Which ISO standard directs how to protect Personal Health Information (PHI)?

Prepare for the CISSP Domain 1 - Security and Risk Management Test. Use flashcards and multiple choice questions, each with hints and explanations. Get exam-ready!

The ISO standard that specifically addresses the protection of Personal Health Information (PHI) is ISO 27799. It provides guidelines for managing health data and stresses protecting sensitive personal health information from risks such as breaches and unauthorized access, offering a framework for implementing information security management practices tailored to the healthcare sector.

ISO 27799 takes into account the unique requirements of health information, including compliance with legal and regulatory obligations related to data protection, and is specifically aimed at organizations that deal with health-related personal data. Its recommendations help organizations ensure the confidentiality, integrity, and availability of health information, supporting safe practices in the management of personal health data.

In contrast, ISO 27001 and ISO 27002 cover broader information security management principles and controls that apply across many sectors but are not specific to healthcare; ISO 27799 builds on the ISO 27002 control set and adapts it to health information. ISO 27005 is largely concerned with information security risk management and does not address health information specifically. ISO 27799 is therefore the dedicated standard for safeguarding personal health information.
