
Comparison of HIPAA compliance and ISO 27001 certification

Updated 2022-04-25.

All over the world, organizations in the healthcare industry are becoming more and more interested in protecting their patients’ information; in the United States, however, this obligation goes back to 1996, when HIPAA (the Health Insurance Portability and Accountability Act) was enacted. HIPAA regulates the use and disclosure of individuals’ protected health information by the organizations that handle it.

This article compares HIPAA compliance with ISO 27001, and shows how organizations that must comply with HIPAA can use ISO 27001, the leading ISO standard for information security management, to fulfill HIPAA's security requirements.

HIPAA is U.S. legislation for the protection of sensitive health/patient data; it applies only in the United States, to organizations that handle protected health information. ISO 27001 is a standard for information security management that is applicable internationally, in any industry.

What are the security requirements in HIPAA?

Broadly speaking, HIPAA's requirements are defined by two main rules: the Privacy Rule and the Security Rule. These rules must be followed by "covered entities" (health plans, healthcare clearinghouses, and healthcare providers that transmit health information in electronic form in connection with a HIPAA-covered transaction) and by the business associates that handle protected health information on their behalf.

The Privacy Rule establishes standards for the use and disclosure of personal health information (called Protected Health Information, or PHI): information about the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to the individual, or payment for that care. Examples of the standards it establishes are limiting use and disclosure to the minimum necessary, giving notice of privacy practices, and adopting administrative practices (e.g., privacy policies and procedures, definition of responsibilities, training, documentation, records and retention, etc.).

The Security Rule establishes standards for protecting the confidentiality, integrity, and availability of PHI that is held or transmitted in electronic form (electronic Protected Health Information, or e-PHI), by means of administrative, physical, and technical safeguards.

*** This is a Security Bloggers Network syndicated blog from ISO 27001 & ISO 22301 Blog – 27001Academy authored by ISO 27001 & ISO 22301 Blog – 27001Academy. Read the original post at: https://advisera.com/27001academy/blog/2021/01/27/hipaa-compliance-vs-iso-27001/
