Why do you need to comply with PCI if you’ve already taken care of HIPAA?
Some organizations must comply with both HIPAA (the Health Insurance Portability and Accountability Act) and the PCI DSS (Payment Card Industry Data Security Standard): namely, covered entities and business associates that accept credit, debit, or other payment cards. Many of them assume that being compliant with one covers the other. It does not.
HIPAA and PCI DSS are two distinct sets of requirements, each written to protect a different type of information. HIPAA was written by the federal government to protect patient data. PCI DSS was written by the payment card industry to reduce the fraud losses that follow from stolen card data.
PCI DSS has gone through several clarifying revisions that produced the current set of requirements. Those requirements are, as a rule, very specific and narrowly focused.
See also: What are the 12 requirements of PCI DSS Compliance?
HIPAA's security regulations, by contrast, have existed for about as long but have hardly been revised. Because they were written without grounding in the specific technologies needed to secure patient data, the standards are vague: even after a close reading, it is hard to know what actually must be implemented to satisfy each requirement.
While there is some overlap between the two, it is surprisingly not as much as one might expect.
Let me give an example.
HIPAA regulations never mention the word ‘firewall’ and instead use language such as “implement technical security measures to guard against unauthorized access...” What does that mean? Experienced security personnel can connect the dots and know it most likely calls for a firewall. Covered entities, their office staff, and even their lawyers probably would not reach that conclusion on their own. PCI DSS, by contrast, devotes an entire requirement to firewalls, covering how often rule sets must be reviewed, restrictions on inbound and outbound traffic, and so on.
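To make the contrast concrete, here is an added example (not from the original article) of the kind of check that PCI's firewall requirements make testable and HIPAA's wording does not: a small script that evaluates a firewall rule set for a final deny-all rule in each direction, any/any/any allow rules, allow rules with no documented justification, and rules not reviewed within six months. The rule format, the six-month review interval, and the two sample rule sets are constructed assumptions for illustration, not a schema or data taken from PCI DSS or any real environment.

```python
"""Constructed example: checking a firewall rule set against specific,
testable controls of the kind PCI DSS Requirement 1 spells out.

Assumptions (not from the article): rules are ordered per direction, the
last rule in each direction is meant to be an explicit deny-all, and the
review interval is "at least every six months" (taken here as 183 days).
"""

from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=183)  # assumption: six-month review cycle


@dataclass
class Rule:
    rule_id: str
    direction: str        # "inbound" or "outbound"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    port: str             # port number as string, or "any"
    action: str           # "allow" or "deny"
    justification: str    # documented business need; empty if none
    last_reviewed: date


def is_any(value: str) -> bool:
    """Treat 'any' and the all-zero CIDR as wildcards."""
    return value in ("any", "0.0.0.0/0")


def check_ruleset(rules: list[Rule], today: date) -> list[str]:
    """Return a list of findings; an empty list means the set passes."""
    findings: list[str] = []

    # Each direction must end with an explicit deny-all (default deny).
    for direction in ("inbound", "outbound"):
        chain = [r for r in rules if r.direction == direction]
        last = chain[-1] if chain else None
        if last is None or not (
            last.action == "deny"
            and is_any(last.src) and is_any(last.dst) and is_any(last.port)
        ):
            findings.append(f"{direction}: no final deny-all rule")

    for r in rules:
        if r.action == "allow" and is_any(r.src) and is_any(r.dst) and is_any(r.port):
            findings.append(f"{r.rule_id}: any/any/any allow rule")
        if r.action == "allow" and not r.justification.strip():
            findings.append(f"{r.rule_id}: allow rule without documented business justification")
        if today - r.last_reviewed > REVIEW_INTERVAL:
            findings.append(f"{r.rule_id}: last reviewed {r.last_reviewed.isoformat()}, review overdue")
    return findings


# Constructed rule set with typical defects.
WEAK_RULES = [
    Rule("IN-1", "inbound", "any", "10.10.1.5", "443", "allow", "public web tier", date(2024, 4, 1)),
    Rule("IN-2", "inbound", "any", "10.10.2.20", "3389", "allow", "", date(2023, 6, 10)),
    Rule("IN-3", "inbound", "any", "any", "any", "deny", "default deny", date(2024, 4, 1)),
    Rule("OUT-1", "outbound", "any", "any", "any", "allow", "legacy", date(2024, 4, 1)),
]

# Constructed rule set with the defects corrected.
HARDENED_RULES = [
    Rule("IN-1", "inbound", "any", "10.10.1.5", "443", "allow", "public web tier", date(2024, 4, 1)),
    Rule("IN-3", "inbound", "any", "any", "any", "deny", "default deny", date(2024, 4, 1)),
    Rule("OUT-1", "outbound", "10.10.1.0/24", "10.10.3.9", "5432", "allow", "web tier to database", date(2024, 4, 1)),
    Rule("OUT-2", "outbound", "any", "any", "any", "deny", "default deny", date(2024, 4, 1)),
]


if __name__ == "__main__":
    today = date(2024, 9, 1)
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {check_ruleset(rules, today) or ['no findings']}")
```

Every finding here maps to a question an assessor can answer with evidence (a rule export, a review record, a justification field), which is what makes PCI's firewall requirement auditable in a way that "technical security measures" alone is not.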
For those who learn best by facts and statistics, here are numeric comparisons to help clarify the disparity between HIPAA and PCI.
Each requirement usually carries multiple validation points. A validation point is a specific piece of evidence needed to show that the requirement has been properly implemented: for example, interviewing management and reviewing policy documentation are two different validation points.
See also: Staying Compliant: Visa’s New Level 4 Requirements
I find that HIPAA assessors who have not performed PCI assessments typically don’t hold the overlapping HIPAA requirements to the higher, specific standards that a PCI assessor would.
If you are required to comply with both PCI DSS and HIPAA, understand that they are distinct and call for mostly different security procedures and protections. Being compliant with HIPAA does not mean your card-handling processes are secure, and vice versa.