The results of mass adoption of EHRs and third-party integrations include accurate and up-to-date information about patients, secure access to patient records across healthcare systems, and more interoperability between primary care providers and specialists. As healthcare data has migrated to digital formate in hospitals, clinics, and private practices, IT leaders have had to simultaneously increase information security efforts.
These efforts include complying with regulations and policies set forth by federal and state entities. The cornerstone of patient privacy and PHI security is HIPAA. However, sensitive information is not protected by HIPAA alone.
Considering the number of healthcare consumers who pay for at least some portion of their basic medical care with credit and debit cards, the PCI DSS is another valuable tool that the healthcare industry uses to protect confidential patient files.
These are two distinct sets of compliance regulations, but there is some important overlap between HIPAA and PCI. Let’s look closer at how they work to protect healthcare consumer data in similar ways. And how your organization can take advantage of these overlaps to make the compliance process faster and less expensive.
Similarities Between the Healthcare and Credit Card Industries
The healthcare and credit card sectors rank as the second and third largest targets according to the sheer number of data breaches affected over the past several years. The nature and amount of information contained in EMR/EHR systems, as well as cardholder data, is extremely valuable to cyber attackers.
Hackers in pursuit of PHI and payment data are relentless and innovative, making it essential for covered entities and business associates alike to constantly evolve their cybersecurity efforts. That’s why data breaches continue to be a huge, costly factor in both of these sectors.
HIPAA vs. PCI: Key Differences
While both are vital to their industries, PCI DSS and HIPAA are not interchangeable. Explore these key similarities, differences and basic considerations you should know about HIPAA and PCI DSS and their compliance requirements:
- HIPAA has a broader and looser structure, featuring fewer explicit details than PCI DSS, leaving many of the implementation details to the provider to work out and decide.
- PCI DSS features finite security requirements while HIPAA covers a wider range of concerns of patient safety, the right to privacy, quality improvement and the elimination of fraud, abuse and waste.
- The blackmarket value of a health record, with even the most basic health insurance information, is 10-20 times higher than that of a U.S. credit card number complete with 3-digit CVV code.
- All covered entities, as well as their business associates, must comply with HIPAA.
- All business that process credit card transactions must comply with the standards set by the PCI DSS.
- Meaningful use, addressed in the Omnibus Rule of HIPAA under the HITECH Act, helps to address the most serious threats to ePHI, which include theft, loss and unauthorized access. PCI DSS does not address the concept of meaningful use.
HIPAA vs. PCI: Key Similarities
There are also some important similarities between HIPAA and PCI since they are both set to safeguard sensitive data.
- Similar to PCI DSS, HIPAA security compliance may include risk analysis, a remediation process, and periodic vulnerability scans.
- The consequences of non-compliance regarding both sets of requirements include fines for violations, penalties, and a higher risk for successful data breaches.
- Some system components deal with both PHI and account data.
- Common infrastructure components include antivirus software, log monitors, and active directories.
- Many of the controls overlap. See below.
Comparison of HIPAA and PCI DSS Controls
| Control | ✓ HIPAA | ✓ PCI |
| Risk Assessment | ✓ | ✓ |
| Information System Activity Review | ✓ | ✓ |
| Access Control and Access Management | ✓ | ✓ |
| Security Roles & Responsibilities | ✓ | ✓ |
| Workforce Security | ✓ | ✓ |
| Entry & Exit Process | ✓ | ✓ |
| Awareness & Training Program | ✓ | ✓ |
| Protection from Malware | ✓ | ✓ |
| Log-in Monitoring | ✓ | ✓ |
| Account & Password Management | ✓ | ✓ |
| Incident Response Plan | ✓ | ✓ |
| Transmission Security | ✓ | ✓ |
| Contingency Plan | ✓ | |
| Evaluation Program | ✓ | ✓ |
| Third-Party Security | ✓ | ✓ |
| Physical Security | ✓ | ✓ |
| Device & Media Control | ✓ | ✓ |
| Policies & Procedures Documentation | ✓ | ✓ |
| Integrity Protection | ✓ | |
| Denial of Service | ✓ | |
| Workstation Security | ✓ | ✓ |
| Standard Operating Procedures | ✓ | ✓ |
The Power of Combining PCI DSS and HIPAA
Many organizations today are required to comply with both PCI DSS and HIPAA/HITECH standards. Multiple standards efforts can mean, multiple processes, documentation, assessments, audits…doubling or tripling the time and effort needed to reach full IT compliance. But it doesn’t need to.
Working with an experienced IT auditor, it’s possible to take advantage of these regulatory overlaps. Framework mapping between PCI and HIPAA shows which evidence and tasks are redundant, enabling your team to cut out that extra work. Joining these frameworks will mean including both PHI and account data in the scope of a single assessment. Plus, PCI can serve as a strong framework and prescriptive guide for HIPAA requirement that are often considered vague.
The overall benefits of combined compliance efforts include:
- Decreasing the time needed to implement, test, assess, and audit common security measures.
- Decreasing oversight needed for multiple engagements.
- Increasing efficiency by using the strengths of both frameworks.
Get you HIPAA Compliance Checklist here.
Streamline HIPAA and PCI DSS Compliance
The PCI and HIPAA teams at I.S. Partners increasingly meet with businesses like yours that have to meet multiple sets of compliance requirements. Call us at (215) 631-3452 or send us a message to find out how we can help your organization do it faster and easier.
