A common question among covered entities that we encounter time and time again is the following:
“What is the difference between PCI and HIPAA Compliance?”
This question comes up even more often when news breaks of breaches at businesses subject to PCI DSS and at HIPAA covered entities. According to the Identity Theft Resource Center's data breach report for 2013, approximately 47,260,237 records were exposed in the business category and 4,659,965 records in the medical/healthcare category.
If we assume that organizations in the business category process credit cards (and so fall under PCI DSS) and that those in the medical/healthcare category maintain protected health information (and so fall under HIPAA), the comparison becomes one of firms subject to PCI versus organizations addressing HIPAA security compliance.
HIPAA vs. PCI Compliance: Six Key Points
- Health records must be secured, exchanged and portable, while credit card numbers only need to be secured.
- Covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA standard transactions) and their business associates are required to comply with HIPAA.
- Unlike the finite, prescriptive PCI DSS requirements, HIPAA encompasses security, privacy and patient rights, safety, quality improvement, and the elimination of fraud, waste and abuse.
- HIPAA security compliance requires a documented risk analysis and risk management process, and in practice includes tracking remediation progress and running periodic vulnerability scans.
- Meaningful Use helps address the most serious threats to electronic protected health information (ePHI) in health care: theft, unauthorized access and loss.
- A health record with basic health insurance information is worth 10-20 times more than a U.S. credit card with a CVV code.
If you’re looking for further detail on PCI compliance and how it relates to HIPAA, check out our “Think PCI Can Replace HIPAA? 6 Points That Will Change Your Mind” blog post.