Worried About HIPAA Revisions? Here’s where SOC, PCI, and ISO may have you covered
While HIPAA will celebrate its 30th birthday next year, the healthcare rule for data privacy made headlines this January for its proposed changes. The Department of Health and Human Services (HHS) proposed significant changes to the HIPAA Security Rule, which may impact organizations’ ability to achieve HIPAA compliance in the future.
While the proposed changes would likely go into effect in 2026, the more stringent requirements will cause some organizations to reevaluate their security and privacy practices to remain compliant.
Luckily, for companies that maintain multiple compliance frameworks alongside their HIPAA compliance, we have good news: many of the “new” HIPAA requirements map to existing requirements you already address. Here is a sample of Tevora’s breakdown of the overlap between the “new” HIPAA requirements and other frameworks.
New Document Requirements
New HIPAA Requirement | PCI | ISO 27001 | SOC 2 |
Asset Inventories and Data Flow Diagrams: Organizations will be required to maintain a written inventory of technology assets and a network map that illustrates the movement of electronic protected health information (ePHI) throughout their systems. This documentation must be updated at least annually and whenever there are significant changes to the environment. | Asset Inventories required in PCI [12.5.1]; Data Flow Diagrams required in PCI [1.2.4] | Asset Inventories required in ISO 27001 [A5.9] | Asset Inventories required in SOC 2 [CC6.1]; Data Flow Diagrams best practice in SOC 2 [CC2.1] |
Enhanced Risk Analysis: The risk analysis process will need to be more specific, including a written assessment that identifies all reasonably anticipated threats, potential vulnerabilities, and the security measures in place to protect ePHI. This analysis must also consider evolving threats like ransomware and supply chain vulnerabilities. | | Enhanced Risk Analysis required in ISO 27001 [8.2] | Enhanced Risk Analysis required in SOC 2 [CC3] |
Multi-Factor Authentication (MFA) and Enhanced Encryption Standards
New HIPAA Requirement | PCI | ISO 27001 | SOC 2 |
MFA: Organizations will need to implement MFA for accessing systems that contain ePHI. This additional layer of security helps prevent unauthorized access, even if passwords are compromised. | MFA required in PCI [throughout requirement 8] | | MFA required in SOC 2 [CC6.1] |
Enhanced Encryption: The rule proposes stricter encryption standards to protect ePHI both in transit and at rest. This ensures that sensitive information remains secure, even if intercepted by malicious actors. | Enhanced Encryption required in PCI [requirement 3 and 4] | Enhanced Encryption required in ISO 27001 [A8.1.2] | Enhanced Encryption required in SOC 2 [CC6.1 and CC6.7] |
Comprehensive Documentation of Risk Management Activities
New HIPAA Requirement | PCI | ISO 27001 | SOC 2 |
Risk Management Plans: Organizations must develop and maintain detailed risk management plans that outline the measures taken to mitigate identified risks. | | Risk Management Plans required in ISO 27001 [such as 6.1.3 and 8.3] | Risk Management Plans required in SOC 2 [CC3] |
Change Management Controls: The rule introduces requirements for technical and non-technical evaluations prior to changes in the entity’s environment. This ensures that any modifications do not inadvertently introduce new vulnerabilities. | Change Management Controls required in PCI [throughout requirement 6] | Change Management Controls required in ISO 27001 [e.g. 8.3.2] | Change Management Controls required in SOC 2 [CC8.1] |
Assessments of Third-Party Vendors
New HIPAA Requirement | PCI | ISO 27001 | SOC 2 |
Vendor Assessments:* Organizations must conduct thorough assessments of their third-party vendors to ensure they comply with HIPAA requirements. This includes evaluating their security controls, policies, and procedures. | Vendor Assessments required in PCI [12.8.4] | Vendor Assessments required in ISO 27001 [A5.22] | Vendor Assessments required in SOC 2 [CC8.1] |
Ongoing Monitoring:* Regular monitoring of third-party vendors is essential to ensure continued compliance and address any emerging risks. | Ongoing Monitoring required in PCI [12.8.4] | Ongoing Monitoring required in ISO 27001 [A5.22] | Ongoing Monitoring required in SOC 2 [CC9.2] |
* Vendor management must now include a specific callout to review each vendor’s adherence to HIPAA requirements.
What Next?
While the changes to HIPAA are not finalized, organizations concerned about their compliance should begin their evaluations as soon as possible. Since the goal is to enhance protections around ePHI, the changes are expected to be a net gain in securing information against leaks and security breaches.
For more information on whether your organization may be impacted by these changes in HIPAA requirements, please reach out to Tevora at sales@tevora.com.