Health Insurance Portability and Accountability Act

Since the mid-1990s, HIPAA has been more than just a buzzword in and around organizations and other entities that routinely handle health information.

Part of this unique legislation is the HIPAA Privacy Rule, which provides federal protections for personal health information. The requirements for HIPAA are defined in the Code of Federal Regulations (CFR), Title 45, Part 164.

They are divided into six categories:

  • Security standards
  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards
  • Organizational requirements
  • Policies, procedures and documentation requirements

The HIPAA guidelines provide only very brief descriptions of the requirements. Organizations are responsible for interpreting those requirements and identifying appropriate controls to satisfy them, and this has been a major challenge for many of them. Some companies have found that implementing a management system according to ISO 27001 helps define and simplify the processes behind their compliance efforts.

ISO 27001 and HIPAA?

ISO 27001 specifies a management system intended to organize and control information security, which is at the core of the HIPAA legislation. In fact, ISO 27001 addresses approximately 95% of the requirements of HIPAA. The ISO 27001 framework gives organizations the flexibility to select the controls that are applicable to their business, and they can also add controls not defined in ISO 27001 to the management system to address the remaining 5% of HIPAA requirements. ISO 27001 provides a list of 133 controls in its annex, and ISO 27002 provides guidelines on the implementation of those controls. As a result, ISO 27001 is much easier to implement.

Finally, there is no certification scheme available for HIPAA. Claims of compliance are based on self-assessment or on assessments done by consultants, and the credibility of such claims is often challenged. ISO 27001 certificates, by contrast, are issued under accreditation by the American National Accreditation Board (ANAB), so an organization holding an ISO 27001 certificate will have more credible evidence of HIPAA compliance.

Certification Process

The process starts with the client’s needs and expectations. DQS wants to learn about the client’s organization, its management system, and its size and types of operation. Together, both parties define the objectives for the assessment and/or certification, including the applicable standards and specifications.

Based on the information provided initially, DQS will provide a detailed offer for assessment and certification services tailored to the individual client’s needs. A written contract will specify all relevant deliverables as well as the applicable assessment and certification criteria.

A pre-audit can serve as an initial performance or gap analysis, identifying strengths and areas for improvement. For larger assessment and certification projects, a project planning meeting gives the client a valuable opportunity to meet the lead assessor and develop a customized assessment plan covering all functions and locations involved. Both services are optional.

The assessment procedure itself begins with a review and evaluation of system documentation, goals, results of management review, and internal audits. During this stage it is determined whether the client’s management system is sufficiently developed and ready for certification. The assessor will explain the findings and coordinate any activities required to prepare for the on-site system assessment.

The assigned auditor team will audit the client’s management system at the place of production or service delivery. Applying the defined management system standards and specifications, the assessment team will evaluate the effectiveness of all functional areas and all management system processes, based on observations, inspections, interviews, review of pertinent records, and other assessment techniques. The audit result, including all findings, will be presented to the client during the closing meeting, and any required action plans will be agreed upon as necessary.

The independent certification function of DQS will evaluate the audit process and its results and decide independently whether to issue the certificate. The client receives an audit report documenting the audit results. When all applicable requirements are fulfilled, the client also receives the certificate.

Either semi-annually or at least once per year, there will be an on-site audit of the critical components of the management system. Improvement potential will be identified, with a focus on continual improvement and sustained effectiveness.

A management system certificate is valid for a limited period of time, typically a maximum of three years. At the end of this cycle, a re-audit is carried out to confirm the ongoing fulfillment of all applicable requirements; subject to this fulfillment, a new certificate is issued.

Why DQS?

DQS is one of the leading management system certification, audit, assessment and training organizations globally.

  • Truly Global Brand
  • Expert Auditors with High Emotional Intelligence
  • Local Capabilities & Delivery
  • Industry Leaders
  • Customized, Comprehensive & Actionable Insights
  • Pioneering Innovative Solutions
  • Passion for Quality & Excellence
  • Integrity & Trust

Want to know more?

Ph: (080) 6661-6565 | +91 924 320 3043 | E: Sales.Support@dqs-india.in