
HIPAA vs. ISO 27001 vs. PCI Compliance: The Ultimate Guide

Posted by QuoteColo on June 16, 2016 - Updated on January 29, 2020

There are many sets of compliance standards that businesses must follow, but they are not all the same, and different standards apply to different industries rather than across the board. Three of the most frequently confused are HIPAA, ISO 27001 and PCI-DSS. Are they the same thing? Are they even similar? Do they all apply to your organization? Let's take a closer look.

HIPAA Compliance

HIPAA stands for the Health Insurance Portability and Accountability Act, and it applies only to organizations that handle protected health information (PHI) in some way. That goes well beyond hospitals, medical clinics and physician offices: health plans, health care clearinghouses and other covered entities, along with the business associates that create, receive, maintain or transmit PHI on their behalf, are bound by HIPAA and the HITECH Act. For these organizations HIPAA compliance is mandatory, and the US Department of Health and Human Services, through its Office for Civil Rights (OCR), enforces the rules, investigates breaches and imposes penalties. The HIPAA Privacy Rule governs how PHI may be used and disclosed, and the Security Rule sets administrative, physical and technical safeguards for electronic PHI; the HITECH Act of 2009 promoted the adoption of electronic health records, added breach notification requirements, raised penalties and made business associates directly liable for compliance. Finally, HIPAA is US federal law, so it applies only to organizations handling PHI under US jurisdiction.

ISO 27001

ISO/IEC 27001 is an information security standard published jointly by the International Organization for Standardization and the International Electrotechnical Commission. It specifies the requirements for an information security management system (ISMS): a risk-based framework of policies, controls and management oversight for protecting an organization's information. It is not specific to health data (it can apply to any business in any industry), and it is voluntary. That said, there are similarities between HIPAA and ISO 27001, as both call for a managed program with risk assessment, defined responsibilities and ongoing review. ISO 27001 has no national alignment and is adopted by businesses around the world. Note that many US companies instead rely on SOC 2 reports, the successor to the older SAS 70 audit standard (SAS 70 was retired in 2011 in favor of SSAE 16, now SSAE 18); a SOC report is an auditor's attestation on a service organization's controls rather than a certifiable standard like ISO 27001. It is also important to note that ISO 27001 and ISO 27002 are designed to work in tandem: ISO 27001 states the requirements and lists the Annex A controls, and ISO 27002 provides implementation guidance for putting those controls in place.

PCI-DSS Compliance

PCI-DSS (the Payment Card Industry Data Security Standard) is issued by the PCI Security Standards Council, which was founded by the major card brands, and applies to any business that stores, processes or transmits cardholder data. It applies worldwide, not only in North America and Europe, and although it is not a law in most jurisdictions, compliance is contractually required by the card brands and acquiring banks of any business that holds, stores, analyzes or otherwise uses cardholder information. PCI compliance requires stringent adherence to the standard within the organization, and it extends to the business's IT infrastructure, including servers (in-house or hosted in another data center), website, shopping cart and anything else in the cardholder data environment. The entire focus is on protecting cardholder data, rather than all electronic records. PCI-DSS shares a number of controls with the other two standards (access control, encryption, logging and monitoring, vulnerability management), but they are not identical, and PCI compliance does not guarantee HIPAA or ISO 27001 compliance.

How to Choose the Right Path Forward?

So, how do you choose the right set of standards for your organization? Should you adhere to more than one set? Actually, many organizations will find that not only can they benefit from following two sets of standards, but in some instances, it’s a requirement.

The first step is to determine which standards apply to you based on your industry. If your organization handles patient medical information in any way, then HIPAA definitely applies to you. However, chances are good that you also process credit card information (for co-pays, for patients with no insurance, etc.), in which case both HIPAA and PCI-DSS apply. And while the two are similar, and mapping the requirements will show you where they overlap, they don't match up perfectly. The best option is to map the requirements, become HIPAA compliant, and then close the remaining gaps to ensure PCI compliance.

Where does that leave ISO 27001? Because it is not a mandatory set of requirements, you may be able to set it aside (unless you're actively trying to build a stronger, more robust security program, which benefits any business, or a customer or partner asks for certification). If your organization is based in the US and doesn't do business with international partners or clients, a SOC 2 report may be a better fit, since that is what US customers most often ask for. It's also important to note that, unlike HIPAA and PCI, the ISO 27001 standard itself is not free to access: the HIPAA rules are published in the Code of Federal Regulations and PCI-DSS can be downloaded from the PCI Security Standards Council document library at no charge, but ISO 27001 must be purchased from the ISO website (as well as ISO 27002, to ensure that you have the implementation guidance for the controls).

Finally, it's important to remember that internal compliance is not enough; each framework also expects compliance to be demonstrated. HIPAA requires a documented, periodic risk analysis and evaluation of your safeguards, and OCR can audit or investigate a covered entity or business associate at any time, so many organizations bring in an outside assessor to validate their program. PCI-DSS requires annual validation: larger merchants and service providers generally must have an on-site assessment by a Qualified Security Assessor (QSA), smaller merchants complete a self-assessment questionnaire, and externally facing in-scope systems must be scanned quarterly by an Approved Scanning Vendor (ASV). ISO 27001 certification requires an audit by an accredited certification body, followed by periodic surveillance audits. Not only is this necessary to confirm that your organization meets the current standards, it also keeps you current as those standards change over time. For instance, organizations that complied with the original HIPAA rules found that the 2013 HIPAA Omnibus Rule instituted sweeping changes, and they had a lot of work to do to comply with the new requirements.

Many organizations find that mapping requirements and complying with any or all of these standards is a very real challenge. To speed the process and improve the outcome, many turn to a third-party provider to help create a detailed compliance plan and then implement the changes needed to move forward. And always remember that compliance with one set of standards does not guarantee compliance with another.
