Expert Advice Community

Additional controls

Guest user Created: Jan 13, 2016 Last commented: Jan 13, 2016

AntonioS Jan 13, 2016

We had a situation in the recent surveillance audit and would appreciate your input here.
One of our company's divisions handles non-voice KPO and was certified against the ISO 27001:2013 standard in May 2015 (Certification Upgrade Audit). However, we have now added a chunk of the Healthcare domain to our KPO division. We connect to the customer's machines through VPN and process the records (no data is copied to our local machines), and the KPO bay is a 'no mobile - no paper' zone. However, just to track the progress of the records we process, the team lead types the client's name into an Excel sheet maintained on a local machine, followed by the start date, the target date of completion, and to whom it is assigned.
I would like to know if I need to add any HIPAA control to my SoA in these scenarios. Can we use the client's name alone on a local machine for tracking? What is the HIPAA control when work is outsourced?
P.S.: The MSA contains a generic statement, "All relevant HIPAA controls are applicable", but does not say anything explicitly.

Answer:

Regarding compliance with ISO 27001:2013, it is not strictly necessary to implement additional controls; I mean, the 114 controls of Annex A of the standard are enough, although the implementation of additional controls (for example, controls related to HIPAA) can be a best practice.
But if HIPAA applies to your business, you can indeed include controls related to this standard in the SoA of ISO 27001, so in this case you can have a single ISMS with the controls of both standards.
Regarding the use of the client's name alone on a local machine, this is personal data, and depending on your country, a specific regulation may apply, but generally you can use this information by applying the security controls established by the regulation of your country. Anyway, ISO 27001:2013 has in Annex A the control "A.18.1.4 Privacy and protection of personally identifiable information" for the protection of this type of data. This article about the regulations and laws of many countries related to information security may be interesting for you, "Laws and regulations on information security and business continuity": https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
Regarding your last question, I am sorry, but I am not an expert in HIPAA; from my point of view, if you have an external provider who is working with information protected by HIPAA, this provider needs to apply the controls of this standard.
You can find more information on HIPAA on the official site of the U.S. Department of Health & Human Services: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
