HIPAA Compliance and PCI Compliance (PCI vs HIPAA)
Although they overlap in several categories, being compliant with HIPAA and with PCI are two different qualifications when you’re running a website. Assuming that you’re filling the needs of both just because you’ve had the approval of compliance with one or the other can have long-term ramifications that see you in violation with their governing bodies or putting your client bases at risk for exposure or theft of information.
Any website that contains health information, but also accepts payment via credit cards, debit cards, or any other kind of payment card must be PCI compliant and HIPAA compliant. This blog will break down the similarities and differences between the two forms of compliance in order to paint a clearer picture of how to fill the requirements of both.
The Payment Card Industry Data Security Standard (PCI DSS) applies to all companies that accept or store credit card payments, cardholder data, or any authentication data. The current version of the PCI DSS has 12 requirements for compliance. Most of these fall into the “common” sense way of thinking, while HIPAA requirements are often a lot more specific and binding.
PCI and HIPAA Similarities
- Both require a data security policy that all employees must learn and adhere to at all times. PCI calls it data, HIPAA refers to it as information, but they are birds of a feather. This includes training updates as time progresses and onboarding a new employee join the workplace. Individual failures to keep data secure blowback directly to the company.
- Both compliance rule sets demand that access to data and network resources is constantly monitored. For PCI, this is specifically for cardholder data. HIPAA uses a password management system which limits access and also shows exactly who accessed what data and when it was accessed. It’s a good indicator of just how deadly serious healthcare firms take data breaches. The way the security is set up, it takes about two seconds to figure out which employee ID card was used to access something.
- PCI demands that companies manage physical access to financial and personal data. This mandate is right in line with HIPAA’s security rule regarding physical access to electronic protected health information (ePHI). Physical access itself can be a bit harder to quantify in the all-digital realm. It could mean not having access to the environment where the actual machine is kept that houses the data, or it can mean not being able to view said information on a screen, especially if it can be connected to a printer.
- PCI requires companies to identify/authenticate access to the system. Remote access to company infrastructure is a godsend to some companies, but a frightening prospect for others. When users log on from somewhere other than a protected network, they can risk exposure to hacker and cyber-criminals spying to see what sort of traffic they can intercept. HIPAA has similar terminology in place and favours two-factor authentication for its security, making systems infinitely more difficult to break into than a simple username and password combination.
- PCI requires companies to restrict access on a need-to-know basis. This is very similar to the HIPAA “minimum necessary” policy that says companies should limit releasing ePHI except for the exact purpose that each outside vendor needs. The terms are different, but the meaning is the same. Don’t allow any vendor to see any restricted data unless absolutely necessary. Some of the worst hacks in history have come as a result.
- Both PCI and HIPAA require companies to maintain a secure environment. The most obvious requests, it covers the digital component of companies as well as the physical storage of records and the way in which data is administered.
- Create unique, extensive passwords and security options. There have been significant, recorded moments in history when major companies suffered data breaches because they never set up original passwords after installing third-party security apps and not changing the default password. For both PCI and HIPAA compliance, it is an absolute must to train personnel and require changes in passwords periodically to minimize the risk of stolen material.
- Use a firewall. Think firewalls are too “plain jane” to be part of your organization’s security detail? Idaho State University disabled the firewall at the Pocatello Family Medicine Clinic for 10 months, exposing the health records of 17,500 patients back in 2011. The Office for Civil Rights levied a $400,000 fine. Firewalls catch all of the less-sophisticated attempts to enter your system and do it in a way that they can recognize similar attempts in the future and move quickly to stop them. When dealing with medical or financial information, every potential attack should be taken as serious no matter how big or small it is.
PCI and HIPAA Differences
- HIPAA compliant companies must pass an annual test on their security systems. The federal government provides a free Security Risk Assessment Tool to give companies a chance to evaluate their security before each year’s test. PCI’s definition of testing is a lot more liberal, companies are advised to test security systems and processes regularly. “Regularly” is a subjective word, but organizational suggestions include once a year, or when new hardware or technology is added to the mix.
- PCI requirements insist companies protect against malware with constantly updated antivirus kits. HIPAA compliance goes a step farther, saying organizations must counter by launching a security incident and following a precise series of response.
- Encryption of data: The PCI regulations state this must be done on “open, public networks”, but experts think a more wide-ranging policy should be in place with maximum encryption protection at all time. Indeed while HIPAA regulations say encryption should be used when “deemed appropriate”, most take this to mean any sort of out-of-network communication. Both are subject to interpretation by the companies charged with maintaining them.
- Protect stored data. For PCI, this is a very straightforward process. For HIPAA compliance, this doesn’t just mean for protection against theft, but also protection against unauthorized editing or deletion, which can be just as damaging to the individual. This goes beyond the more simple – to a degree at least – protection of cardholder data from accidental release or theft.