Healthcare entities that accept credit card payments are subject to PCI-DSS requirements. PCI-DSS provides “mandated” requirements for the protection and security of credit card transactions. It is not a law. Rather, it was born out of collaboration between the major credit card brands (Visa, MasterCard, American Express, Discover, and JCB, the Japan Credit Bureau) to regulate and prevent credit card data breaches. The requirements are mandated for any vendor or entity that accepts credit card payments, regardless of size or number of transactions, and compliance is monitored by this same group of credit card brands (the Payment Card Industry Security Standards Council, the “Council”). Technically, the Council cannot “force” a vendor to comply with the requirements, but it can limit or prohibit a vendor’s ability to process credit card transactions and, hence, impede cash flow.
PCI-DSS focuses on “descriptive” steps to follow to ensure the security of stored credit card data, audit mechanisms, suggested breach protocols, and pre-determined fines for noncompliance. If followed, these actions would form part of a healthcare entity’s response to the HIPAA Security standards.
HIPAA is much more encompassing. Compliance is mandated by federal law; it requires risk assessments, policies and procedures for administrative, physical, and technical safeguards, and the use of Business Associate Agreements; and it includes breach protocols, fines, and civil and criminal actions for noncompliance.
Yes, PCI-DSS impacts healthcare. Yes, PCI-DSS activities may be part of a healthcare entity’s HIPAA Security Plan. No, PCI-DSS compliance does not equate to HIPAA Security compliance, and vice versa, because the HIPAA plan may not prescribe every step mandated by the Council. Instead, it is best to view each through its own set of rules.
For more information on complying with PCI-DSS, please contact Linda Mancini at 781-272-8001.