Last Updated on January 4, 2019

Recently one of our ISO 27001 certified clients called me because their clients had lately been asking them whether they were compliant with the new HIPAA Omnibus Rule. This rule institutes sweeping changes in terms of which organizations must now comply with HIPAA, among a host of other major changes. As a result, many companies must now ensure and attest that they are HIPAA compliant.

If your organization is ISO 27001 certified, you can potentially use the mapping that follows to show compliance with the latest HIPAA guidance. Here is the basic guidance on how to proceed:

1. Review your data security risks and make any necessary adjustments based on the risk of personal health information (PHI) being included in your data or in the data you receive, store, process, transmit, etc. from your clients.
2. Identify the HIPAA security controls in place in your organization (based on the mapping of HIPAA to ISO 27001 as shown below).
3. Pinpoint any gaps between your security controls and the HIPAA requirements for privacy, security and breach notification.
4. Update your risk treatment plan with any projects required to close gaps for HIPAA compliance, based on the mapping of controls in the table below.

There are an estimated 70 controls in ISO 27002 that map to HIPAA safeguards. This information is from the Pivot Point Security website.