PCI DSS in Healthcare: HIPAA Compliance Isn’t Enough to Protect Patients
Steven Minsky | April 8, 2014
The healthcare industry has grappled with HIPAA for nearly 20 years. The ever-changing, extensive piece of legislation mandates the protection and security of patients’ private health information, and HIPAA compliance is a costly and time-consuming process for healthcare organizations.
With the amount of focus and effort directed towards HIPAA compliance, risk and compliance professionals at healthcare organizations can rest assured their patients’ data is protected from hackers and data theft, right?
Simply put, no.
HIPAA only requires the security of a patient’s health information. When it comes to protecting financial data, like a patient’s credit card and debit card information, HIPAA comes up short. To combat this, healthcare companies have begun adhering to a different set of requirements, set forth in the Payment Card Industry Data Security Standard (PCI DSS).
HIPAA vs PCI
HIPAA, as a U.S. federal law monitored by Health and Human Services, has heavy criminal and civil penalties associated with its noncompliance. PCI DSS compliance, conversely, isn’t a legal requirement. Companies like Visa, Mastercard, and Discover, among others, comprise the Security Standards Council, which created the PCI DSS framework to strengthen the protection of their customers’ data. All PCI compliance issues are handled by the council. Because the council is not a regulatory body, noncompliance with PCI DSS will not result in direct criminal charges. The council is, however, able to hand down contractually agreed-upon fines, which can become significant in instances of data breaches or theft.
Now, here is the scary part. A 2012 study found that “the healthcare industry as a whole is sorely lagging in compliance with PCI DSS” due to the common misconception that “by simply meeting HIPAA requirements, a healthcare provider is also complying with PCI DSS.”
Meeting HIPAA’s requirements is not indicative of PCI DSS compliance, and vice versa. As the industry catches on, healthcare providers can benefit from an Enterprise Risk Management framework allowing them to address both PCI and HIPAA standards, reduce rework due to overlap, and most importantly protect patient data.
A Risk-Based Approach to PCI Compliance
In the world of healthcare, if an organization accepts credit or debit payments from patients (think pharmacy, patient co-payments, gift shops, etc.) the requirements of PCI DSS apply. There are several roads that an organization can take to arrive at PCI compliance. Employing a risk-based approach, focused on enterprise-wide risk aggregation and mitigation, is the most effective means to this end.
Through the employment of a risk-based approach, healthcare companies are able to efficiently comply with a variety of regulations and standards, including HIPAA, SOX, and PCI DSS, by creating distinct relationships between disparate regulations, a common root cause risk, and the various controls and activities within their organization. Addressing each of these regulations separately leads to a duplication of effort, organizational inefficiencies, and eventually compliance fatigue. Linking them together under a risk-based approach, however, moves an organization from a mindset of chasing compliance to one of constant security and control.
Healthcare companies are among the most heavily regulated enterprises in the world, and any inefficiency in compliance is detrimental to business operations. By adopting a risk-based approach, an organization can move past a dangerous ‘check-the-box’ mentality and adopt a culture of true information security and protection, working toward both PCI DSS and HIPAA compliance.
Reference: PCI Compliance in the Healthcare Industry. Vantiv. March 2012. http://proddownloads.vertmarkets.com.s3.amazonaws.com/download/2b68b9e3/2b68b9e3-096a-40fd-9451-a18000ac2992/original/march_2012_pci_compliance_in_the_healthcare_industry.pdf