The regulation of medical devices is going through a rapid period of change and we can help guide you through this, with a focus on the following areas:
- Changing to risk based and continuous development processes
- Understanding the new privacy landscape and what your requirements are for HIPAA and the GDPR
- Dealing with cybersecurity, especially in view of the FDA’s new guidances on pre-market submissions and post market surveillance
- Designing a product and its accessories to take advantage, wherever possible, of the reduced regulatory burden made possible by the FDA guidance on Mobile Medical Devices (MMD) and Medical Device Data Systems (MDDS)
- Ensuring that your procedures and processes not only meet the requirements but actually provide a positive benefit for your ongoing development
Here are a couple of tools that may help you in complying with the two main security and privacy regulations: HIPAA and the GDPR. HIPAA covers any identifiable data collected on patients in the USA, while the GDPR covers any identifiable data, medical or otherwise, collected under the jurisdiction of any of the EU states. That jurisdiction is rather broadly defined and hasn’t been completely vetted by the courts as of yet, but suffice it to say that even companies that don’t have any active dealings in the EU may find themselves inadvertently covered by it in special circumstances. The good news is that conforming with either of them goes a long way towards conforming with the other.
Because neither of these two regulations is in the form of a standard, they are not convenient for the normal Analysis/Requirements/Traceability process. To help with this, the US Department of Health and Human Services has developed a security risk assessment tool for HIPAA. The checklist we created is based on the individual items in that assessment tool; it should be noted that this checklist is for information purposes only and is not presented as having any legal or regulatory standing. Don’t despair at the length of the checklist or the assessment tool itself: one line in a corporate policy or one product requirement may well satisfy a number of items on the checklist. Feel free to contact us if you would like to discuss further.
On the GDPR side, there is an independent organization, GDPR.EU, that has compiled a checklist. We have taken this and converted it into a table format, putting some of the hyperlinked text in the table itself.