Differences Between PCI DSS Compliance & HIPAA Compliance

By HIPAA Vault

HIPAA and PCI DSS are both frameworks whose purpose is to ensure that a particular class of sensitive data is protected appropriately. HIPAA is a federal law focused on protecting Protected Health Information (PHI), including the Electronic Health Records (EHR) in which it is stored, whereas PCI DSS is a contractual industry standard centered on cardholder data (primary account numbers and the related card data used to authorize payments).

HIPAA, the Health Insurance Portability and Accountability Act (enacted in 1996), is actually the older of the two; PCI DSS, the Payment Card Industry Data Security Standard (first published in 2004), is the younger but far more prescriptive standard, and successive versions have spelled out in detail which controls are required and how they are to be implemented and validated. HIPAA is broader and less detailed, leaving many of the implementation decisions to the covered entity or business associate.

– In practice, if your company has fully implemented either PCI DSS or HIPAA, there is a lot of overlap between the security measures the two require. If your company needs both, because it stores both PHI and payment card data for its patients, then understanding the differences between the two is what matters. It is less work to treat this as a gap analysis: identify the controls that one framework requires and the other does not, and implement those that are missing, rather than trying to catalogue the similarities.

– PCI DSS scales its validation requirements according to how and where cardholder data is handled. For example, a company that accepts card payments online but never stores, processes or transmits card data within its own systems (because payment handling is fully outsourced to a compliant third party) has a much smaller scope to validate than a company that processes and stores card data on its own servers. HIPAA is not tiered in this way: the same Privacy Rule and Security Rule requirements apply to every covered entity and business associate regardless of the amount of PHI handled or the method by which it is processed, although the Security Rule does let an entity decide how to implement each safeguard based on its size, complexity and risk.

PCI DSS is issued by the Payment Card Industry Security Standards Council (PCI SSC), a body founded by the major payment card brands (American Express, Discover, JCB, Mastercard and Visa), whereas HIPAA originates from the US federal government and is enforced by the Department of Health and Human Services (HHS) Office for Civil Rights, not by commercial corporations. The consequences of non-compliance also differ in severity.

– Non-compliance does not by itself cause a security breach, but it usually means the controls that would prevent or detect one are missing, so compliance should be an integral part of an organization's security program rather than a checkbox exercise. Under PCI DSS, the card brands and acquiring banks can impose fines (typically levied on the acquiring bank and passed on to the merchant) and can ultimately revoke a merchant's ability to accept card payments, on top of the reputational damage a breach causes. HIPAA's consequences are stricter: in addition to civil monetary penalties imposed by HHS, knowing or willful violations can be prosecuted criminally by the Department of Justice, with fines and imprisonment as possible outcomes.

A full comparison of the two standards would be a lengthy project. In a future blog post we will tackle the major differences between them, both from a compliance point of view and from a legal point of view.
