Healthcare providers must become aware of and comply with PCI DSS
Healthcare providers are generally familiar with, and accustomed to, the complex network of state and federal data privacy protection laws (e.g., HIPAA and the HIPAA Privacy and Security regulations). However, many providers may not be aware of another set of data security standards, the Payment Card Industry Data Security Standard (PCI DSS), imposed by a non-governmental, private organization representing the credit card industry.
Contrary to popular belief, PCI standards apply to any processor of credit cards, regardless of the volume of credit card transactions. (However, the PCI DSS requirements do differ based on each organization's transaction volume.) In other words, if your healthcare enterprise or practice accepts credit cards as payment for services (which virtually all practices do), your organization is subject to PCI DSS.
SC Magazine's recent contribution from Jim Lacy, CFO of healthcare IT company ZirMed, provides an excellent reminder for all healthcare providers accepting credit cards to take note of PCI DSS and begin the process of compliance with such standards.
A few lessons from Jim Lacy's piece and more after the jump.
Jim Lacy reminds healthcare providers of a few basic principles of PCI compliance:
- As mentioned above, PCI DSS applies to all entities processing credit card transactions, regardless of volume.
- PCI DSS compliance is not prohibitively expensive. Certain PCI-compliance services are available online for as little as $150 a year.
- If your organization is not compliant with PCI DSS, you may not be able to process credit card transactions in certain markets.
- Aside from suspension of the ability to process credit card transactions, a data breach at a non-compliant provider may cost hundreds of thousands of dollars in fines alone (VISA can impose fines of up to $500,000 per incident).
- HIPAA compliance does not mean compliance with PCI DSS.
In addition to PCI DSS, at least one state, Minnesota, has adopted as state law most of the PCI DSS provisions prohibiting storage of credit card data: the Plastic Card Security Act (PCSA). The PCSA essentially created a strict liability standard for entities processing over 20,000 credit card transactions a year, covering any losses or damages caused by a data breach of stored credit card data.
Thus, a Minnesota healthcare enterprise may be strictly liable to credit card companies or patients for losses or damages resulting from a security breach of stored credit card data if the provider was not compliant with PCI DSS and the applicable provisions of Minnesota law.
"PCI-DSS: Not on health care provider's radar", SC Magazine (June 19, 2009).