PCI DSS (the Payment Card Industry Data Security Standard) and HIPAA (the Healthcare Information Portability and Accountability Act) are both vital to their respective industries. Both frameworks are crucial tools to help organizations comply with the respective guidelines.
HIPAA’s requirements serve to protect Protected Health Information (PHI) and Electronic Health Records (EHR) while PCI DSS concentrates on protected consumer credit card data. Both standards are highly effective in protecting the confidentiality of their patients and cardholders.
There are some points where the two standards intersect in their requirements and goals for security, but they are indeed two distinct standards that warrant a closer look at why they are necessary, what they do and the important differences between the two.
The Healthcare and Credit Card Industries Are Highly Attractive Marks for Hackers and Other Cybercriminals
Take a moment to consider the nature of data breaches over the past several years.
Although the healthcare industry comes in second—and the credit card industry comes in third—to the business industry for sheer number of data breaches, healthcare data has a special allure for cybercriminals.
The reason cybercriminals place such a premium on healthcare data? The nature and amount of information contained in each Electronic Health Record (EHR) is a goldmine. Compared to a credit card number, where a criminal can get the cardholder’s card number, a cybercriminal tapping into the EHR sphere of consumer information has the potential to steal a patient’s social security number, address and mother’s maiden name.
The very nature of EHR is intended to promote and improve the widespread sharing of patient data across different healthcare systems in the interest of convenience and better opportunity to save lives with instant access to vital information. Hackers in pursuit of PHI are relentless, innovative and continually ready to evolve their strategies, making it essential that HIPAA’s protections equally evolve to thwart cybercriminals’malicious efforts.
Unfortunately, but not surprisingly, the easy access to vital data is precisely why hackers find it so irresistible as well.
The risks are just as present and disruptive for the credit card industry, even if the stakes are not quite as high and the attacks are not as prevalent.
While the ill-gotten payoff to cybercriminals doesn’t yield as much as it does for PHI, credit card company data breaches are certainly still a huge and costly factor in consumer data protection.
The Basics of HIPAA
Enacted in 1996 to improve the efficiency and effectiveness of the healthcare industry by adopting national standards when performing electronic healthcare transactions. HIPAA also applies to code sets, unique identifiers and general security.
Further, understanding that the transmission of PHI over electronic media could result in a serious and quick erosion of the protection of identifiable patient data, the U.S. Congress added provisions to HIPAA that called for the adoption of federal privacy protections for PHI.
The U.S. Department of Health and Human Services (HHS) a series of rules to reflect the nature of the healthcare industry in its increasing reliance on EHR to store and transmit PHI, as well as the equally increasing threats against personally identifiable data under the care of healthcare facilities of all kinds.
The HHS Rules over the years include the following:
The Privacy Rule.
Published in December 2000 and modified in August 2002, this Rule included the Administrative Simplification Rules that set the national standards for identifiable health information.
The Security Rule.
Published in February 2003, the Security Rule set the national standards dedicated to the protection of the integrity, confidentiality and availability of electronic PHI (ePHI).
The Enforcement Rule.
This Rule set the standards to effectively enforce the Administration Simplification Rules.
The Final Omnibus Rule.
HHS enacted this Rule to implement a number of provisions regarding the Health Information Technology for Economic and Clinical Health (HITECH) Act, including finalizing the Breach Notification Rule. HITECH was enacted as a part of the American Recovery and Reinvestment Act of 2009 and was focused on the adoption of meaningful uses for health information technology.
The success of HIPAA greatly relies on consistent and complete compliance. One of the key ingredients to HIPAA compliance is providing staff training at every level to make sure everyone understands the importance of protecting PHI and the negative consequences of falling short of compliance.
The Basics of PCI DSS
The Payment Card Industry Security Standards Council (PCI SSC), which officially launched operations September 7, 2006, designed, developed and maintains PCI DSS. PCI SSC is an independent entity created by all the major credit card brands like American Express, Discover, Visa and MasterCard.
PCI DSS is a collection of security standards developed to ensure that any and all companies that accept, process, store or transmit credit card information maintain a secure computing environment. The PCI SSC manages the ongoing evolution of the credit card industry to mitigate the risks involved and to protect consumers.
This standard regularly undergoes reviews and updates to reflect the most up-to-date computing climate. The newly enforced PCI DSS v3.2 includes the Prioritized Approach, which breaks down the original 12 PCI DSS standard requirements into six milestones, which are:
- The removal of authentication data from network storage devices and limiting the amount of retained data.
- The protection of access points for systems and networks and responding to system breaches.
- The securing of payment card applications in application controls, servers and processes.
- The monitoring and controlling of authorized access.
- The protection of stored data with key protection mechanisms.
- The completion of all PCI DSS requirements, including finalizing related processes, procedures and policies.
Key Similarities and Differences You Should Know Between HIPAA Compliance and PCI DSS Compliance
It is already clear that there are some significant differences between these two highly important protective standards, respective to their industries. Since payment processing, particularly via credit cards, has become a mainstay of healthcare organizations, the two are already fundamentally intertwined. However, it is important to learn some of the finer differences to make sure you have everything covered.
Explore these key similarities, differences and basic considerations you should know about HIPAA and PCI DSS and their compliance requirements:
HIPAA has a broader and looser structure, featuring fewer explicit details than PCI DSS, leaving many of the implementation details to the provider to work out and decide.
- Credit card numbers are strictly meant to be secured while health records must be more malleable, meaning that they are to be exchanged, portable and, of course, secured.
- PCI DSS features finite requirements while HIPAA covers security, safety, privacy and rights, quality improvement and the elimination of fraud, abuse and waste.
- Similar to PCI DSS, HIPAA security compliance may include risk analysis, a remediation process and periodic vulnerability scans.
- The value of a health record with even the most basic health insurance information is 10-20 times more than that of a U.S. credit card that features a 3-digit CVV code.
- All covered entities, as well as their business associates, must comply with HIPAA.
- Meaningful use, addressed in the Omnibus Rule of HIPAA under the HITECH Act, helps to address the most serious threats to ePHI, which include theft, loss and unauthorized access. PCI DSS does not address the concept of meaningful use.
- While both are vital to their industries, PCI DSS and HIPAA are not interchangeable and should be treated as separate compliance endeavors.
Do You Need More Help Sorting Out the Finer Points of HIPAA and PCI DSS?
If you need to comply with both HIPAA and PCI DSS, which many companies increasingly are, you may need some additional help sorting out the purpose of each and how to ensure compliance.
Perhaps your organization serves as a business associate to a healthcare organization while you also must accept credit card payments and store customer data. In such a case, you certainly need to make sure you understand both standards and how you can completely comply with both. There are many reasons why you may need to comply with both standards.
Our PCI and HIPAA teams at I.S. Partners, LLC. increasingly meet with businesses like yours that have to meet one, more or multiple sets of requirements for compliance. It can easily become confusing, frustrating and time-consuming to work it all out on your own.
Call us at (215) 675-1400, send us a message or launch a chat session so we can get to work helping you learn more about PCI DSS, HIPAA and any other key standards you need to look out for to achieve compliance and peace of mind.