Combine, Coordinate, Collect: Synergy Through Concurrent Assessments
Part 1: HIPAA and PCI
Many organizations are subject to multiple compliance regulations or internal control requirements. Depending on the industry, some of the most widely applied are Sarbanes-Oxley (SOX), Payment Card Industry (PCI), Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA). These compliance regulations typically address similar areas, such as data privacy and security, with overlapping requirements. To save time, effort and sanity, it makes sense to address the requirements that overlap in tandem.
In this section, we will identify a few areas in HIPAA and PCI that may be addressed concurrently to save time and effort.
Background
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA is overseen by the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services. Of its many components, the Privacy Rule and Security Rule are the two most frequently assessed HIPAA rules. The Privacy Rule establishes standards to protect individuals’ medical records and other identifiable health information, collectively referred to as protected health information (PHI). It requires appropriate safeguards to protect the privacy of PHI, and limits the conditions under which the information can be used or disclosed without an individual’s consent.
Covered entities are defined as health plans, health care clearinghouses, and health care providers that electronically transmit PHI. Examples include health insurance companies, doctors, or medical data entry services.
Business associates are defined as a person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Examples include third-party administrators assisting with claims processing, attorneys with access to PHI, and independent medical transcriptionists.
The Security Rule, which has the most overlap with PCI, establishes standards to protect electronic PHI (ePHI) which is created, received, used, or maintained by a covered entity or business associate, and requires appropriate safeguards which are broken down into the following subcategories:
| Safeguards | Subcategories | Summaries |
| --- | --- | --- |
| Administrative | Security Management Process | Identify risks to ePHI and implement security measures that reduce risk and vulnerabilities. |
| Administrative | Security Personnel | Designate personnel responsible for developing and implementing security policies and procedures. |
| Administrative | Information Access Management | Implement policies and procedures for authorizing access to ePHI when appropriate. |
| Administrative | Workforce Training and Management | Train all workforce members regarding security policies and procedures, and sanction those who violate policies and procedures. |
| Administrative | Evaluation | Perform periodic assessments to validate that policies and procedures meet the Security Rule. |
| Physical | Facility Access and Control | Limit physical access to facilities. |
| Physical | Workstation and Device Security | Implement policies and procedures specifying proper use of workstations and the transfer, removal, disposal, and re-use of electronic media. |
| Technical | Access Control | Implement policies and procedures to allow only authorized access to ePHI. |
| Technical | Audit Controls | Implement mechanisms to record and examine access and activity in systems that contain or use ePHI. |
| Technical | Integrity Controls | Implement policies and procedures to ensure ePHI is not improperly altered or destroyed. Implement electronic measures to confirm ePHI has not been improperly altered or destroyed. |
| Technical | Transmission Security | Implement security measures to prevent unauthorized access to ePHI during transmission. |
Payment Card Industry (PCI) Data Security Standard (DSS)
At a minimum, cardholder data consists of the full primary account number (PAN), also known as the payment account number. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
The PCI DSS is developed and overseen by the PCI Security Standards Council (SSC) and enforced through Acquirers (Merchant Banks) which monitor compliance. Currently, there are two versions of the PCI DSS in effect. Version 3.2.1 is effective until retired on March 31, 2024. Version 4.0 was released on March 31, 2022, and can be implemented immediately, though additional requirements will become mandatory in 2025. Comparisons between the two DSS versions can be found here. Both versions of the PCI DSS consist of six objectives and twelve requirements applicable to all merchants and service providers that store, process, or transmit cardholder data. These objectives and requirements are:
| Objectives | Requirements |
| --- | --- |
| Build and maintain a secure network and systems | 1. Install and maintain a firewall configuration to protect data |
| Build and maintain a secure network and systems | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect cardholder data | 3. Protect stored cardholder data |
| Protect cardholder data | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a vulnerability management program | 5. Protect all systems against malware and regularly update anti-virus software or programs |
| Maintain a vulnerability management program | 6. Develop and maintain secure systems and applications |
| Implement strong access control measures | 7. Restrict access to cardholder data by business need to know |
| Implement strong access control measures | 8. Identify and authenticate access to system components |
| Implement strong access control measures | 9. Restrict physical access to cardholder data |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data |
| Regularly monitor and test networks | 11. Regularly test security systems and processes |
| Maintain an information security policy | 12. Maintain a policy that addresses information security for all personnel |
Comparison
As noted below, the HIPAA Security Rule and the PCI DSS have multiple areas of overlap. These areas can often leverage the same evidence between assessments, reducing the burden on document provider and assessor alike.
| HIPAA Safeguards | Common Coverage Area | PCI Requirement(s) |
| --- | --- | --- |
| Administrative | Log monitoring | 10 |
| Administrative | Access management and review processes | 8 |
| Administrative | Anti-malware | 5 |
| Administrative | Assigned responsibilities | 1-12 |
| Administrative | Employee training | 9, 12 |
| Administrative | Incident management | 12 |
| Administrative | Password management | 7 |
| Physical | Device inventories | 2 |
| Physical | Media handling processes | 3, 9 |
| Physical | Physical access management | 9 |
| Technical | Audit logging | 10 |
| Technical | Data encryption | 3, 4 |
| Technical | Inactive session management | 8 |
| Technical | User identification and authentication | 7 |
This chart begins to show how an assessor can map between standards to identify points of commonality, and therefore areas of efficiency for test procedures. It is not exhaustive and does not go down to the subsections of the Security Rule or the sub-requirements of the PCI DSS.
When planning multiple concurrent assessments with cross-utilized data, it is important to consult with personnel experienced in performing combinations of assessments. Weaver has performed combined assessments across a variety of organizations from Fortune 50 companies, to local government and small businesses. For more information about how we can help your organization plan more efficient assessments, please contact us.
©2022