PCI vs. HIPAA Compliance

A common question among covered entities that we encounter time and time again is, “What is the difference between PCI and HIPAA Compliance?”

This question becomes even more frequent when news breaks of breaches in businesses that are PCI-compliant and HIPAA covered entities. According to a recent Identity Theft Resource Center data breach report for 2013, there were approximately 47,260,237 breaches for the business category (PCI) and 4,659,965 breaches for the medical/healthcare category.

data breach chart

Assuming the business category processes credit cards and the medical/healthcare category maintains protected health information, we have a case of PCI-compliant firms vs. organizations addressing HIPAA security compliance.

HIPAA vs. PCI Compliance: Six Key Points

  1. Health records are to be secured, exchanged and portable ,while credit card numbers are to be secured.
  2. Covered entities and their business associates (receiving any government reimbursements for healthcare treatment, payment or operations) are required to comply with HIPAA.
  3. Unlike finite PCI requirements, HIPAA encompasses security, privacy and rights, safety, quality improvement and eliminating fraud, waste and abuse.
  4. HIPAA security compliance may include risk analysis, remediation progress and periodic vulnerability scans.
  5. Meaningful Use helps address the most serious health care threats to electronic personal health information: theft, unauthorized access and loss.
  6. A health record with basic health insurance information is worth 10-20 times more than a U.S. credit card with a CVV code.

If you’re looking for further detail on PCI compliance and how it relates to HIPAA, check out our “Think PCI Can Replace HIPAA? 6 Points That Will Change Your Mind” blog post.