The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a U.S. federal law meant to protect sensitive electronic protected health information (ePHI). Every healthcare organization (“covered entity”) must comply with its two fundamental rules.
- The Privacy Rule sets conditions on the use and disclosure of ePHI without patients’ authorization.
- The Security Rule mandates that covered entities implement appropriate safeguards to protect ePHI.
In 2013, the U.S. Department of Health and Human Services (HHS) passed the HIPAA Omnibus Final Rule, which expanded compliance requirements to the business associates that also handle ePHI on behalf of covered entities.
Among the many internationally agreed-upon ISO standards, ISO/IEC 27001 is the one that specifies the requirements for an information security management system (ISMS). By adopting this standard, organizations can better protect and manage their valuable intellectual property, financial data, customer data, and other sensitive information.
While both HIPAA and ISO 27001 are about protecting information, they differ in the scope and type of information they are meant to protect. ISO 27001 is about protecting all data, while HIPAA refers explicitly to the protection of ePHI only.
Many organizations looking to achieve HIPAA compliance can simplify the process by mapping HIPAA requirements to ISO 27001 controls. This article explains how they can do this mapping.
HIPAA compliance vs. ISO 27001
Should organizations implement both HIPAA and ISO 27001? Is one better than the other?
Many organizations benefit from following both HIPAA and ISO 27001. In some cases, they are required to follow both. So whether they implement one or both depends on the organization and its industry or area of operations.
For instance, a healthcare organization or its business associates that handle ePHI must comply with HIPAA, which is a law and leaves no room for non-compliance. Further, since medical data is sensitive and must be protected from cybersecurity threats, the organization must also comply with ISO 27001.
In general, non-healthcare organizations that don’t collect or process ePHI don’t have to comply with HIPAA. However, U.S.-based healthcare organizations and any third party that works with such organizations must comply with HIPAA.
On the other hand, achieving ISO 27001 compliance can be beneficial for organizations in any industry since it proves that the organization is secure and trustworthy. Compliance can enhance its reputation and lower the possibility of financial damages and other penalties resulting from IT security incidents or data breaches.
5 HIPAA Requirements to Map to ISO 27001 Controls
ISO 27001:2013 consists of 114 security controls. Of these, at least 47 can be leveraged to comply with HIPAA requirements. Here are 5 HIPAA requirements that can be mapped to ISO 27001 control objectives to reduce the HIPAA compliance burden.
Map HIPAA Requirement 164.308(a)(2) Assigned Security Responsibility to ISO 27001 Control: A.6.1.1 Information Security Roles and Responsibilities
HIPAA requirement 164.308(a)(2) refers to assigning security responsibility. It specifies how the covered entity or business associate should identify the security official responsible for developing and implementing the policies and procedures to protect ePHI.
This requirement can be mapped to ISO 27001 control A.6.1.1. This control says that the ownership of information assets should be considered when identifying and allocating information security responsibilities. The objective is to make clear who is responsible for which information, taking into account the organization’s size and nature.
Map HIPAA Requirement 164.308(a)(5) Security Awareness and Training to ISO 27001 Control: A.7.2.2 Information Security Awareness, Education, and Training
HIPAA 164.308(a)(5) requires covered entities to implement a security awareness and training program for the entire workforce.
ISO A.7.2.2 suggests that the organization’s training program should include an information security awareness plan, aligning with its information security policies and procedures. It should account for the information to be protected and the controls that will help with this goal. A comprehensive awareness plan includes in-house training and awareness-raising events such as information booklets, presentations, Intranet, videos, gatherings, etc.
Map HIPAA Requirement 164.310(b) Workstation Use to ISO 27001 Control A.8.1.3 Acceptable Use Of Assets
HIPAA 164.310(b) specifies rules regarding how workstations used by a covered entity can access ePHI. It requires covered entities to implement appropriate policies and procedures that determine which functions can be performed by workstations and also specifies the physical attributes of the surroundings of those workstations.
ISO A.8.1.3 suggests that the rules for acceptable asset use must be documented and consider everyone who has access to information assets, including employees, temporary staff, contractors, and other third parties. This control also states that all relevant parties must have access to and be trained on these acceptable use rules.
Map HIPAA Requirement 164.308(a)(4) Information Access Management to ISO 27001 A.9.1 Business Requirements of Access Control and A.9.2 User Access Management
HIPAA 164.308(a)(4) requires covered entities to implement policies and procedures for authorizing access to ePHI. Moreover, these policies must be consistent with the requirements of Part 164, Subpart E, which contains the data protection and privacy rules.
Annex A.9.1 of ISO 27001 aims to limit access to information and information processing facilities. Control 9.1.1 is about establishing, documenting, and reviewing the organization’s access control policy. This security policy should reflect the company’s information security risks and consider the security requirements of its business applications.
HIPAA 164.308(a)(4) should also be mapped to ISO 27001 control A.9.2 to control and manage user access. This is best done with a formal user registration and deregistration process, robust user access provisioning, and management of privileged access rights.
Map HIPAA Requirement 164.312(a)(1) Access Control (to Information Systems) to ISO 27001 A.9.4 System and Application Access Control
Under HIPAA 164.312(a)(1), healthcare organizations must implement technical policies and procedures for any electronic information system that maintains ePHI. Furthermore, these policies should ensure that only authorized persons or software programs can access these systems and ePHI.
ISO 27001 A.9.4 is likewise about controlling access to systems and applications. It comprises five controls:
- Information Access Restriction (A.9.4.1)
- Secure Log-on Procedures (A.9.4.2)
- Password Management System (A.9.4.3)
- Use of Privileged Utility Programs (A.9.4.4)
- Access Control to Any Program Source Code (A.9.4.5)
ISO suggests that these controls should ensure that:
- Access is limited as much as possible
- Source code is kept off operational systems
- Access to source code is restricted
- Robust control procedures are implemented
- Frequent audits and reviews are conducted
Other Possible Mapping of HIPAA Requirements to ISO Controls
| HIPAA Requirement | ISO Control |
| --- | --- |
| 164.310(c): Workstation Security | A.11.2: Equipment |
| 164.312(b): Audit Controls | A.12.7.1: Information Systems Audit Control |
| 164.312(e)(1): Transmission Security | A.13: Communications Security |
| 164.308(a)(6): Security Incident Procedures | A.16: Information Security Incident Management |
| 164.308(a)(7): Contingency Plan | A.17: Information Security Aspects of Business Continuity Management |
| 164.308(a)(8): Evaluation | A.18.2.2: Compliance with Security Policies and Standards; A.18.2.3: Technical Compliance Review |
Stay Secure and Compliant with ZenGRC
Compliance, whether with HIPAA or with ISO 27001, can be an intimidating endeavor. Achieve compliance and stay on top of the evolving regulatory environment with ZenGRC.
ZenGRC provides an integrated and automated system of record to simplify compliance efforts with a single source of truth. Offering complete views of control environments, easy access to information for security program evaluation, plus continual compliance monitoring, ZenGRC makes it easy to address critical compliance tasks at any time.