Organizations operating in certain industries are expected to comply with
regulatory standards regarding how they handle specific types of data elements. In
the U.S., businesses in the healthcare sector are subject to HIPAA guidelines.
Companies in any industry that process credit card payments must comply with
PCI-DSS.
We are going to compare these two common regulatory frameworks and look at
their similarities and differences.
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act
of 1996. It is a federal law passed by Congress in the United States that is designed
to protect the privacy and security of protected health information (PHI). The law
comprises three main rules. We will primarily be concerned with the details
of the HIPAA Security Rule, as it provides the framework for building a
compliant IT environment.
• HIPAA Privacy Rule – This rule sets the standards by which individuals’
medical records and protected health information (PHI) are safeguarded. The
rule defines limits on how this data can be used and requires organizations to
protect patients’ privacy. The Privacy Rule also gives patients rights regarding
viewing and verifying their medical records.
• HIPAA Security Rule – This rule focuses on electronic protected health
information (ePHI). It defines safeguards that must be implemented to protect
the security of the ePHI that a company stores and processes electronically. We
will look at this rule in more depth shortly.
• HIPAA Breach Notification Rule – This rule outlines the conditions that
require an organization to provide notification of a breach that involves PHI or
ePHI. Covered entities must notify the individuals affected by the breach, the
Secretary of Health and Human Services, and, sometimes, the media.
The HIPAA Security Rule
The HIPAA Security Rule only applies to ePHI. It applies to healthcare providers,
health plans and other covered entities, and to the business associates that process, store, and
transmit ePHI. The Security Rule defines the following steps that need to be taken
to protect ePHI. All covered entities and business associates are required to:
• Ensure the confidentiality, integrity, and availability of ePHI;
• Identify and protect the environment from threats to the security of ePHI;
• Protect against the unauthorized use or disclosure of ePHI;
• Ensure their workforce complies with all HIPAA regulations.
Administrative, physical, and technical safeguards are defined in the Security Rule.
These safeguards must be implemented when designing a computing environment
that is HIPAA compliant.
HIPAA Security Rule Safeguards
The following is a breakdown of the three types of safeguards mandated by HIPAA.
Administrative safeguards require:
• Developing a process that identifies risks to ePHI and implementing measures to
mitigate them;
• Designating a person who is responsible for developing and implementing ePHI
security;
• Defining role-based policies that limit access to ePHI;
• Performing scheduled assessments of the infrastructure to evaluate security
measures and modify them if necessary;
• Providing security training for all employees and contractors who work with
ePHI.
Physical safeguards include:
• Limiting physical access to devices that contain ePHI to only authorized users;
• Implementing policies that specify how devices and media containing ePHI are
handled and destroyed.
Technical safeguards require:
• Implementing controls that limit access to ePHI to authorized personnel;
• Developing audit controls that record who accesses ePHI, confirm that only
authorized personnel do so, and identify unauthorized access attempts;
• Ensuring secure transmission of ePHI with technical measures such as
encryption;
• Defining integrity controls to ensure ePHI is not modified or destroyed.
What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) is a security
standard established in 2004 by Visa, MasterCard, Discover Financial Services,
JCB International, and American Express. It is not a law but rather a set of twelve
requirements enforced by the payment card industry. The twelve requirements are:
• Install and maintain a firewall to protect cardholder data from unauthorized
access. The firewall rules must be reviewed twice a year and updated to address traffic
changes.
• Change all vendor-supplied default passwords for every piece of hardware and
software in the regulated environment.
• Protect stored cardholder data by encrypting it and only retaining it as long as it
is needed, purging obsolete data at least quarterly.
• Encrypt cardholder data whenever it is transmitted across public networks.
• Deploy and regularly update antivirus programs on all machines that access
cardholder data.
• Develop and maintain secure systems and applications and update them with
security patches.
• Restrict access to cardholder data on a need-to-know basis. Only users who need
the data to do their jobs should be authorized to access it.
• Assign a unique ID to everyone with computer access for tracking and
monitoring access to cardholder data.
• Restrict physical access to cardholder data systems with monitoring and
logging procedures.
• Monitor and track all access to regulated network resources and cardholder data
to create an audit trail to demonstrate compliance.
• Test security systems and processes regularly, including performing quarterly
vulnerability scans.
• Develop and maintain an information security policy for all personnel.
Similarities Between HIPAA and PCI-DSS
There are many similarities between these two sets of regulatory standards. The
similarities include:
• Enforcing fines and penalties for organizations that do not comply with the
regulations;
• Limiting physical access to systems containing regulated data;
• Encrypting regulated data when transmitting it over open or public networks;
• Implementing measures that limit access to regulated data to authorized
personnel;
• Monitoring the use of systems storing regulated data to create an audit trail;
• Performing scheduled assessments of the IT environment to address any new
vulnerabilities.
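The access-limiting, unique-ID, audit-trail and integrity controls listed above (the HIPAA technical safeguards and the PCI-DSS need-to-know, unique-ID and monitoring requirements) tend to be implemented with one common pattern. The following Python is an added illustration of that pattern and is not code from the article or from either standard: the roles, permission policy, records and integrity key are all constructed for the example, and the key is a placeholder standing in for a secret held in a key-management system.

```python
"""Added example (not from the article): role-based access limited to
need-to-know, an audit trail keyed by a unique user ID that records denied
attempts as well as allowed ones, and an HMAC integrity check that detects
modified records. Roles, records and key are constructed for this example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed policy: which regulated data classes each role may read.
ROLE_PERMISSIONS = {
    "clinician": {"ePHI"},
    "billing": {"ePHI", "cardholder"},
    "helpdesk": set(),
}

# Assumption: placeholder for a key held in a secrets manager, never hard-coded.
INTEGRITY_KEY = b"constructed-placeholder-key"


class IntegrityError(Exception):
    """Raised when a stored record no longer matches its integrity seal."""


def seal(record: dict) -> str:
    """Integrity control: HMAC-SHA256 over the canonical JSON form of a record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


@dataclass
class RegulatedStore:
    # record_id -> (data_class, record, seal computed when the record was stored)
    records: dict = field(default_factory=dict)
    # Append-only audit trail; every access attempt lands here.
    audit_log: list = field(default_factory=list)

    def add(self, record_id: str, data_class: str, record: dict) -> None:
        self.records[record_id] = (data_class, record, seal(record))

    def _audit(self, user_id: str, role: str, record_id: str, outcome: str) -> None:
        self.audit_log.append(
            {"user_id": user_id, "role": role, "record_id": record_id, "outcome": outcome}
        )

    def read(self, user_id: str, role: str, record_id: str) -> dict:
        """Access control plus audit: the unique user ID is logged on every attempt."""
        entry = self.records.get(record_id)
        if entry is None:
            self._audit(user_id, role, record_id, "denied:no-such-record")
            raise PermissionError(f"{user_id}: no access to {record_id}")
        data_class, record, stored_seal = entry
        if data_class not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user_id, role, record_id, "denied:role")
            raise PermissionError(f"{user_id} ({role}) may not read {data_class}")
        if not hmac.compare_digest(stored_seal, seal(record)):
            # Record was altered after it was sealed; refuse to serve it.
            self._audit(user_id, role, record_id, "denied:integrity")
            raise IntegrityError(f"{record_id} failed integrity check")
        self._audit(user_id, role, record_id, "allowed")
        return record

    def unauthorized_attempts(self) -> list:
        """The entries an auditor would review first: every denied access."""
        return [e for e in self.audit_log if e["outcome"].startswith("denied")]


def build_sample_store() -> RegulatedStore:
    """Constructed sample data: one patient record and one cardholder record."""
    store = RegulatedStore()
    store.add("pt-1", "ePHI", {"patient": "A. Example", "diagnosis": "J06.9"})
    store.add("card-1", "cardholder", {"pan_last4": "4242", "exp": "12/29"})
    return store


def demo() -> dict:
    """Exercise allowed, denied and tampered reads; returns the outcomes and counts."""
    store = build_sample_store()
    outcomes = []
    attempts = [
        ("u-1001", "clinician", "pt-1"),    # allowed: clinicians may read ePHI
        ("u-1001", "clinician", "card-1"),  # denied: no need to know card data
        ("u-3003", "helpdesk", "pt-1"),     # denied: helpdesk may read nothing
    ]
    for user_id, role, record_id in attempts:
        try:
            store.read(user_id, role, record_id)
            outcomes.append("allowed")
        except PermissionError:
            outcomes.append("denied")
    # Simulate an out-of-band modification of the stored patient record.
    store.records["pt-1"][1]["diagnosis"] = "Z00.0"
    try:
        store.read("u-2002", "billing", "pt-1")
        outcomes.append("allowed")
    except IntegrityError:
        outcomes.append("integrity-failure")
    return {
        "outcomes": outcomes,
        "denied_entries": len(store.unauthorized_attempts()),
        "audit_entries": len(store.audit_log),
    }
```

Running `demo()` shows the three behaviours an assessor looks for: the clinician reads the patient record, the two need-to-know violations are refused and still appear in the audit log under the callers' unique IDs, and the tampered record is refused because its HMAC no longer matches. In a real deployment the audit log would be written to append-only storage outside the application's own control and the key would come from a key-management service.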
Differences Between HIPAA and PCI-DSS
There are also some significant differences between HIPAA and PCI-DSS. One
substantial difference is in the way PCI and HIPAA define the protective measures
that must be taken to protect regulated data. HIPAA provides for more flexibility
in the way an organization protects ePHI. For instance, PCI-DSS mandates a
firewall be used to protect network resources. HIPAA requires systems to be
protected but does not specify how this should be accomplished.
Another difference is in how the severity of fines and penalties is determined
when organizations are not compliant with the regulations.
HIPAA
• Tier 1: A violation that the covered entity was unaware of and could not
have realistically avoided;
• Tier 2: A violation that the covered entity should have been aware of but
could not have avoided even with a reasonable amount of care;
• Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA
Rules where an attempt has been made to correct the violation;
• Tier 4: A violation of HIPAA Rules constituting willful neglect where no
attempt has been made to correct the violation within 30 days.
Fines for noncompliance are levied according to these tiers:
• Tier 1: Minimum fine of $100 per violation up to $50,000
• Tier 2: Minimum fine of $1,000 per violation up to $50,000
• Tier 3: Minimum fine of $10,000 per violation up to $50,000
• Tier 4: Minimum fine of $50,000 per violation
PCI-DSS
Fines for non-compliance with PCI-DSS range from $5,000 to $100,000 per month
based on the size of the company and the scope and duration of the violations. Four
merchant levels are defined based on the quantity of Visa transactions over 12
months. The levels determine the amount of assessment and security validation an
entity must perform to maintain PCI-DSS compliance.
• Level 1 applies to merchants processing over six million Visa transactions per
year using any credit card acceptance method.
• Level 2 denotes merchants processing between one and six million Visa
transactions per year using any credit card acceptance method.
• Level 3 is for merchants processing between 20,000 and one million Visa
e-commerce transactions per year.
• Level 4 applies to merchants processing less than 20,000 e-commerce Visa
transactions and entities processing up to one million Visa transactions of any
kind.
Can an IT Infrastructure Comply With Both Sets of Regulations?
Yes, it can. Many organizations must comply with HIPAA and PCI-DSS.
Businesses operating in the healthcare sector that also process credit card payments
need to ensure that patient data and cardholder data are kept secure by complying
with both sets of regulations. In many cases, the processes and procedures
implemented to protect one type of data will be sufficient to protect both ePHI and
cardholder information.
Companies subject to these regulatory standards can implement a compliant
infrastructure themselves or work with experienced third-party providers who can
ensure compliance. However they go about it, compliance is important to avoid
potentially heavy fines and the reputational damage that accompanies
non-compliance.