August 14, 2013

Last Updated on August 14, 2013

Recently one of our ISO 27001 certified clients called me because their own clients had been asking whether they were compliant with the new HIPAA Omnibus Rule. Among a host of other major changes, this rule broadens which organizations must comply with HIPAA, so many companies must now ensure, and attest, that they are HIPAA compliant.
If your organization is ISO 27001 certified, you can potentially use the mapping that follows to show compliance with the latest HIPAA guidance. Here is the basic guidance on how to proceed:

  1. Review your data security risks and make any necessary adjustments based on the risk of personal health information (PHI) being included in your data or the data you receive, store, process, transmit, etc. from your clients.
  2. Identify the HIPAA security controls in place in your organization (based on the mapping of HIPAA to ISO 27001 as shown below).
  3. Pinpoint any gaps between your security controls and HIPAA requirements for privacy, security and breach notification.
  4. Update your risk treatment plan with any projects required to close gaps for HIPAA compliance based on a mapping of controls per the table below.

There are an estimated 70 controls in ISO 27002 that map to HIPAA safeguards. In the table, (R) marks a required implementation specification and (A) an addressable one. This information updates an earlier post on the Pivot Point Security website.

| HIPAA Standards | HIPAA Implementation Specifications | ISO 27002 Security Clauses & Categories | Controls |
|---|---|---|---|
| Security Management Process 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R) | 5.1 INFORMATION SECURITY POLICY | 2 |
| Assigned Security Responsibility 164.308(a)(2) | | 6.1.3 Allocation of information security responsibilities | 1 |
| Workforce Security 164.308(a)(3) | Authorization and/or Supervision (A); Workforce Clearance Procedure; Termination Procedures (A) | 8 HUMAN RESOURCES SECURITY | 8 |
| Information Access Management 164.308(a)(4) | Isolating Health care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A) | 11.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL; 11.2 USER ACCESS MANAGEMENT | 5 |
| Security Awareness and Training 164.308(a)(5) | Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A) | 8.2.2 Information security awareness, education, and training; 11.3.1 Password use | 2 |
| Security Incident Procedures 164.308(a)(6) | Response and Reporting (R) | 13 INFORMATION SECURITY INCIDENT MANAGEMENT | 5 |
| Contingency Plan 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A) | 14 BUSINESS CONTINUITY MANAGEMENT | 5 |
| Evaluation 164.308(a)(8) | | 15.2 COMPLIANCE WITH SECURITY POLICIES AND STANDARDS, AND TECHNICAL COMPLIANCE | 2 |
| Business Associate Contracts and Other Arrangement 164.308(b)(1) | Written Contract or Other Arrangement (R) | N/A | 0 |
| Facility Access Controls 164.310(a)(1) | Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A) | 9.1 SECURE AREAS | 6 |
| Workstation Use 164.310(b) | | 7.1.3 Acceptable use of assets | 1 |
| Workstation Security 164.310(c) | | 9.2 EQUIPMENT SECURITY | 5 |
| Device and Media Controls 164.310(d)(1) | Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A) | 7.1 RESPONSIBILITY FOR ASSETS; 9.2.6 Secure disposal or re-use of equipment; 9.2.7 Removal of property; 10.5 BACK-UP; 10.7 MEDIA HANDLING | 8 |
| Access Control 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A) | 11.5 OPERATING SYSTEM ACCESS CONTROL | 6 |
| Audit Controls 164.312(b) | | 15.3.1 Information systems audit controls | 1 |
| Integrity 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A) | 12.2 CORRECT PROCESSING IN APPLICATIONS | 4 |
| Person or Entity Authentication 164.312(d) | | 11.4.2 User authentication for external connections; 11.5.2 User identification and authentication | 2 |
| Transmission Security 164.312(e)(1) | Integrity Controls (A); Encryption (A) | 12.3 CRYPTOGRAPHIC CONTROLS | 2 |
| Privacy Rule obligations for business associates | Limiting uses or disclosures of PHI to only those (i) provided for within their business associate agreement or (ii) permitted or required under HIPAA; limiting permissible disclosures or requests for disclosures of PHI to the minimum necessary; providing an accounting of disclosures; providing access to PHI kept in a designated record set for covered entities or individuals | 15.1.4 Data protection and privacy of personal information | 1 |
| Privacy Rule obligations for business associates | Providing PHI to the U.S. Department of Health and Human Services (HHS) to demonstrate compliance during investigations | 13.2.3 Collection of evidence | 1 |
| Privacy Rule obligations for business associates | Entering into business associate agreements with subcontractors that comply with the provisions governing business associate agreements between covered entities and business associates | 6.2.3 Addressing security in third party agreements | 1 |
| Enforcement Rule obligations for business associates | Maintaining compliance records and submitting reports to HHS when HHS requires such disclosures to determine whether a covered entity or business associate is complying with HIPAA | 15.1.1 Identification of applicable legislation | 1 |
| Breach Notification Rule obligations for business associates | Providing a breach notification to its covered entity upon discovering a privacy or security "breach," as defined under HIPAA, and performing a risk assessment, in accordance with the final rule, when determining whether a breach has occurred | 13.1.1 Reporting information security events | 1 |
| TOTAL | | | 70 |

If your organization has multiple compliance requirements (e.g., HIPAA, PCI-DSS, GLBA, etc.) then compliance with ISO 27001 and ISO 27002 can potentially help you simplify and centralize your overall compliance efforts.