By Gil Vidals, HIPAA Blog, Resources

HIPAA and PCI DSS are both frameworks for complying with legal guidelines that ensure the underlying data is protected appropriately. So what are the differences?

Whereas HIPAA is focused on protecting Protected Health Information (PHI) or Electronic Health Records (EHR), PCI DSS is centered around an individual's credit card data.

HIPAA is the Health Insurance Portability and Accountability Act. It is relatively new compared to PCI DSS, the Payment Card Industry Data Security Standard, which is an older standard whose implementation has been refined over time. HIPAA is broader and less detailed, leaving many of the implementation details to be worked out by the provider.

In practice, if your company has fully implemented either PCI DSS or HIPAA, there is a lot of overlap in the security measures required by the two regulations. If your company is subject to both HIPAA and PCI DSS because it stores both PHI and credit card data for its patients, then understanding the differences between the two is important.

In broad strokes, PCI DSS has tiered levels of requirements that apply depending on how and where the credit card data is handled and stored. For example, a company that accepts credit cards online but does not store card data within its own information systems is held to a more lenient standard than a company that processes and stores card data on its own servers.

HIPAA is not a tiered system, so the same standards must be implemented regardless of the amount of PHI involved or the method by which it is processed.

PCI DSS Compliance is derived from a council of credit card investment companies known as the Payment Card Industry Security Standards Council (PCI SSC), whereas HIPAA Compliance originates out of government agencies (not commercial corporations).

The consequences of non-compliance with these regulations vary in severity. Failure to comply can also leave an organization exposed to a security breach and the loss of sensitive data, so compliance should always be an integral part of an organization's key focus.

For PCI DSS, fines may be imposed and card-processing privileges revoked, along with the possibility of damage to the company's reputation. On the HIPAA side, consequences are stricter and can be both civil and criminal in nature, in addition to monetary penalties.

It would be a lengthy project to outline all the distinctions between the two standards, but these are a few of the primary differences. Depending on your needs, it is important to know how each applies from both a compliance point of view and a legal point of view.


Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil's mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached on LinkedIn.