See the following for dealing with credit information:

https://www.pcisecuritystandards.org/security_standards/

Does a similar standard exist for PHI? Is one being developed?

John Straka
3 Answers

HIPAA describes (at a high level) some policies to follow, and the HITECH legislation further defines some of those provisions. You can look at the Wikipedia HIPAA article for more details on those provisions.

These provisions are required in the USA, I'm not sure about other countries. There is not a global standard, like PCI, as healthcare tends to be dealt with differently based on country.

There is a HIPAA Security Rule that establishes the overall objectives.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html

In addition to this, there is a forthcoming ONC NwHIN Governance Rule that should establish additional conditions of interoperability and trust, and I, for one, have pointed to PCI as a good model for security standards. (That governance rule would apply to NwHIN certified entities, whereas the HHS Office of Civil Rights establishes rules that apply to all organizations that fall under HIPAA).

I've been through generic "HIPAA" audits by health plans and hospitals (the scare quotes are because outside of an OCR action, there's nothing that could be called an official HIPAA certification or audit) and PCI Compliance auditing, and PCI Compliance is a far more stringent process.

In general, if you conform to PCI (with sensible adjustments due to the differing risks -- disclosure of cardholder data vs disclosure of PHI), you will be far above usual practice for HIPAA Covered Entities and BAs.

PCI has overarching requirements (objectives) and detail about how to accomplish them (controls). HIPAA is limited to the overarching requirements and does not specify concrete audit details for being certified as security compliant.

In the world of HIPAA security compliance, implementing best practices to prevent improper disclosure of information is what's out there.

Jeff Ferland