PCI Compliance Versus HIPAA Compliance In Healthcare
Maintaining PCI compliance and HIPAA compliance can help healthcare organizations protect all forms of patient data, from medical information to credit card numbers.
The Payment Card Industry Data Security Standard (PCI DSS) and HIPAA both protect data in different domains. Just as HIPAA safeguards protected health information (PHI), PCI standards aim to protect credit card data. Since healthcare entities typically handle both PHI and financial data, they are responsible for both PCI compliance and HIPAA compliance.
To John Talaga, EVP of healthcare at Flywire, and David King, Flywire’s CTO, PCI standards and HIPAA intersect due to their shared interest in protecting sensitive data. The combination of healthcare data and credit card data create a target-rich environment that draws in cybercriminals.
While most healthcare professionals are well-versed in HIPAA, there are some common misconceptions about the role of PCI standards and who is responsible for maintaining compliance.
“PCI is really about people, process, and technology,” King reasoned.
What are PCI standards, who is responsible for complying?
PCI standards were created to protect credit card data from fraud and misuse. The standards apply to any merchant that stores, processes, or transmits cardholder data. More often than not, healthcare organizations process payments and are subject to these standards.
In 2006, American Express, JCB International, MasterCard, Visa, and Discover collaborated to form the PCI Security Standards Council (PCI SSC) with the goal of evolving and overseeing a set of unified credit card security standards.
PCI SSC describes itself as a “global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.”
Each of the founding organizations implemented PCI standards as a technical requirement in their respective data security compliance programs. PCI SSC is responsible for maintaining and managing the security standards, while the founding member entities are responsible for enforcing the standards, PCI SSC’s website explains.
The standards go beyond just regulating how organizations transmit card data, King said.
“It’s about how you secure your networks, and it’s about processing. If someone writes a credit card number on a post-it note, that note gets classified as credit card storage,” King explained.
“You have to have the appropriate procedures in place to destroy that post-it note so that the credit card number doesn’t get around.”
PCI standards involve very specific measures that organizations must follow in order to be in compliance. For example, organizations are required to install and maintain a firewall configuration, encrypt the transmission of cardholder data across public networks, and regularly update anti-virus software to protect against malware, according to the official PCI DSS text.
A common misconception is that IT teams are responsible for ensuring that PCI standards are met, King noted. While the IT teams may be implementing safeguards from a technical perspective, the compliance responsibilities actually fall on the departments responsible for signing merchant agreements with processors and bank owners.
Where do PCI standards and HIPAA intersect?
Just as PCI standards protect card data, HIPAA safeguards protected health information (PHI). The two are different in many ways, but they are bound by their common enemy – cybercriminals.
Both financial data and health data are prime targets for cyberattacks. According to SecureLink, one healthcare data record may be worth up to $250 on the black market. The next highest-value record is payment card data, which has a black-market value of around $5.40 per record.
“If you have someone’s medical information, name, email address, physical address, and SSN, and then you couple that with payment data, you can become whoever you want,” King said, referring to the risks of identity theft and fraud that come along with data breaches.
Both kinds of data must be adequately protected by employing similar technical and administrative safeguards such as employee cybersecurity training or data encryption. Some key differences set PCI standards apart from HIPAA, despite their shared intent to safeguard sensitive data.
Key differences between PCI standards, HIPAA
Naturally, there are some glaring differences between PCI standards and HIPAA. PCI standards are a private sector initiative, while HIPAA is managed by the government. PCI standards can be adopted globally, while HIPAA only applies to US entities.
Under HIPAA, health records not only have to be secure, but they also have to be exchangeable and portable so that providers and patients can access and transmit certain data. Health data can be presented via different mediums, while card data is typically a set of numbers. The penalties also differ greatly.
“If you get caught in non-compliance, the penalties can vary, but basically you can be being fined upwards of $500,000 per month. Typically, each card association will be fining you some amount, and there are four or five card associations,” King noted.
“If there was a breach as a byproduct of the non-compliance, you are responsible for paying for all of the reissuance of the credit cards and covering all fraudulent charges that come along with it. So really a breach could amount to millions and millions of dollars for an organization.”
Similarly, data breaches can cost healthcare organizations millions in fines. It is important to note that HIPAA encompasses a wider scope than PCI standards. HIPAA also focuses on patient right of access issues and privacy, therefore HIPAA non-compliance can mean many things, not just a security violation.
Many HIPAA enforcement actions entail fines along with corrective action plans to ensure that healthcare organizations cannot further jeopardize patient health data.
HIPAA and PCI standards also differ greatly in terms of the language used to describe the requirements. For example, HIPAA requires covered entities to “implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits.”
Meanwhile, PCI standards get extremely specific with what kind of safeguards organizations must put in place to remain compliant. For example, the standards explicitly tell organizations to “install and maintain a firewall configuration to protect cardholder data,” and “protect all systems against malware and regularly update anti-virus software or programs.”
Because of the nuanced nature of health information, HIPAA provides a bit more flexibility in terms of how covered entities can achieve compliance in a way that works for each organization.
Tips for maintaining HIPAA, PCI compliance
Of the hundreds of validation points for each rule, very few HIPAA standards overlap with PCI standards and vice versa. While both are aimed at protecting sensitive data, the means of achieving compliance for each are quite different.
Achieving HIPAA compliance does not mean that PCI compliance is a given. The two share some similar validation points, but the specificity of each limits the compliance overlap.
To maintain HIPAA compliance, the Office of the National Coordinator for Health Information Technology (ONC), Office for Civil Rights (OCR), along with other HHS agencies created numerous resources and guides for covered entities.
Healthcare organizations should conduct regular security risk analyses, conduct employee training, and enact technical safeguards to prevent unauthorized access to PHI.
Organizations should also develop an incident response plan, conduct third-party risk assessments, and enter into business associate agreements (BAAs) with third-party vendors, as required by HIPAA.
To maintain PCI compliance, Talaga emphasized the importance of cross-enterprise communication to ensure that all the card data being across an organization’s network is accounted for.
“From a hospital and health system perspective, there so many different systems that they're using, and a lot of them will take payments. They are really decentralized in terms of how they buy,” Talaga explained.
The revenue cycle team may be processing payments, but so is the hospital gift shop. All of these functions need to maintain PCI compliance in order for the organization as a whole to remain compliant.
“Coordination within large health systems needs be effective to ensure that all the card data that's transmitting across your network is being tracked,” Talaga emphasized.
Enacting certain technical and administrative safeguards can help to maintain a baseline level of card security across the organization.
“Make sure that you're deploying a point-to-point encryption device that encrypts the credit card as it's immediately captured,” King recommended.
The PCI SSC has its own standards for validating point-to-point encryption technology. The PCI Point-to-Point Encryption (P2PE) Standard ensures that merchants using that technology meet certain expectations set by PCI standards.
“If you are taking a credit card payment in person, you should be deploying a point-to-point encrypted device. If not, you are increasing your risk as an organization,” King asserted.
Maintaining both PCI and HIPAA compliance can be difficult, but both are crucial to protecting patients’ sensitive data from threat actors.