The healthcare industry has grappled with HIPAA for nearly 20 years. The ever-changing, extensive piece of legislation mandates the protection and security of patients' private health information, and HIPAA compliance is a costly and time-consuming process for healthcare organizations.

With the amount of focus and effort directed towards HIPAA compliance, risk and compliance professionals at healthcare organizations can rest assured their patients' data is protected from hackers and data theft, right?

Simply put, no.

HIPAA only requires the security of a patient's health information. When it comes to protecting financial data, like a patient's credit card and debit card information, HIPAA comes up short. To fill this gap, healthcare companies have begun adhering to a different set of requirements, set forth in the Payment Card Industry Data Security Standard (PCI DSS).

HIPAA, as a U.S. federal law enforced by the Department of Health and Human Services, carries heavy criminal and civil penalties for noncompliance. PCI DSS compliance, conversely, isn't a legal requirement. Companies like Visa, Mastercard, and Discover, among others, make up the Security Standards Council, which created the PCI DSS framework to strengthen the protection of their customers' data. All PCI compliance issues are handled by the council. As a non-regulatory body, noncompliance with PCI DSS will not result in direct criminal charges. The council is, however, able to hand down contractually agreed-upon fines, which can become significant in the event of a data breach or theft.

Now, here is the scary part. A 2012 study found that "the healthcare industry as a whole is sorely lagging in compliance with PCI DSS" due to the common misconception that "by simply meeting HIPAA requirements, a healthcare provider is also complying with PCI DSS." [1]

Meeting HIPAA's requirements is not indicative of PCI DSS compliance, and vice versa. As the industry catches on, healthcare providers can benefit from an Enterprise Risk Management framework allowing them to address both PCI and HIPAA standards, reduce rework due to overlap, and most importantly protect patient data.

A Risk-Based Approach to PCI Compliance

In the world of healthcare, if an organization accepts credit or debit payments from patients (think pharmacy, patient co-payments, gift shops, etc.) the requirements of PCI DSS apply. There are several roads that an organization can take to arrive at PCI compliance. Employing a risk-based approach, focused on enterprise-wide risk aggregation and mitigation, is the most effective means to this end.

Through the employment of a risk-based approach, healthcare companies are able to efficiently comply with a variety of regulations and standards, including HIPAA, SOX, and PCI DSS, by creating distinct relationships between disparate regulations, a common root-cause risk, and the various controls and activities within their organization. Addressing each of these regulations separately leads to a duplication of effort, organizational inefficiencies, and eventually compliance fatigue. Linking them together under a risk-based approach, however, moves an organization from a mindset of chasing compliance to one of constant security and control.

Healthcare companies are among the most heavily regulated enterprises in the world, and any inefficiency in compliance is detrimental to business operations. By adopting a risk-based approach, an organization can move past a dangerous 'check-the-box' mentality and adopt a culture of true information security and protection, working toward both PCI DSS and HIPAA compliance.

Download our whitepaper on PCI compliance, or request a demo to see how LogicManager can quickly help you align regulatory compliance with your strategic objectives.


Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.
