HIPAA, like other regulatory requirements that focus on the control of and disclosure of information and retention or records (see ISO 23081) it is best focusing on control of processes that relate to product and services. HIPAA requires, simplified:
As many of the FDA regulations are being adopted internationally, the above pointers create a challenge for organizations within the medical - health sector, and these includes:
Also consider 21 CFR Part 11 which relates to electronic signature which requires of certifiable binding authority to electronic signature, proper to use as well; that it is unique to one individual, signature manifestation in a human readable form or biometrics, and requirements for multiple signings during continuous and non-continious periods of controlled access.
For effectiveness of the implementation and maintenance of 21 CFR Part 11, as well as related management requirements security is a must and provide for an audit trail (paper and e-media). Further, Quality Healthcare System (QHCS) is available for processes certification and fundamentals of effective and safe healthcare.
If your organization is ISO 9001 certified - registered, assure that is through a competent and reputable registration body whom interfaces directly with an accreditation body, see the list of reputable certification bodies.