HIPAA Compliance vs. PCI DSS


With security, there are important laws to abide by and even more acronyms to know. When accepting online payments, the Payment Card Industry Data Security Standard (PCI DSS) comes into play to improve the security of credit card transactions and protect individuals against misuse of their personal information. Sounds like HIPAA, right?

Many people tend to think that if their business adheres to one set of requirements, then they are also following the other. This is not necessarily true: these are two different sets of requirements created for two different purposes. Let's review both and learn how to comply, depending on the needs of your business.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) covers entities and their business associates that accept payment in the form of credit, debit, or other types of cards. This includes all types of businesses, not just those in healthcare. Although PCI DSS has gone through several versions over the years, its twelve specific requirements are:

  1. Protect your system with firewalls
  2. Configure passwords and specific settings 
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software
  6. Regularly update and patch current systems
  7. Restrict access to cardholder data to a business need-to-know basis
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to workplace and cardholder data
  10. Implement logging and log management 
  11. Conduct vulnerability scans and penetration tests
  12. Complete documentation and risk assessments

These 12 requirements are the basics of compliance; however, each business will also need to complete a Self-Assessment Questionnaire (SAQ) based on its business needs.

Why do you need to comply with PCI if you are already HIPAA compliant?

HIPAA deals specifically with protected health information (PHI), which is defined by the following 18 identifiers:

  1. Names
  2. Geographic identifiers smaller than a state, excepting the last three digits of a zip code
  3. Dates related to the individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers – fingerprints, retinal, and voice prints
  17. Full face photographic images
  18. Any other unique identifying number, characteristic, or code

In general, the HIPAA privacy and security rules, as well as HITECH, use broader terminology and vaguer language. PCI DSS is much more specific. For example, PCI regulations use the word "firewall", while HIPAA uses the seemingly vaguer "implement technical security measures to guard against unauthorized access." PCI is considered the higher, more specific set of standards. Therefore, entities that comply with HIPAA do not necessarily meet the PCI standards and would need a thorough assessment.

You may notice that credit card numbers and other payment forms are not specifically included in the above list of PHI identifiers, with the possible exception of the umbrella "any other unique identifying number" listed as number 18. PCI regulations, by contrast, specifically address payment methods and how they may be stored and transmitted.

Similarities between HIPAA and PCI

Although the two sets of regulations are designed for different purposes, there remains some overlap. Businesses should not mistake this overlap for automatic compliance and should examine each instance of overlap to confirm that both sets of requirements are met.

By the numbers:

  • The HIPAA privacy rule contains 281 validation points, and the security rule contains 254 validation points. Only 70 of these overlap with PCI DSS.
  • PCI DSS contains 1030 validation points. Only 316 of them overlap with HIPAA.

In the big picture, HIPAA-covered entities that also accept credit card payments under PCI DSS should treat these as two separate sets of regulations. Looking for connections and shortcuts between the two can lead to confusion and non-compliance.

FormDr specializes in HIPAA compliant electronic forms, and also understands the more detailed requirements involved in PCI compliance. Questions? Contact us today.