The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law meant to protect sensitive electronic protected health information (ePHI). Every healthcare organization (“covered entity”) must comply with HIPAA’s two fundamental rules.

  • The Privacy Rule sets conditions for the use and disclosure of patients’ ePHI.
  • The Security Rule mandates that covered entities implement appropriate safeguards to protect ePHI.

In 2013 the U.S. Department of Health and Human Services (HHS) passed the HIPAA Omnibus Final Rule, which expanded compliance requirements to vendors (called “business associates” in the rule) that also handle ePHI on behalf of covered entities.

Separate from HIPAA, the cybersecurity world also has the ISO 27001 standard, developed by the International Organization for Standardization (ISO) to define security standards for an information security management system (ISMS). By implementing ISO 27001, organizations can better protect their valuable intellectual property, financial data, customer data, and other information.

While both HIPAA and ISO 27001 are about protecting information, they differ in the scope and type of information they aim to protect. For example, ISO 27001 protects all data, while HIPAA refers explicitly to the protection of ePHI only.

That said, many organizations wanting to achieve HIPAA compliance can simplify the process by mapping HIPAA requirements to ISO 27001 controls. This article explains how they can do this mapping.

HIPAA Compliance vs. ISO 27001

Many organizations benefit from following both HIPAA and ISO 27001. In some cases, they are required to follow both. So whether a business implements one, the other, or both depends on the organization and its industry or area of operations.

For instance, a healthcare organization or its business associates that handle ePHI must comply with HIPAA, which is a law and leaves no room for non-compliance. Further, since medical data is sensitive and must be protected from cybersecurity threats, the organization would also be wise to comply with ISO 27001.

In general, non-healthcare organizations that don’t collect or process ePHI don’t have to comply with HIPAA. Meanwhile, achieving ISO 27001 compliance is generally voluntary – but adopting ISO 27001 demonstrates that an organization takes security seriously and can be trusted by its business partners. ISO 27001 compliance can enhance a company’s reputation and lower the possibility of financial damages and other penalties resulting from IT security incidents or data breaches.

Who Is Responsible for Implementing the ISO 27001 Controls?

Because ISO 27001 is a business management system standard, it typically requires the participation of senior management, management from across the organization, and subject matter knowledge from essential areas of the organization (IT, privacy, legal, and so forth).

What are the Annex A controls?

The ISO 27001 standard includes “Annex A,” a list of security measures that businesses may use to strengthen the security of their information assets. In addition, ISO 27001 has 114 controls organized into 14 divisions or “domains.”

The 14 ISO domains address organizational issues, human resources, information technology, physical security, and legal challenges. Organizations are not obligated to adopt the entire list of ISO 27001 controls. Rather, they should study the list and then adopt those controls that make the most sense given the company’s specific operations and compliance obligations.

The 14 domains are as follows:

  • Information security controls (A.5)
  • Information security organization and duty assignment (A.6)
  • Human resources security (A.7)
  • Asset management (A.8)
  • Control of user access (A.9)
  • Encryption and management of sensitive data (A.10)
  • Physical and environmental protection (A.11)
  • Operational protection (A.12)
  • Communication protection (A.13)
  • System acquisition, development, and upkeep (A.14)
  • Supplier relationships (A.15)
  • Management of information security incidents (A.16)
  • Aspects of information security in business continuity management (A.17)
  • Compliance (A.18)

5 HIPAA Requirements to Map to ISO 27001 Controls

ISO 27001 consists of 114 security controls. Of these, at least 47 can be leveraged to comply with HIPAA requirements. Here are five HIPAA requirements that can be mapped to ISO 27001 control objectives to reduce the HIPAA compliance burden.

Map HIPAA Requirement 164.308(a)(2) Assigned Security Responsibility to ISO 27001 Control: A.6.1.1 Information Security Roles and Responsibilities

HIPAA requirement 164.308(a)(2) refers to assigning security responsibility. It specifies how the covered entity or business associate should identify the security official responsible for developing and implementing the policies and procedures to protect ePHI.

This requirement can be mapped to ISO 27001 control: A.6.1.1. This control says that the ownership of information assets should be considered when identifying and allocating information security responsibilities. The objective is to clarify who is responsible for which information based on the organization’s size and nature.

Map HIPAA Requirement 164.308(a)(5) Security Awareness and Training to ISO 27001 Control: A.7.2.2 Information Security Awareness, Education, and Training

HIPAA 164.308(a)(5) requires covered entities to implement a security awareness and training program for the entire workforce.

ISO A.7.2.2 suggests that the organization’s training program should include an information security awareness plan aligning with its information security policies and procedures. It should account for the information to be protected and the controls that will help with this goal. A comprehensive awareness plan includes in-house training and awareness-raising events such as information booklets, presentations, Intranet, videos, gatherings, etc.

Map HIPAA Requirement 164.310(b) Workstation Use to ISO 27001 Control A.8.1.3 Acceptable Use Of Assets

HIPAA 164.310(b) specifies rules regarding how workstations used by a covered entity can access ePHI. It requires covered entities to implement appropriate policies and procedures that determine which functions can be performed by workstations and also specifies the physical attributes of the surroundings of those workstations.

ISO A.8.1.3 suggests that the rules for acceptable asset use must be documented and consider everyone with access to information assets, including employees, temporary staff, contractors, and other third parties. This control also states that all relevant parties must have access to and be trained on these acceptable use rules.

Map HIPAA Requirement 164.308(a)(4) Information Access Management to ISO 27001 A.9.1 Business Requirements of Access Control and A.9.2 User Access Management

HIPAA 164.308(a)(4) requires that covered entities implement policies and procedures to authorize access to ePHI. Moreover, these policies must be consistent with the requirements mandated in Requirement 164 subpart E, which includes data protection and privacy rules.

Annex A.9.1 of ISO 27001 aims to limit access to information and information processing facilities. Control 9.1.1 establishes, documents, and reviews the organization’s access control policy. This security policy should reflect the company’s information security risks and consider the security requirements of its business applications.

HIPAA 164.308(a)(4) should also be mapped to ISO 27001 control A.9.2 to control and manage user access. This is best done with a formal user registration and deregistration process, robust user access provisioning, and management of privileged access rights.

Map HIPAA Requirement 164.312(a)(1) Access Control (to Information Systems) to ISO 27001 A.9.4 System and Application Access Control

Under HIPAA 164.312(a)(1), healthcare organizations must implement technical policies and procedures for any electronic information system that maintains ePHI. Furthermore, these policies should assure that only authorized persons or software programs can access these systems and ePHI.

ISO 27001 A.9.4 is also about controlling access to systems and applications. It includes five controls around:

  • Information access restriction (A.9.4.1)
  • Secure log-on procedures (A.9.4.2)
  • Password Management System (A.9.4.3)
  • Use of privileged utility programs (A.9.4.4)
  • Access control to any program source code (A.9.4.5)

ISO suggests that these controls should ensure that:

  • Limit access as much as possible
  • Source code is kept off operational systems
  • Access to source code is restricted
  • Robust control procedures are implemented
  • Frequent audits and reviews are conducted

Other Possible Mapping of HIPAA Requirements to ISO Controls

HIPAA Requirement ISO Control
164.310(c): Workstation Security A.11.2: Equipment
164.312(b): Audit Controls A.12.7.1: Information Systems Audit Control
164.312(e)(1): Transmission Security A.13: Communications Security
164.308(a)(6): Security Incident Procedures A.16: Information Security Incident Management
164.308(a)(7): Contingency Plan A.17: Information Security Aspects of Business Continuity Management
164.308(a)(8): Evaluation A.18.2.2: Compliance with Security Policies and Standards
A.18.2.3: Technical Compliance Review

Stay Secure and Compliant with ZenComply

Compliance can be intimidating – with HIPAA, ISO 27001, or many other frameworks. Achieve compliance and stay on top of the evolving regulatory environment with ZenComply.

ZenComply provides an integrated and automated system of record to simplify compliance efforts with a single source of truth. Offering complete views of control environments, easy access to information for security program evaluation, plus continual compliance monitoring, ZenComply makes it easy to address critical compliance tasks at any time.

Schedule a free demo of ZenComply.