For organizations in healthcare-related sectors that both handle Protected Health Information (PHI) and accept credit card payments, a PCI and HIPAA compliance comparison can help identify overlaps in their compliance obligations. Those overlaps can feed into a single risk assessment, avoiding duplicated effort and reducing the risk of a data breach.
In this comparison between PCI compliance and HIPAA compliance, we have used the PCI Data Security Standard v3.2 as our reference point. Readers are advised to check the PCI Security Standards Council website periodically for changes to the Data Security Standard that may affect the accuracy of this PCI and HIPAA compliance comparison.
PCI and HIPAA Compliance Comparison
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that accepts credit card payments, or that stores, processes or transmits cardholder data and/or sensitive authentication data. Similarly, the Health Insurance Portability and Accountability Act (HIPAA) applies to any organization that creates, receives, stores, maintains or transmits Protected Health Information.
As will be shown in our PCI and HIPAA compliance comparison, there are many similarities between the PCI DSS and the physical, technical and administrative safeguards of the HIPAA Security Rule. In fact, an organization that applies some of its PCI controls (for example, encryption of data at rest and in transit) to ePHI as well as to cardholder data will largely satisfy the corresponding encryption requirements within HIPAA.
Requirements for PCI DSS Compliance
In PCI DSS v3.2, the version used for this comparison, there are 12 compliance requirements. They mirror security best practices that should exist in any organization managing sensitive data, and they aim to minimize the likelihood of a data breach through a combination of technical security mechanisms and operational security practices. The 12 requirements (with HIPAA compliance comparisons) are:
Install and maintain a firewall configuration to protect cardholder data.
Although the HIPAA Security Rule is “technology neutral”, an appropriately configured firewall or UTM appliance should be the first line of defense against hackers and malicious software attempting to steal Protected Health Information (PHI).
Do not use vendor-supplied defaults for system passwords and other security parameters.
In HIPAA, passwords are covered in section §164.308 of the Security Rule’s administrative safeguards. Individually identifiable credentials are necessary for monitoring access to ePHI, and users should also be trained to form strong passwords (to mitigate the risk of brute-force attacks) and to change them as often as the organization’s risk assessment determines is necessary.
Protect stored cardholder data.
Most organizations subject to HIPAA regulations will be aware that they have an obligation to protect stored patient data, not only against unauthorized disclosure, but also against unauthorized alteration and deletion. Organizations should adopt whatever security mechanisms are necessary to safeguard ePHI, whether it is held on servers, on mobile devices or in the cloud.
Encrypt transmission of cardholder data across open, public networks.
Although the HIPAA encryption requirements are an “addressable” implementation specification of the Security Rule, there are very few justifiable reasons for not implementing them. Should an organization choose not to encrypt ePHI at rest and in transit, it has to document the reasons why in its risk assessment and implement an equivalent alternative measure, or obtain permission from individuals to store and communicate their PHI without it being encrypted.
Protect all systems against malware and regularly update anti-virus software or programs.
A malware infection falls within the definition of a security incident in §164.304 of the HIPAA Security Rule and, once the infection is discovered, organizations must follow their security incident response procedures. Unless a risk assessment shows a low probability that ePHI has been compromised, the incident must be treated as a breach and reported to HHS OCR under the Breach Notification Rule. Ideally, all systems should be protected against malware with the mechanisms most suited to reducing the organization’s risk.
Develop and maintain secure systems and applications.
In a healthcare setting, this relates not only to electronically stored ePHI, but also to physical PHI held on paper or other media. The PCI requirement to develop and maintain secure systems and applications is an accurate summary of what the Security Rule’s technical, physical and administrative safeguards require.
Restrict access to cardholder data by business need to know.
This PCI requirement is very similar to the HIPAA Privacy Rule’s “minimum necessary” standard, which states that organizations must make reasonable efforts to limit the use or disclosure of PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure or request. This is particularly relevant when Covered Entities are sharing PHI with Business Associates.
Identify and authenticate access to system components.
This wide-ranging PCI requirement, when put into the context of a PCI and HIPAA compliance comparison, can mean anything from adopting secure messaging on mobile devices to implementing access controls for cloud-based data storage. A thorough risk assessment will identify which system components require access and authentication controls.
Restrict physical access to cardholder data.
This requirement could be interpreted as restricting physical access to ePHI as required by the physical safeguards of the HIPAA Security Rule (§164.310). However, it could also be interpreted as preventing unauthorized personnel from viewing ePHI displayed on a computer monitor or in an EHR system. Organizations should interpret this requirement in light of their own circumstances and record their conclusions in a risk assessment.
Track and monitor all access to network resources and cardholder data.
In relation to electronically stored ePHI, this closely resembles the HIPAA Security Rule’s audit controls requirement and its “addressable” log-in monitoring and password management specifications. Monitoring and password management tools are available to help with this requirement; and, unless the tool’s vendor creates, receives, maintains or transmits ePHI on the organization’s behalf, no Business Associate Agreement needs to be in place to use them.
Regularly test security systems and processes.
Although the HIPAA Security Rule does not state how frequently risk assessments should be carried out, the Office of the National Coordinator recommends that security systems and processes be reviewed at least annually, and whenever new technology is adopted or work practices change. If an organization is applying for Meaningful Use incentive payments, an annual security risk analysis is required regardless.
Maintain a policy that addresses information security for all personnel.
As the HIPAA Security Rule requires policies and procedures documenting how organizations comply with each of the technical, physical and administrative safeguards, it is highly likely that HIPAA Covered Entities have already created a policy covering information security. It is also important that a sanctions policy is adopted so that users are aware of the penalties for non-compliance.
Although there is much common ground between PCI and HIPAA compliance, the fact that an organization complies with one set of rules does not necessarily mean it complies with the other. For instance, a HIPAA-compliant organization may have a justifiable and documented reason not to encrypt certain data; the absence of encryption would make the organization non-compliant with PCI DSS.
Furthermore, in the same way that different States have different legislation that can influence how some HIPAA requirements are enforced, each payment card brand (Visa, Mastercard, American Express, etc.) also has its own program for compliance, validation and enforcement.