HIPAA and PCI Compliance Are Not Interchangeable
March 7th, 2013 By: Industry Perspectives
Mike Klein is president and COO of Online Tech, which provides colocation, managed servers and private cloud services. He follows the health care IT industry closely, and you can find more resources at www.onlinetech.com/compliant-hosting/overview.
When thinking about compliance, many companies assume PCI DSS is interchangeable with HIPAA, or at least that the gap between the two is small. This ignores the fact that HIPAA and PCI DSS compliance protect different types of information, with different audit guidelines, safeguard requirements, and consequences for non-compliance or breaches.
Origins and Audits
HIPAA compliance is monitored by the Department of Health and Human Services (HHS), and the audit is based on OCR (Office for Civil Rights) protocols that are continuously updated and enforced. These are governmental entities, not private companies. KPMG was selected as HHS’ auditor of choice, so investigation of compliance with the Security and Privacy Rules comes backed by the fully informed and funded auditing power of a well-respected auditing powerhouse.
Conversely, PCI compliance is defined by the PCI SSC (Payment Card Industry Security Standards Council). This council is a collaboration including Visa, Mastercard, American Express, Discover, and JCB (Japan Credit Bureau), with these companies having a vested interest in keeping consumer data safe.
Consequences of Non-Compliance
The cost of a breach is also very different between HIPAA and PCI compliance. HIPAA is a US federal law. There are criminal and civil penalties associated with a breach, as well as fines. This means that in addition to stiff financial consequences, willfully negligent stakeholders can go to jail for non-compliance. If a breach occurs, healthcare providers are required to post public press releases in traditional media outlets to inform patients of the potential threat to their information. This damage to the image and credibility of an institution can have long-lasting impacts.
With PCI compliance, there are contractually agreed-upon fines, but no criminal charges. You aren’t going to see anyone going to jail for not being PCI compliant. This isn’t to say that PCI costs aren’t serious. A PCI breach could cost anywhere from thousands to millions in fines to the credit card companies, and could result in the loss of card processing privileges, which severely impacts business cash flow. Of course, there is also always a threat to a company’s reputation that might discourage current or future buyers.
When you peel back the curtain on HIPAA and PCI requirements, they look very different. HIPAA is very focused on policies, training, and processes. It’s more subjective and broad in application, caring about how a company handles breach notification, whether an organization insists on BAAs (Business Associate Agreements) with its vendors, or whether the cloud provider associated with a company has conducted a thorough risk assessment against all administrative, physical, and technical safeguards. On this last point, the final HIPAA Privacy and Security Rules recently published by HHS clarified that data center and cloud providers are, in fact, considered Business Associates that must be HIPAA compliant if there is Protected Health Information (PHI) in their data centers or on their servers. HIPAA doesn’t precisely describe technical specifications or methods to achieve compliance. Each Covered Entity and Business Associate is expected to complete a risk assessment and a management plan for addressing each of the HIPAA safeguards.
The Business Associate Agreement is unique to HIPAA, and extends the ‘chain-of-trust’ and liabilities for protecting PHI from the Covered Entities (healthcare providers), throughout its network of supporting vendors. Any company that stores, processes, or accesses patient health information is automatically considered a Business Associate. As such, they will be held to the full legal liability to keep PHI safe. Turning a blind eye only makes the penalties steeper.
By comparison, PCI DSS requirements are much more prescriptive. The technical requirements are more detailed, explicitly outlining the necessity for processes like daily log review and encryption across open, public networks, while processes around training and policies are not as prevalent. PCI DSS has no equivalent of a Business Associate Agreement required between a company that needs to be PCI DSS compliant and its vendors.
Do HIPAA and PCI Compliance Overlap?
Well, yes and no. The technical PCI requirements can set up a nice framework that could work as a prescriptive guide for some of HIPAA’s technical safeguard requirements. However, the foundation of HIPAA compliance is a documented risk assessment and management plan against the entire Security Rule. PCI does not share this cornerstone as the basis for meeting compliance.
The bottom line is that passing a PCI audit does not mean you’re HIPAA compliant, or that KPMG is going to care about PCI when it comes to an evaluation of due diligence to meet HIPAA compliance.
The reverse is also true. Passing an independent audit against the HIPAA Security and Privacy Rules does not imply PCI compliance either. Even with overlap, they’re still separate and should be treated as such. The best course when looking at hosting providers is to request an audit report, read the details, and confirm that HIPAA compliance is based on the OCR Audit Protocols and PCI compliance is based on the PCI DSS. This ensures not only that the business understands the difference between each compliance regime (if both are necessary), but also that the company has truly been diligent in keeping your data safe. After all, compliance is not a checkmark; it’s a culture.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.
Ameila, posted May 7th, 2013
Thanks for the comparison between the two. Both are equally important in keeping the information safe and secure. Good training for both is essential in being able to accomplish this. The people who trust us with information are depending on us to keep any information secure.
Ken Withey, posted May 23rd, 2013
Mr. Klein is incorrect about PCI DSS not having any legal repercussions, fines or penalties similar to HIPAA. Actually, the HITECH Act gives HIPAA legal and financial Federal consequence, not HIPAA itself. PCI DSS is a private banking industry standard that has been adopted by most states as the standard by which network owners can protect themselves, and proving PCI compliance gives “safe harbor” from prosecution for data compromise and breach. Three states that I am aware of adopted the PCI DSS standard prior to the date of this article.
Good article, although less helpful than I hoped. I think the two frameworks are much closer than he indicated. Because PCI is so much more organized and detailed, HIPAA is much easier to comply with if you have PCI, which is based upon hundreds of detailed controls. The same is true with NIST, which many seem to base their controls on. The main difference I see between HIPAA and PCI is more emphasis on penalties and even jail time, as well as encryption and privacy issues.