rego).
  • Compliance frameworks and catalogs (for example OSCAL).
  • Infrastructure/compliance testing approaches (for example InSpec).

Comparison Dimensions

  • Expressiveness for healthcare clauses.
  • Traceability from clause to technical control.
  • CI/CD integration complexity.
  • Human-in-the-loop support.
  • Audit evidence quality.

Treatment Validation

Use structured literature and documentation review plus focused expert validation to classify each approach by strengths, limits, and adaptation effort for this project.

Iteration Checkpoints

  • Version 1: Initial comparison table with inclusion/exclusion criteria.
  • Version 2: Add healthcare-specific limitation analysis.
  • Version 3: Confirm architectural implications for SQ1 and SQ2.

Evaluation Boundary

This sub-question identifies suitability and limitations; it does not fully benchmark all tools in production-scale settings.

Evidence Map

  • Literature review notes.
  • Tool documentation excerpts.
  • Comparison matrix with citations.
  • Decision notes that feed SQ1 and SQ2.

Expected Contribution to Main Question

SQ0 constrains the design space and avoids reinventing existing mechanisms where adapting them is sufficient.