HIPAA and PCI: Variations on Data Security

HIPAA and PCI: Variations on Data Security

Posted on 05.24.2016 by Laurie Nelson under Compliance

It’s easy to assume that compliance with HIPAA (Health Insurance Portability and Accountability Act) also means compliance with the PCI DSS (Payment Card Industry Data Security Standard) standards. For data security personnel, however, assuming the two are the same without understanding their distinct specificities could mean the loss of client data, fines and jail time. People who work with elements of each will find it’s an easier task if they have a strong comprehension of the systems’ separate origins and how they work together and apart.

Why Data Security?

Controlling digital access to commercial data banks is a critical component of both plans for two primary reasons:

  • Theft of digital information is easier to accomplish because thieves don’t need physical proximity to get it. Data banks can be hacked from anywhere in the world, making them much more vulnerable to security breaches than brick-and-mortar vaults and safes.
  • Stealing digital data can be done with much more stealth than necessary for taking actual documents. Duplication of digital data can happen with no paper trail or residual evidence and, even worse, no disruption of service. Often, the theft is discovered only after the thieves have rifled the accounts of unsuspecting consumers.

Why Two Sets of Standards?

Both HIPAA and PCI control access to digital data. However, each security standard protects different classes of information. HIPAA was developed to protect private health information held by thousands of American health-care entities on behalf of millions of their patients and customers. A U.S. federal law, the rules were established by government policy and are overseen by the Office of Civil Rights and the Department of Health and Human Services. An audit of corporate records by KPMG, the government’s selected HIPAA auditor, confirms compliance with HIPAA.

Conversely, a global group of commercial financial-services vendors (including Visa, MasterCard, American Express, Discover and JCB International) established the PCI DSS to protect their customers’ private financial information. Any vendor that elects to accept their cards and financial processing systems agrees contractually to comply with the technical security requirements. These rules affect millions of merchants around the world, not just those in America. The PCI Security Standards Council oversees standards activities and sets and reviews the technical requirements that demonstrate compliance. Noncompliance can result in fines and loss of processing privileges.

How Do the Rules Differ?

Variable Versus Fixed Processes

HIPAA requires that each enterprise handling protected health information (PHI) must establish a risk assessment and management plan that details how it secures its customers’ PHI. The entity is given authority to select and design the systems and technology it will use to accomplish that plan. HIPAA rules also apply to entities associated with the health-care provider (Business Associates) if those entities have access to PHI data.

On the other hand, the PCI DSS set out precise definitions and explicit technical requirements that every merchant using the technology must follow when managing consumer financial transactions.

Extent of Regulation

PCI specifies much more data security detail. Together, HIPAA’s three data-oversight processes — security, breach and privacy — contain 157 requirements and 535 validation points. The single set of PCI 2.0 standards contains 292 requirements with 1,030 validation points.

Overlap

Because each system measures different capacities, the requirements are decidedly distinct from each other. PCI standards cover none of HIPAA’s breach or privacy requirements. Entities that rely solely on PCI standards to comply with HIPAA standards are open to sanctions. For security requirements, PCI covers only 70 of HIPAA’s 254 validation points, and HIPAA covers only 316 of PCI’s 1,030 validation points.

Consequences of Noncompliance

Failing a HIPAA audit has much more severe consequences than failing a PCI review. Because it is a federal law, HIPAA is enforceable by law enforcement agencies, and breaches can carry both criminal and civil penalties, including prison time and fines.

For compliance issues, PCI personnel assess corporate digital security processes to ensure they are in compliance with the PCI technical standards. Members can impose penalties or fines when merchants using their cards are in breach. For example, Visa responded to 2015’s many large commercial data breaches by tightening controls on its affiliated dealers. If assessed as noncompliant, vendors that accept Visa cards can be fined as much as US$50,000 for their first offense, and as much as $200,000 for their third or subsequent offenses. Removal from Visa’s Global Registry of Services Providers is also a punitive option.

Where Do They Merge?

Companies that have access to both PHI and financial data are required to be in compliance with both sets of digital security rules simultaneously. Large corporations are not allowed to delegate their liability for breaches to their financial services subcontractors. However, HIPAA applies only to entities that are under the jurisdiction of the laws of the United States, regardless of their global location. PCI rules apply anywhere in the world payment cards are accepted and to every merchant that elects to accept them. Therefore, both sets of rules apply within the United States.

Regarding individual industries, not all companies that accept payment cards for services offer or provide health-care services. These companies must comply with PCI standards if they choose to accept PCI cards for payment. They are not subject to HIPAA regulations.

These days, compromised data can ruin the lives of consumers, suppliers, providers and everyone in-between. Together HIPAA and PCI provide safeguards to keep the losses caused by digital breaches of health-care and financial information to a minimum.