Combine, Coordinate, Collect: Synergy Through Concurrent Assessments

Part 1: HIPAA and PCI

Many organizations are subject to multiple compliance regulations or internal control requirements. Depending on the industry, some of the most widely applied are the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA). These regimes typically address similar areas, such as data privacy and security, with overlapping requirements. To save time, effort and sanity, it makes sense to address the overlapping requirements in tandem, collecting one set of evidence that satisfies both.

In this section, we will identify a few areas in HIPAA and PCI that may be addressed concurrently to save time and effort.

Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA is overseen by the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services. Of its many components, the Privacy Rule and the Security Rule are the two most frequently assessed. The Privacy Rule establishes standards to protect individuals' medical records and other individually identifiable health information, collectively referred to as protected health information (PHI). It requires appropriate safeguards to protect the privacy of PHI and limits the conditions under which the information can be used or disclosed without an individual's authorization.

Covered entities are defined as health plans, health care clearinghouses, and health care providers that electronically transmit PHI. Examples include health insurance companies, doctors, or medical data entry services.

Business associates are defined as persons or entities that perform certain functions or activities involving the use or disclosure of PHI on behalf of, or that provide services to, a covered entity. Examples include third-party administrators assisting with claims processing, attorneys with access to PHI, and independent medical transcriptionists.

The Security Rule, which has the most overlap with the PCI DSS, establishes standards to protect electronic PHI (ePHI) that is created, received, used, or maintained by a covered entity or business associate. It requires appropriate safeguards, broken down into the following subcategories:

Administrative safeguards

Security Management Process: Identify risks to ePHI and implement security measures that reduce risks and vulnerabilities.

Security Personnel: Designate personnel responsible for developing and implementing security policies and procedures.

Information Access Management: Implement policies and procedures for authorizing access to ePHI only when appropriate.

Workforce Training and Management: Train all workforce members on security policies and procedures, and sanction those who violate them.

Evaluation: Perform periodic assessments to validate that policies and procedures meet the requirements of the Security Rule.

Physical safeguards

Facility Access and Control: Limit physical access to facilities while ensuring authorized access is allowed.

Workstation and Device Security: Implement policies and procedures specifying proper use of workstations and the transfer, removal, disposal, and re-use of electronic media.

Technical safeguards

Access Control: Implement technical policies and procedures that allow only authorized persons to access ePHI.

Audit Controls: Implement mechanisms to record and examine activity in information systems that contain or use ePHI.

Integrity Controls: Implement policies and procedures to ensure ePHI is not improperly altered or destroyed, and electronic measures to confirm that it has not been.

Transmission Security: Implement security measures to prevent unauthorized access to ePHI while it is transmitted over an electronic network.

Payment Card Industry (PCI) Data Security Standard (DSS)

At a minimum, cardholder data consists of the full primary account number (PAN). Cardholder data may also take the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.

The PCI DSS is developed and maintained by the PCI Security Standards Council (SSC) and enforced by the payment brands and their acquirers (merchant banks), which monitor the compliance of the merchants and service providers they sponsor. Currently, there are two versions of the PCI DSS in effect. Version 3.2.1 remains valid until it is retired on March 31, 2024. Version 4.0 was released on March 31, 2022, and can be adopted immediately, though its future-dated requirements do not become mandatory until March 31, 2025. Both versions consist of six objectives and twelve requirements applicable to all merchants and service providers that store, process, or transmit cardholder data. The requirement titles listed below follow the v3.2.1 wording; v4.0 restates several of them (for example, Requirement 1 becomes "Install and maintain network security controls" and Requirement 2 becomes "Apply secure configurations to all system components"), but the numbering and intent of each requirement are unchanged. The objectives and requirements are:


Build and maintain a secure network and systems

1. Install and maintain a firewall configuration to protect data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement strong access control measures

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an information security policy

12. Maintain a policy that addresses information security for all personnel


Comparison

As shown below, the HIPAA Security Rule and the PCI DSS have multiple areas of overlap. For these areas, the same evidence (for example, a log review record, an access recertification or an encryption configuration export) can often be collected once and used for both assessments, reducing the burden on the organization supplying documentation and on the assessor alike.

Administrative safeguards

Log monitoring: PCI Requirement 10

Access management and review processes: PCI Requirements 7, 8

Anti-malware: PCI Requirement 5

Assigned responsibilities: PCI Requirements 1-12 (each requirement expects documented ownership; Requirement 12 assigns overall security responsibility)

Employee training: PCI Requirements 9, 12

Incident management: PCI Requirement 12

Password management: PCI Requirement 8

Physical safeguards

Device inventories: PCI Requirements 2, 9

Media handling processes: PCI Requirements 3, 9

Physical access management: PCI Requirement 9

Technical safeguards

Audit logging: PCI Requirement 10

Data encryption (at rest and in transit): PCI Requirements 3, 4

Inactive session management: PCI Requirement 8

User identification and authentication: PCI Requirement 8

This chart begins to show how an assessor can map between the standards to identify points of commonality, and therefore areas of efficiency for test procedures. It is not exhaustive and does not go down to the implementation specifications of the Security Rule or the sub-requirements of the PCI DSS. Note that the mapping is one of evidence, not of equivalence: the PCI DSS is prescriptive (for example, it specifies password and session-timeout parameters), while the Security Rule is risk-based and leaves the specific settings to the entity, so evidence that satisfies a PCI requirement will usually cover the corresponding HIPAA safeguard, but the reverse is not guaranteed.

When planning multiple concurrent assessments that reuse evidence across frameworks, it is important to consult personnel experienced in performing combined assessments. Weaver has performed combined assessments for a variety of organizations, from Fortune 50 companies to local governments and small businesses. For more information about how we can help your organization plan more efficient assessments, please contact us.

©2022
