Mapping the New HIPAA Omnibus Rule to ISO 27001

Recently one of our ISO 27001-certified clients called me because their own clients had been asking whether they were compliant with the new HIPAA Omnibus Rule. The Omnibus Rule institutes sweeping changes, among them a major expansion of which organizations must comply with HIPAA, alongside a host of other significant changes. As a result, many companies must now ensure, and attest, that they are HIPAA compliant.

If your organization is ISO 27001 certified, you can potentially use the mapping that follows to demonstrate compliance with the latest HIPAA guidance. The basic approach is:

  1. Review your information security risks and make any necessary adjustments based on the risk of protected health information (PHI) being included in your own data or in the data you receive, store, process or transmit for your clients.
  2. Identify the HIPAA security controls already in place in your organization, using the mapping of HIPAA to ISO 27001 shown below.
  3. Pinpoint any gaps between your existing security controls and the HIPAA requirements for privacy, security and breach notification.
  4. Update your risk treatment plan with the projects required to close those gaps, again based on the control mapping in the table below.

An estimated 70 controls in ISO 27002 map to HIPAA safeguards. This information updates an earlier post on the Pivot Point Security website.

| HIPAA Standard | HIPAA Implementation Specifications | ISO 27002 Security Clauses & Categories | Controls |
|---|---|---|---|
| Security Management Process 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R) | 5.1 INFORMATION SECURITY POLICY | 2 |
| Assigned Security Responsibility 164.308(a)(2) | | 6.1.3 Allocation of information security responsibilities | 1 |
| Workforce Security 164.308(a)(3) | Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A) | 8 HUMAN RESOURCES SECURITY | 8 |
| Information Access Management 164.308(a)(4) | Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A) | 11.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL; 11.2 USER ACCESS MANAGEMENT | 5 |
| Security Awareness and Training 164.308(a)(5) | Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A) | 8.2.2 Information security awareness, education, and training; 11.3.1 Password use | 2 |
| Security Incident Procedures 164.308(a)(6) | Response and Reporting (R) | 13 INFORMATION SECURITY INCIDENT MANAGEMENT | 5 |
| Contingency Plan 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A) | 14 BUSINESS CONTINUITY MANAGEMENT | 5 |
| Evaluation 164.308(a)(8) | | 15.2 COMPLIANCE WITH SECURITY POLICIES AND STANDARDS, AND TECHNICAL COMPLIANCE | 2 |
| Business Associate Contracts and Other Arrangements 164.308(b)(1) | Written Contract or Other Arrangement (R) | N/A | 0 |
| Facility Access Controls 164.310(a)(1) | Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A) | 9.1 SECURE AREAS | 6 |
| Workstation Use 164.310(b) | | 7.1.3 Acceptable use of assets | 1 |
| Workstation Security 164.310(c) | | 9.2 EQUIPMENT SECURITY | 5 |
| Device and Media Controls 164.310(d)(1) | Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A) | 7.1 RESPONSIBILITY FOR ASSETS; 9.2.6 Secure disposal or re-use of equipment; 9.2.7 Removal of property; 10.5 BACK-UP; 10.7 MEDIA HANDLING | 8 |
| Access Control 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A) | 11.5 OPERATING SYSTEM ACCESS CONTROL | 6 |
| Audit Controls 164.312(b) | | 15.3.1 Information systems audit controls | 1 |
| Integrity 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A) | 12.2 CORRECT PROCESSING IN APPLICATIONS | 4 |
| Person or Entity Authentication 164.312(d) | | 11.4.2 User authentication for external connections; 11.5.2 User identification and authentication | 2 |
| Transmission Security 164.312(e)(1) | Integrity Controls (A); Encryption (A) | 12.3 CRYPTOGRAPHIC CONTROLS | 2 |
| Privacy Rule obligations for business associates | Limiting uses or disclosures of PHI to only those (i) provided for within their business associate agreement or (ii) permitted or required under HIPAA; limiting permissible disclosures or requests for disclosures of PHI to the minimum necessary; providing an accounting of disclosures; providing access to PHI kept in a designated record set for covered entities or individuals | 15.1.4 Data protection and privacy of personal information | 1 |
| Privacy Rule obligations for business associates | Providing PHI to the U.S. Department of Health and Human Services (HHS) to demonstrate compliance during investigations | 13.2.3 Collection of evidence | 1 |
| Privacy Rule obligations for business associates | Entering into business associate agreements with subcontractors that comply with the provisions governing business associate agreements between covered entities and business associates | 6.2.3 Addressing security in third party agreements | 1 |
| Enforcement Rule obligations for business associates | Maintaining compliance records and submitting reports to HHS when HHS requires such disclosures to determine whether a covered entity or business associate is complying with HIPAA | 15.1.1 Identification of applicable legislation | 1 |
| Breach Notification Rule obligations for business associates | Providing a breach notification to its covered entity upon discovering a privacy or security "breach," as defined under HIPAA, and performing a risk assessment, in accordance with the final rule, when determining whether a breach has occurred | 13.1.1 Reporting information security events | 1 |
| TOTAL | | | 70 |

In the implementation specification column, (R) marks a specification the HIPAA Security Rule designates as Required and (A) one it designates as Addressable; an addressable specification must still be assessed, and either implemented or replaced with a documented, equivalent alternative. The Controls column gives the number of ISO 27002 controls counted against each HIPAA standard.

If your organization has multiple compliance requirements (e.g., HIPAA, PCI DSS, GLBA), compliance with ISO 27001 and ISO 27002 can potentially help you simplify and centralize your overall compliance effort, since one set of controls is assessed once and then mapped to each framework.
