PCI and HIPAA Compliance: What Healthcare Businesses Need to Know About Credit Card Processing
While every business must take the privacy and security of the customer information it handles seriously, those operating in healthcare have additional obligations to meet in order to protect their patients' information and remain compliant.
As a credit card processor, Stax frequently receives questions from healthcare providers about HIPAA compliance. The U.S. Department of Health and Human Services has stated that credit card processing does not fall within the scope of HIPAA because only card payment information, not health record information, is stored.
Two frameworks come into play here: the Health Insurance Portability and Accountability Act of 1996, better known by its acronym, HIPAA, and the Payment Card Industry Data Security Standard (PCI DSS), a standard set forth by the PCI Security Standards Council.
Credit Card Processing Exemption
The HIPAA exemption for credit card processing applies only to the payment processing itself. Stax merchant services must therefore not be used by healthcare professionals to store health information, for example by entering medical procedure details in invoice line items or in the comment fields of transactions. A line item or memo that names a treatment alongside the patient's name and card is protected health information, not payment data, and storing it there would violate the Stax Terms of Service. Because its credit card processing services are exempt from HIPAA, Stax does not sign Business Associate Agreements, as it does not store, process, or transmit electronic protected health information (ePHI).
What is HIPAA Compliance?
HIPAA is a federal law passed in 1996 that required the creation of nationwide standards to protect sensitive patient health information from disclosure without the patient's consent or knowledge. From it, two rules were implemented: the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule addresses the use and disclosure of protected health information (PHI). The Security Rule protects a subset of that information: individually identifiable health information that a covered entity creates, receives, maintains, or transmits in electronic form, known as electronic PHI (ePHI).
The Privacy Rule includes standards for informing individuals of their rights over how their information is used and shared. Its intention is to strike a balance between protecting the privacy of those seeking care and allowing information to be shared between healthcare providers.
These rules apply to covered entities and to their business associates. As outlined by the CDC, they include:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
- Business associates (vendors that create, receive, maintain, or transmit PHI on a covered entity's behalf, bound to the same rules through a Business Associate Agreement)
Additionally, the CDC website states that in order to comply with the HIPAA Security Rule, covered entities must do the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they create, receive, maintain, or transmit
- Identify and protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated impermissible uses or disclosures
- Ensure compliance by their workforce
What is PCI DSS Compliance?
The PCI Security Standards Council (PCI SSC) is a global forum of payment industry stakeholders with the mission, “to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.”
The PCI SSC was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa, and each founding member shares equally in the ownership, governance, and execution of the organization’s work.
The PCI SSC maintains several standards that work together to protect cardholder data and prevent fraud. The main ones are:
- PCI Data Security Standard (PCI DSS), which sets technical and operational requirements for any organization that stores, processes, or transmits cardholder data. It covers building and maintaining a secure network, protecting account data, maintaining a vulnerability management program, implementing strong access controls, regularly monitoring and testing networks, and maintaining an information security policy.
- PCI PIN Transaction Security (PTS) requirements, which protect customers' PINs at the point of interaction. Manufacturers of PIN-entry devices and other payment terminals must design and produce them to these requirements, and merchants should deploy only PTS-approved devices.
- Payment Application Data Security Standard (PA-DSS), which applied to software vendors and other companies that develop payment applications used to process, transmit, or store cardholder data. PA-DSS was retired in October 2022 and replaced by the PCI Software Security Framework.
- Point-to-Point Encryption (P2PE), which defines how a validated solution must encrypt cardholder data from the moment it is read by the payment terminal until it reaches the solution provider's decryption environment, making the data unreadable to an attacker or other unauthorized party in between. Using a validated P2PE solution also reduces the merchant's PCI DSS scope, since the merchant's own systems never see clear-text card data.
Adhering to the PCI standards allows businesses to securely process payments and protect customer cardholder data. Maintaining HIPAA compliance is fundamental for any healthcare business to protect patients' PHI. In the healthcare industry, both PCI DSS and HIPAA are necessary to protect the business and the patient.
HIPAA and PCI DSS Compliance Comparison
Maintaining HIPAA and PCI DSS compliance is critical, as non-compliance can have devastating consequences for the business, but more importantly, for the patient.
The most recent report available reveals that a medical record is valued at up to $250 on the black market, while a payment card, the second most valuable record type, averages only $2.50. Because healthcare providers handle both, they hold some of the most sensitive information there is and are prime targets for cyberattacks.
Below, we outline the differences between HIPAA and PCI DSS compliance and how healthcare businesses can stay in compliance with both.
| | HIPAA | PCI DSS |
|---|---|---|
| Who oversees compliance? | Office for Civil Rights (OCR), a government agency | PCI SSC, a private-sector body |
| What information do they protect? | Medical records and patient information | Cardholder data |
| Implementation | Leaves room for interpretation | Highly prescriptive requirements |
Now that we’ve outlined what HIPAA and PCI DSS compliance encompass, let’s discuss the key differences.
Entities overseeing compliance
The most fundamental difference is that HIPAA is a federal law, enforced by the government through the HHS Office for Civil Rights (OCR), whereas PCI DSS is managed by a private-sector entity and is enforced contractually by the card brands and acquiring banks rather than by statute. Related to this, HIPAA applies only to U.S. covered entities and their business associates, while PCI DSS applies globally to any organization that stores, processes, or transmits cardholder data.
Room for interpretation
The two also differ in the language they use. HIPAA is written flexibly; the Security Rule, for instance, marks many implementation specifications as "addressable", meaning a covered entity may implement an equivalent alternative if it documents why the specification is not reasonable and appropriate for its environment. PCI DSS, by contrast, is highly specific and prescriptive about the security measures businesses must take to protect cardholder data, although version 4.0 added a "customized approach" that lets an organization meet a requirement's stated objective with a different control if it documents and tests that control.
Another key difference is in relation to the type of information protected. HIPAA protects medical records and how they are shared, and PCI requirements cover cardholder data and are intended for fraud prevention and consistency in how payments are processed.
HIPAA and PCI DSS overlap in the end goal—protecting sensitive data from being stolen or shared improperly. Whether that is patient data or credit card data, these compliance requirements are designed to defend businesses and healthcare facilities alike. For healthcare organizations specifically, both are necessary to protect patients and the business.
How to Maintain PCI And HIPAA Compliance
Because healthcare businesses need both PCI and HIPAA compliance it is important to understand how they work together and where to find government-provided resources. Here, we’ll share three steps healthcare businesses can take to maintain both HIPAA and PCI compliance.
Implement strong cybersecurity measures
Protecting your company from data breaches requires network security controls such as a properly configured firewall and dedicated staff for a right-sized cybersecurity team. Good anti-virus software may be enough to protect a personal device from malware, but a healthcare business is a far larger target and must take proactive measures and establish security policies that meet its needs. Many of these measures are required outright: PCI DSS, for example, requires network security controls between untrusted networks and the cardholder data environment, anti-malware protection on all in-scope systems, and strong cryptography for cardholder data transmitted over public networks, and the HIPAA Security Rule requires administrative, physical, and technical safeguards for ePHI.
Some of these measures include conducting third-party risk assessments for all vendors. This is especially important for healthcare businesses whose vendors have access to patient information, as third-party risk continues to grow and medical information is highly targeted. Any vendor that handles PHI on your behalf must sign a Business Associate Agreement, and PCI DSS requires you to keep a list of the third-party service providers involved in your cardholder data environment and to monitor their compliance status at least annually. It is also imperative to develop an incident response plan and to back up patient data and other critical information, because ransomware attacks continue to increase in frequency; keep at least one backup copy offline or otherwise unreachable from the production network so that an attacker who encrypts the live systems cannot also encrypt the backups, and test restores regularly.
Conduct regular risk assessments and audits
Part of maintaining HIPAA and PCI DSS compliance is regular assessment and audit of the program. The HIPAA Security Rule requires a documented risk analysis of the threats to ePHI, and PCI DSS requires annual validation (a Self-Assessment Questionnaire or a Report on Compliance, depending on the merchant's level) plus quarterly external vulnerability scans by an Approved Scanning Vendor and regular penetration testing. With a constantly evolving threat landscape, businesses must continue to monitor their security programs and adapt to emerging threats.
Choose trusted providers for payment processing
The right payment processor will provide hardware and software that align with PCI standards; when evaluating any processor, confirm its current PCI DSS attestation and that its terminals are PTS-approved. Stax is not only PCI compliant; we are also HIPAA compliant and integrate with electronic medical and health record systems in a secure platform built to process payments.
We’re available 24/7 to help your healthcare business easily and securely process payments while maintaining HIPAA and PCI compliance.