Mapping the New HIPAA Omnibus Rule to ISO 27001

August 14, 2013

Last Updated on August 14, 2013

Recently one of our ISO 27001 certified clients called me because their clients had been asking them lately about whether they were compliant with the new HIPAA Omnibus Rule. This rule institutes sweeping changes in terms of what organizations must now comply with HIPAA, among a host of other major changes. Thus many companies must now ensure and attest that they are HIPAA compliant.
If your organization is ISO 27001 certified, you can potentially use the mapping that follows to show compliance with the latest HIPAA guidance. Here is the basic guidance on how to proceed:

Review your data security risks and make any necessary adjustments based on the risk of personal health information (PHI) being included in your data or the data you receive, store, process, transmit, etc. from your clients.
Identify the HIPAA security controls in place in your organization (based on the mapping of HIPAA to ISO 27001 as shown below).
Pinpoint any gaps between your security controls and HIPAA requirements for privacy, security and breach notification.
Update your risk treatment plan with any projects required to close gaps for HIPAA compliance based on a mapping of controls per the table below.

View our free ISO 27001 downloadable resources »

There are an estimated 70 controls in ISO 27002 that map to HIPAA safeguards. This information updates an earlier post on the Pivot Point Security website.

HIPAA Standards	HIPAA Implementation Specifications	ISO 27002 Security Clauses & Categories	Controls
Security Management Process	164.308(a)(1) Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R)	5.1 INFORMATION SECURITY POLICY	2
Assigned Security Responsibility	164.308(a)(2)	6.1.3 Allocation of information security responsibilities	1
Workforce Security	164.308(a)(3) Authorization and/or Supervision (A) Workforce Clearance Procedure Termination Procedures (A)	8 HUMAN RESOURCES SECURITY	8
Information Access Management	164.308(a)(4) Isolating Health care Clearinghouse Function (R) Access Authorization (A) Access Establishment and Modification (A)	11.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL 11.2 USER ACCESS MANAGEMENT	5
Security Awareness and Training	164.308(a)(5) Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A)	8.2.2 Information security awareness, education, and training 11.3.1 Password use	2
Security Incident Procedures	164.308(a)(6) Response and Reporting (R)	13 INFORMATION SECURITY INCIDENT MANAGEMENT	5
Contingency Plan	164.308(a)(7) Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A)	14 BUSINESS CONTINUITY MANAGEMENT	5
Evaluation	164.308(a)(8)	15.2 COMPLIANCE WITH SECURITY POLICIES AND STANDARDS, AND TECHNICAL COMPLIANCE	2
Business Associate Contracts and Other Arrangement	164.308(b)(1) Written Contract or Other Arrangement (R)	N/A	0
Facility Access Controls	164.310(a)(1) Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A)	9.1 SECURE AREAS	6
Workstation Use	164.310(b)	7.1.3 Acceptable use of assets	1
Workstation Security	164.310(c)	9.2 EQUIPMENT SECURITY	5
Device and Media Controls	164.310(d)(1) Disposal (R) Media Re-use (R) Accountability (A) Data Backup and Storage (A)	7.1 RESPONSIBILITY FOR ASSETS 9.2.6 Secure disposal or re-use of equipment 9.2.7 Removal of property 10.5 BACK-UP 10.7 MEDIA HANDLING	8
Access Control	164.312(a)(1) Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A)	11.5 OPERATING SYSTEM ACCESS CONTROL	6
Audit Controls	164.312(b)	15.3.1 Information systems audit controls	1
Integrity	164.312(c)(1) Mechanism to Authenticate Electronic Protected Health Information (A)	12.2 CORRECT PROCESSING IN APPLICATIONS	4
Person or Entity Authentication	164.312(d)	11.4.2 User authentication for external connections 11.5.2 User identification and authentication	2
Transmission Security	164.312(e)(1) Integrity Controls (A) Encryption (A)	12.3 CRYPTOGRAPHIC CONTROLS	2
Privacy Rule obligations for business associates	Limiting uses or disclosures of PHI to only those (i) provided for within their business associate agreement or (ii) permitted or required under HIPAALimiting permissible disclosures or requests for disclosures of PHI to the minimum necessaryProviding an accounting of disclosures;Providing access to PHI kept in a designated record set for covered entities or individuals	15.1.4 Data protection and privacy of personal information	1
Privacy Rule obligations for business associates	Providing PHI to the U.S. Department of Health and Human Services (HHS) to demonstrate compliance during investigations	13.2.3 Collection of evidence	1
Privacy Rule obligations for business associates	Entering into business associate agreements with subcontractors that comply with the provisions governing business associate agreements between covered entities and business associates	6.2.3 Addressing security in third party agreements	1
Enforcement Rule obligations for business associates	Maintaining compliance records and submitting reports to HHS when HHS requires such disclosures to determine whether a covered entity or business associate is complying with HIPAA.	15.1.1 Identification of applicable legislation	1
Breach Notification Rule obligations for business associates	Providing a breach notification to its covered entity upon discovering a privacy or security “breach,” as defined under HIPAA, and performing a risk assessment, in accordance with the final rule, when determining whether a breach has occurred.	13.1.1 Reporting information security events	1
TOTAL			70

If your organization has multiple compliance requirements (e.g., HIPAA, PCI-DSS, GLBA, etc.) then compliance with ISO 27001 and ISO 27002 can potentially help you simplify and centralize your overall compliance efforts.

ISO 27001

ISO 27001 is manageable and not out of reach for anyone! It’s a process made up of things you already know – and things you may already be doing.
Get your ISO 27001 Roadmap – Downloaded over 4,000 times

Download Now!

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Blog

Mapping the New HIPAA Omnibus Rule to ISO 27001

ISO 27001

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

2 Principles to Revolutionize Security Awareness Training

What is Cyversity and How Can It Improve Diversity on My Cybersecurity Team?

How can we help you?

Services

Compliance

Insights

Pivot Point Security