- HIPAA Update - http://blogs.hcpro.com/hipaa -

PCI requirements are essential to HIPAA security programs

A new threat is emerging on the healthcare horizon. Medical identity theft is running rampant and hackers are targeting merchants’ credit card systems. It’s only a matter of time before the two worlds collide.

“Virtually all patient-facing healthcare organizations accept credit and debit cards, and a significant number of business associates [BA] and other related companies do as well,” says Dan Berger, president and CEO of Redspin, Inc., in Carpinteria, California. “Medical records are already one of the most high-value targets for identity theft, and adding credit card numbers into the mix exponentially increases the security risks that healthcare companies face every day,” he says.

Healthcare organizations must become familiar with the payment card industry data security standards (PCI DSS) to protect the privacy and security of their patients, says Phyllis A. Patrick, MBA, FACHE, CHC, founder of Phyllis A. Patrick & Associates, LLC, in Purchase, New York. “There are all kinds of threats that we didn’t see or saw a lot less of a few years ago,” says Patrick.

The Payment Card Industry Security Standards Council (PCI SSC), a coalition of credit card merchants, was established in 2006 to develop the PCI requirements. The current version of the requirements is PCI DSS 3.0, says Berger. Credit card companies are not subject to the same federal and state regulations as banks and credit unions, although some states opted to incorporate PCI standards into state law. Therefore, the card companies came together to develop their own security standards to protect cardholder data and industry transactions, says Berger.

Continue reading “PCI requirements are essential to HIPAA security programs” on the HCPro website. Subscribers to Briefings on HIPAA have free access to this article in the August issue.