02-26-13 | Blog Post
More and more often, healthcare providers and other businesses find themselves needing both HIPAA compliance for the PHI (protected health information) they store and PCI DSS compliance for the cardholder data they store, transmit, or process. At this compliance crossroads, providers are situated between prescriptive technical requirements and more subjective policies, which can cause confusion about where to start and how best to stay compliant.
Likely the most important point to note is that these two sets of compliance standards are different. The Department of Health and Human Services (HHS) is responsible for monitoring HIPAA compliance, and audits are conducted under regulations put in place by its Office for Civil Rights (OCR). PCI DSS compliance requires an audit by a Qualified Security Assessor (QSA) who has been certified by the Payment Card Industry Security Standards Council (PCI SSC).
There will undoubtedly be certain safeguards that overlap, but because they are audited by different groups against different guidelines, each should be examined separately. This lowers the risk of a company missing a component necessary for compliance and allows a more thorough understanding of each audit.
This means that when a company is looking for a hosting provider, it needs to feel confident that the provider it will be working with also understands the importance of treating these compliance regimes separately. The provider should have both an independent HIPAA audit proving that all the administrative, physical, and technical safeguards are in place, and a completed PCI DSS Report on Compliance (ROC) available to share.
Also, under the final HIPAA Privacy and Security Rules put out by HHS, hosting providers are considered Business Associates. Thus, conversations with providers will need to include a Business Associate Agreement (BAA), which outlines the specific steps each party will take to protect PHI and explicitly defines the hosting provider's responsibility to be compliant. If a hosting provider is unable or unwilling to sign a BAA, it would be wise to work with a different company.
For more information on the guidelines and requirements of each compliance regime, read through our white papers, which thoroughly address HIPAA and PCI compliant hosting.
Further reading:
mHealth and Multi-Compliance
HIPAA Hosting Provider BAAs Need To Reflect HHS Final HIPAA Privacy & Security Rules
Your Cloud Hosting Provider May Be PCI Compliant But That Doesn’t Mean You Are
Data Center Standards Cheat Sheet: From HIPAA to SOC 2