HIPAA and PCI Compliance: The Overlap and Distinctions
While Electronic Medical Records (EMR)—also known as Electronic Health Records (EHR)—technically have a history dating back to the 1960s, efforts and advances have kicked into high gear over the past two decades to make electronic records the default over paper files in healthcare.
The results of mass adoption of EHRs are amazing, featuring benefits that include accurate and up-to-date information about patients at all times, easy access to patient records across different healthcare systems, the improvement of communications between primary care providers and specialists and so many other advantages that are changing and saving lives.
As patient healthcare data has increasingly made its way to the electronic realm in hospitals, clinics, private practices, and any other medical venues, IT leaders have had to simultaneously increase and tighten information security efforts.
These efforts include knowing and faithfully complying with rules, regulations and policies set forth by federal, state and local entities.
The cornerstone of Personal Health Information—also called Protected Health Information (PHI)—security relies heavily on the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
However, confidential patient information is not protected by HIPAA alone. Considering the number of healthcare consumers who pay for at least some portion of their basic medical care with credit and debit cards, the PCI DSS (Payment Card Industry Data Security Standard) is another invaluable tool that the healthcare industry uses to fight cybercriminals intent on gaining access to valuable and confidential patient files.
The Healthcare Industry Needs a Combination HIPAA And PCI To Protect Patient Information in The Electronic Age
While there is some overlap between HIPAA and PCI, they are individual regulations that protect healthcare consumer data. Therefore, any business leaders under the impression that the two are interchangeable—or that if they are fully compliant with one, they are automatically compliant with the other—are dangerously incorrect in that line of thinking.
It may help executives and IT leaders to learn more about the basics of HIPAA and PCI, as well as the overlap and distinctions associated the respective requirements of each.
HIPAA is made up of regulations set to protect the privacy and security of certain health information, as required by the U.S. Department of Health and Human Services (HHS). These requirements apply to any organization that creates, stores, processes or transmits PHI, whether an immediate healthcare provider, which is also referred to as a “covered entity,” or a third party service provider, which is also known as a Business Associate (BA). BAs include an outside CPA firm, law firm, medical transcriptionist, claims processor or a healthcare clearinghouse to take on specialized functions.
For all entities, covered entities and BAs, the foundation of HIPAA encompasses security, privacy and rights, safety, quality improvement and the elimination of fraud, waste and abuse. The Office of Civil Rights oversees the protocols that are continually maintained, updated and enforced by the HHS.
HIPAA features an intentionally vague set of requirements—leaving many of the details up to the covered entity or BA to sort out—but every entity with access to PHI must ensure the technical, physical and administrative safeguards are properly in place and adhered to, in relation to the HIPAA Privacy Rule and HIPAA Security Rule.
A few of the basic security compliance requirements for HIPAA may include risk analysis, remediation progress and periodic vulnerability scans.
Should a breach of PHI occur for a covered entity or BA, they should follow the procedures set forth in the HIPAA Breach Notification Rule, which requires them to notify any affected individuals, the U.S. Department of Health and Human Services and, in some cases, the media.
The PCI DSS is a much broader set of standards, which apply to any organization that accepts credit card payments or stores, processes or transmits confidential cardholder data and other sensitive authentic data.
An increasing number of Americans are using their credit and debit cards as payment—in part or in full—for basic healthcare needs. A credit or debit card might mean the difference between life and death for many patients, so it is important that healthcare providers allow for this payment option. However, it does create additional security obligations for covered entities and BAs.
By allowing this payment option, which certainly benefits healthcare providers by providing an additional payment collection avenue, they are obligated to adhere to any PCI DSS requirements to which any other type of business owner is obligated when accepting credit cards. Compliance with HIPAA standards is not sufficient for compliance with PCI DSS since their requirements differ.
PCI DSS Requirements
PCI DSS, according to its latest update, V3.2, the HIPAA Journal lists 12 distinct compliance requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open and public networks
- Protect all systems against malware and update antivirus software regularly
- Develop and maintain secure systems and applications
- Restrict access to cardholder data on a need-to-know basis
- Identify and authenticate access to system components
- Restrict physical access to cardholder data—again on a need-to-know basis
- Track and monitor access to network resources and cardholder data
- Regularly test security systems and processes with PCI-compliant penetration testing
- Develop and maintain a policy that addresses information security to provide to all personnel
So, Is There Overlap Between HIPAA and PCI?
There are certainly some similarities between HIPAA and PCI since they are both set to safeguard customer data. However, while their aim is the same, their paths often diverge. Following are a few of the overlapping points of the two:
- PCI serves as a strong framework and prescriptive guide for some of HIPAA’s technical safeguard requirements, which may sometimes come across as vague.
- With PCI’s firmly laid out requirements, it aligns with the HIPAA Security Rule; as far as both rules’ focus on meeting their respective compliance requirements.
- The consequences of non-compliance regarding either set of requirements can result in a data breach.
Learn More About the Differences and Similarities Between HIPAA And PCI DSS From Our Team of Experts
HIPAA and PCI DSS are essential tools for anyone working to combine efficiency, convenience and security when it comes to transactions and confidential patient information in the healthcare industry.
Our team at I.S. Partners, LLC. understands how much pressure anyone handling PHI is under as the caretaker of this data, and we want to make your work easier by helping you understand the nuances between both set of requirements and how you can maintain compliance with both.