The Differences in HIPAA and PCI Compliance

Editor’s Note: This blog entry was originally published on September 19, 2018, and was updated on August 7, 2020.

If the practice management software you provide to your clients includes payment processing functionality, you’re probably familiar with PCI compliance requirements. If you have clients in the healthcare industry, you’re likely also familiar with HIPAA requirements. PCI and HIPAA are two separate sets of requirements, and healthcare companies need to make sure they follow all of the regulations put in place by both in order to stay compliant and protect patients’ information at all times.

These types of regulations are important for many reasons: protecting patients’ identity, cardholder information and medical information, just to name a few. When healthcare practices are using your software solution, it is crucial that they know you are handling their patient data in the most secure fashion and following all of these important regulations that are in place today.

What is PCI Compliance?

PCI DSS is the data security standard for the payment card industry and is maintained by the PCI Security Standards Council (PCI SSC). This standard is presented as the minimum criteria companies should strive for in order to avoid data breaches.

The PCI compliance requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is to protect cardholder data at all times. These standards apply not just to merchants and ISVs but to anyone that stores, processes, transmits, or otherwise manipulates cardholder data. Service providers who can affect the security of cardholder data are also responsible for compliance with applicable requirements.

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act, is a U.S. law whose rules set "national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically."

You’ve likely read numerous news stories over recent years about healthcare data breaches, whether due to outsider hacking or data misuse by internal employees. This can be a costly area for health organizations. New research from Proofpoint shows that “Health and pharma organizations that experience security incidents caused by careless or malicious insiders spend an average of $10.81 million each year to remediate the threat.”

Tips for PCI Compliance in Healthcare

All businesses that handle credit card data, not just healthcare entities, must comply with PCI DSS requirements, so these tips are useful across industries.

Any organization that accepts payment cards is required to protect cardholder data in order to prevent unauthorized usage. Cardholder data should never be stored unless required for legal, regulatory or business needs. In the event storage is necessary, PCI requirements for securing stored data must be followed.

Organizations must limit storage and retention time to the bare minimum and should purge cardholder data that has exceeded its retention period at least every quarter. Sensitive authentication data, even if encrypted, must never be stored beyond what is necessary to finalize a transaction.

These requirements also include rules for how primary account numbers (PANs) should be displayed: at most the first six and last four digits may be shown, with the rest masked. This requirement does not supersede other legal or payment card brand requirements, including requirements that further limit the data which can be displayed on point-of-sale (POS) receipts.
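As an added example that is not from the original post, the Python helper below applies the first-six/last-four display mask described above, a stricter last-four-only mask for receipts, and redacts Luhn-valid PANs from free text such as a log line so full card numbers are never retained. The test card number and the sample log line are constructed for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
# Shorter or longer digit runs are not card numbers and are left untouched.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, receipt: bool = False) -> str:
    """Mask a PAN: first six and last four visible for general display,
    last four only for a POS receipt. Separators are stripped first so the
    masked form never reveals digit grouping."""
    digits = re.sub(r"[ -]", "", pan)
    if not (13 <= len(digits) <= 19 and digits.isdigit()):
        raise ValueError("not a 13-19 digit PAN")
    head = 0 if receipt else 6
    return digits[:head] + "*" * (len(digits) - head - 4) + digits[-4:]


def redact_pans(text: str, receipt: bool = False) -> str:
    """Replace every Luhn-valid PAN in free text (e.g. an application log
    line) with its masked form; non-card digit runs are left as they are."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits, receipt) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed sample log line; 4111 1111 1111 1111 is a well-known test
# number, not a real card. The 13-digit reference number fails Luhn.
SAMPLE_LOG = ("2020-08-07 payment ok card=4111 1111 1111 1111 "
              "ref=1234567890123 amount=42.00")

if __name__ == "__main__":
    print(mask_pan("4111111111111111"))        # 411111******1111
    print(mask_pan("4111111111111111", True))  # ************1111
    print(redact_pans(SAMPLE_LOG))
```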

Tips for HIPAA Compliance in Healthcare

Organizations that must abide by HIPAA requirements should know what protected health information they are storing or maintaining and where, and ensure they are following all guidelines.

They must also ensure they track those individuals who have access to protected data, including any third parties, and ensure they are fluent in and operating under the HIPAA requirements.

Further, these organizations must ensure that all data is encrypted both in transit and at rest.


ISVs who offer healthcare practice management software need to be aware of both PCI compliance regulations and HIPAA regulations to ensure they understand the requirements their customers need to meet. To learn more about PCI compliance, take a look at our blog series on the topic. For more information about HIPAA requirements, please visit