Does ISO 27001 certification mean HIPAA and HITECH compliance?

If my organization is ISO 27001 certified, does that mean that we are HIPAA and HITECH compliant by default? What are the differences between the standards?

The answer to your question is a resounding no. ISO 27001 certification and HIPAA/HITECH compliance are completely different programs with different goals and requirements.

ISO 27001 is a collection of information security management best practices published by the International Organization for Standardization (ISO). Organizations may choose to voluntarily adopt ISO 27001 and, if they wish, become ISO 27001 certified through an initial audit with follow-up compliance audits to maintain this certification. The requirements and associated audit scope for an ISO 27001 assessment cover information security best practices as broadly applied to an organization.

The Health Insurance Portability and Accountability Act (HIPAA), on the other hand, is a set of federal regulations that governs how covered entities manage the security, privacy and exchange of protected health information (PHI).

HIPAA differs from ISO 27001 in two major ways. First, ISO 27001 may be used to assess the information security practices of any scope of activities an organization conducts. HIPAA, on the other hand, relates specifically to regulated healthcare activities, and the covered entity has no discretion in determining the scope. Second, ISO 27001 only covers information security practices. HIPAA's Security Rule covers a similar range of controls, but HIPAA-covered entities must also comply with the Privacy Rule and the Electronic Data Interchange Rule -- two subjects ISO 27001 does not address.

The bottom line is that ISO 27001 compliance and/or certification will certainly help your HIPAA compliance efforts by providing a solid basis of information security practices. However, it is not sufficient to ensure ongoing compliance with the specific controls the HIPAA rules require.

This was first published in April 2013