PCI and HIPAA Compliance Comparison

PCI and HIPAA Compliance Comparison

For organizations in healthcare-related industries, who both have access to PHI and accept credit card payments, a PCI and HIPAA compliance comparison can help find overlaps and similarities in their compliance obligations. These overlaps and similarities can assist organizations with their risk assessments in order to avoid duplication and better mitigate the risk of a data breach.

In this comparison between PCI compliance and HIPAA compliance, we have used the PCI Data Security Standard v3.2 as our reference. Readers are advised to review the PCI Security Standards website periodically for updates to the Data Security Standard that may affect the accuracy of this PCI and HIPAA compliance comparison.

PCI and HIPAA Compliance Comparison – Introduction

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that accepts credit card payments, or that stores, processes or transmits cardholder data and/or sensitive authentication data. Similarly, the Healthcare Insurance Portability and Accountability Act (HIPAA) applies to any organization that creates, stores, processes or transmits Protected Health Information.

As will be demonstrated in our PCI and HIPAA compliance comparison, there are many similarities between the PCI DSS and the physical, technical and administrative safeguards of the HIPAA Security Rule. In fact, by complying with some of the PCI compliance requirements (i.e. the encryption of data), organizations will automatically be complying with the encryption requirements within HIPAA.

PCI DSS Compliancy Requirements

On the current version of the PCI Data Security Standard (v3.2), there are twelve compliance requirements. These mirror security best practices that should be present in any organization managing sensitive data, should minimize the likelihood of a data breach using a combination of security mechanisms and security policies. The twelve requirements (with HIPAA compliance comparisons) are:

Install and maintain a firewall configuration to protect cardholder data.

Although the HIPAA Security Rule is “technology neutral”, a suitable firewall or UTM appliance should be the first line of defense against hackers and malicious software attempting to obtain Protected Health Information (PHI). In May 2013, Idaho State University was fined $400,000 for network security inadequacies that included the disconnection of a firewall protecting the ePHI of 17,500 patients.

Do not use vendor-supplied defaults for system passwords and other security parameters.

In HIPAA, passwords are covered within §164.308 of the Security Rule´s administrative safeguards. Individually identifiable passwords are not only required for monitoring access to ePHI, but training should be given to network users about creating complex passwords (to mitigate the risk of brute force attacks) and changing them as often as found necessary by the organization´s risk assessment.

Protect stored cardholder data.

Most organizations subject to HIPAA regulations will be aware they have an obligation to protect stored patient data, not only against unauthorized disclosure, but also against unauthorized amendment and deletion. Organizations should implement whatever security mechanisms are necessary to protect ePHI – whether it is stored on servers, mobile devices or in the cloud.

Encrypt transmission of cardholder data across open, public networks.

Although the HIPAA encryption requirements are an “addressable safeguard of the Security Rule, there are very few justifiable circumstances in which data encryption is not required. Should an organization fail to encrypt ePHI at rest and in transit, it has to record the reasons why in its risk assessments or obtain permission from individuals to store and communicate their PHI without it being encrypted.

Protect all systems against malware and regularly update antivirus software and programs.

A malware infection is regarded as a security incident under §164.304 of the HIPAA Security Rule and, once the infection is detected, organizations must initiate a security incident and response procedure. If there is the likelihood ePHI has been compromised, the incident must be reported to HHS OCR. Ideally, all systems should be protected against malware with the most suitable mechanisms to mitigate risk.

Develop and maintain secure systems and applications.

In a healthcare environment, this not only relates to electronically-stored ePHI, but physical PHI maintain in paper format or other media. The PCI requirement to develop and maintain secure systems and applications is an accurate description of all the requirements in the Security Rule´s technical, physical and administrative safeguards.

Restrict access to cardholder data by business need to know.

This PCI requirement is strikingly similar to the HIPAA Privacy Rule´s “minimum necessary” rule that stipulates organizations must make reasonable efforts to limit the disclosure of PHI to the minimum amount necessary in order to accomplish the intended purpose of the use, disclosure or request. This is particularly appropriate when Covered Entities are sharing PHI with Business Associates.

Identify and authenticate access to system components.

This wide-ranging requirement of PCI – when put into the context of a PCI and HIPAA compliance comparison – can mean everything from implementing secure messaging on mobile devices to implementing access controls to cloud-based data storage facilities. A comprehensive risk assessment will identify which system components require access and authentication controls.

Restrict physical access to cardholder data.

This standard could be interpreted as restricting physical access to ePHI as required by the HIPAA Security Rule §164.310. However, it could also be interpreted as preventing unauthorized personnel from viewing ePHI displayed on a computer monitor or EHR. Organizations should interpret this requirement with relevance to their own specific circumstances and record their conclusions in a risk assessment.

Track and monitor all access to network resources and cardholder data.

With regard to electronically-stored ePHI, this has a close similarity with the “addressable” validation procedures of the HIPAA Security Rule and the password management requirement. Password management and monitoring tools are available to assist compliance with this requirement; and, unless the tools are storing ePHI, no Business Associate Agreement needs to be in place to use them.

Regularly test security systems and processes.

Although the HIPAA Security Rule does not stipulate how frequently risk assessments should be conducted, the Office of National Coordinator recommends security systems and processes should be tested at least once a year, and whenever new technology is implemented or work practices change. If an organization is applying for Meaningful Use incentive payments, an annual test is required anyway.

Maintain a policy that addresses information security for all personnel.

As the HIPAA Security Rules stipulate policies must be created to demonstrate how organizations comply with each of the technical, physical and administrative safeguards, it is highly likely a policy has already been created by HIPAA Covered Entities to address information security. It is also important that a sanctions policy is implemented in order to advise users of the penalties for non-compliance.

PCI and HIPAA Compliance – Conclusion

Although there are many similarities between PCI and HIPAA compliance, because an organization complies with one set of regulations, it does not necessarily follow it complies with the other. For example, a HIPAA-compliant organization may have a justifiable and chronicled reason to avoid data encryption. The lack of encrypted data would make the organization non-compliant with PCI.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.