Comparison of HIPAA compliance and ISO 27001 certification

All over the world, organizations in the healthcare industry are becoming more and more interested in protecting their patients’ information; but, in the United States, this need goes back to 1996, with the enforcement of HIPAA (Health Insurance Portability and Accountability Act), which regulates the use and disclosure of U.S. citizens’ protected health information.

This article will present how organizations that need to ensure HIPAA compliance can take advantage of ISO 27001, the leading ISO standard for information security management, to fulfill the requirements.

What are the security requirements in HIPAA?

Broadly speaking, HIPAA requirements are defined by two main rules: the Privacy rule and the Security rule. These rules must be followed by any U.S. healthcare provider who transmits health information in electronic form (generally called “covered entities”).

The Privacy rule establishes standards for the use and disclosure of personal health information (called Protected Health Information, or PHI) – information about the present or future physical or mental health or condition of an individual. Examples of established standards are limitation of use and disclosure to the minimum necessary, notification of privacy practices, and adoption of administrative practices (e.g., privacy policies and procedures, definition of responsibilities, training, documentation, records and retention, etc.).

The Security rule establishes standards for the protection of confidentiality, integrity, and availability of PHI that is held or transferred in electronic form (i.e., electronic Protected Health Information, or e-PHI), by means of administrative, physical, and technical safeguards. Examples of addressed safeguards are risk analysis and management, information access management, workforce training management, facilities access and control, workstation and device security, audit controls, and transmission security.

It is also important to note that HIPAA does not require any specific set of technology or software, so organizations are free to adopt …

*** This is a Security Bloggers Network syndicated blog from The ISO 27001 & ISO 22301 Blog – 27001Academy authored by The ISO 27001 & ISO 22301 Blog – 27001Academy. Read the original post at: https://advisera.com/27001academy/blog/2021/01/27/hipaa-compliance-vs-iso-27001/