Part of this legislation is the HIPAA Privacy Rule, which provides federal protections for individually identifiable health information. The security requirements that accompany it are set out in the Code of Federal Regulations (CFR) Title 45, Part 164, whose sections fall into six categories:
- Security standard
- Administrative safeguard
- Physical safeguard
- Technical safeguard
- Organizational requirements
- Policies, procedures and documentation requirements
The regulation gives only brief descriptions of these requirements. Organizations are responsible for interpreting them and selecting controls that satisfy each one, and this has been a major challenge. Some organizations have found that implementing a management system according to ISO 27001 helps them define and simplify the processes behind their compliance efforts.
ISO 27001 and HIPAA?
ISO 27001 specifies a management system for organizing and controlling information security, which is the core concern of the HIPAA Security Rule. In fact, ISO 27001 addresses approximately 95% of HIPAA's requirements. The framework is flexible: an organization selects the Annex A controls that apply to its business, and it can add controls not defined in ISO 27001 to cover the remaining 5% of HIPAA requirements. ISO 27001 lists 133 controls in Annex A (the count in the 2005 edition; later editions revise the list), and ISO 27002 provides guidance on implementing them. With a defined control catalogue and implementation guidance in hand, ISO 27001 is considerably easier to implement than an unstructured interpretation of HIPAA.
Finally, there is no certification scheme for HIPAA. Claims of compliance rest on self-assessment or on assessments performed by consultants, and the credibility of such claims is often challenged. ISO 27001 certificates, by contrast, are issued by certification bodies that are themselves accredited, in the United States by the ANSI National Accreditation Board (ANAB). An organization holding an ISO 27001 certificate therefore has more credible evidence to support its HIPAA compliance claims.