Are you a covered entity under HIPAA regulations?
The following is a simple test for determining whether or not you qualify as a provider and therefore must follow the HIPAA guidelines:
  • Does the person, business or agency furnish, bill, or receive payment for health care in the normal course of business?
  • If the answer is yes, does the person, business or agency conduct covered transactions?
  • If yes, are any of the covered transactions transmitted in electronic form?
  • If the answer to this question is yes, the person, business or agency is a covered health care provider and must comply with all HIPAA regulations.
Who must comply with these new HIPAA privacy standards?
As required by Congress in HIPAA, the Privacy Rule covers:
  • Health plans
  • Health care clearinghouses
  • Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
These entities (collectively called "covered entities") are bound by the new privacy standards even if they contract with others (called "business associates") to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. See the fact sheet and frequently asked questions on this web site about the standards on "Business Associates" for a more detailed discussion of the covered entities' responsibilities when they engage others to perform essential functions or services for them.

HIPAA checklist: <http://hipaanews.org/checklist.htm>

I spoke to my provider and they say I am PCI compliant?
Compliance is defined as: an annual Self-Assessment Questionnaire (SAQ) completed and submitted by a Qualified Security Assessor (QSA), a quarterly vulnerability scan by an Approved Scanning Vendor (ASV, approved by the PCI Security Standards Council of Visa, MasterCard, American Express and Discover), and a signed attestation of PCI compliance. This only makes you compliant; it does not protect you in the event of a breach or from fines. Depending on how you connect to the card networks, your equipment may also be non-compliant because of its age or its encryption. The PCIHIPAA protection package covers all of your PCI compliance issues.

How does HITECH Act affect HIPAA compliance for my practice?
Federal agencies will begin enforcing HIPAA compliance, with fines for practices that do not have an Emergency Data Recovery Policy and HIPAA-compliant data backup. A PCI data breach is also a HIPAA violation. Avoid these fines today with a protection package from PCIHIPAA.

Why are so many healthcare practices vulnerable to data breach?
Healthcare practices and organizations have the most sensitive repositories of personal information of any industry. During the period of 2006-2007 alone, an estimated 1.5 million patient records were compromised. Unlike large corporations, small-to-medium-sized medical practices are an attractive target for hackers.

Isn’t it enough to be HIPAA compliant? Must I be PCI compliant, too?
Please keep in mind that HIPAA is not about the privacy and protection of data; it’s about the portability and accountability of patient data. That data includes financial records as well, and all too often it is not adequately protected.

Is a financial data breach as serious as a patient health data breach?
Any data breach is serious. Under the PCI DSS, an organization that does not perform due diligence with respect to protecting data faces not only onerous fines but also the loss of card-processing rights. Imagine telling a patient (as you are required to do), “We do not accept credit cards for payment because we’ve experienced a data breach.” The negative publicity alone would be devastating.

What is the PCI DSS compliance standard?
The PCI Data Security Standard (PCI DSS) is a set of security and business requirements designed to ensure that companies that process, store or transmit credit card information maintain a secure environment.

The standard is administered by the PCI Security Standards Council, an independent body created by the main payment card brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.). The council oversees the administration and management of the standard, which can be found on the PCI SSC’s website: www.pcisecuritystandards.org.

A U.S. or Canadian business (including medical practices) involved in processing, storing, or transmitting card numbers MUST be PCI DSS compliant or risk losing the ability to process credit card payments.

What do I need to do to be in PCI compliance?
The yearly Self-Assessment Questionnaire (SAQ), consisting of 75 questions that address 12 security requirements, must be submitted to your processor. All questions must be honestly answered YES, even questions that seem to have no bearing on a particular merchant.

To comply with PCI DSS, you must possess a series of written security policies, procedures, employee handouts, and training aids all related to the secure handling and processing of credit card data. You must also enforce those policies with procedures in your organization and prove that you do so with proper logging and security trails.

Am I compliant if I hold an SSL certificate?
No. SSL certificates do not safeguard your web server from cyberbandits; they merely provide the first tier of customer security.

How tough are the penalties if we don’t comply?
They’re very tough. Failure to comply with PCI-DSS requirements can result in stiff contractual penalties or sanctions from members of the payment card industry, including:

  • Fines of $500,000 per data security incident
  • Fines of $50,000 per day for non-compliance with published standards
  • Liability for all fraud losses incurred from compromised account numbers
  • Liability for the cost of reissuing cards associated with the compromise
  • Suspension of merchant accounts
And this doesn’t even begin to touch on HIPAA fines and regulatory actions.

Why do you merge HIPAA and PCI compliance solutions together?
Any PCI breach is now a HIPAA violation as well. So it simply makes sense to offer the whole HIPAA/PCI solution.

The Payment Card Industry’s Data Security Standard (PCI DSS) is generations ahead of any other data protection regulation. It provides clear guidance, strong means for assessing adherence, a system for enforcement, and the flexibility to address real and current data threats. Most importantly, it is another major piece in the puzzle of complete HIPAA compliance.

I’m already talking to a HIPAA compliance firm. Why should I consider you?
Chances are, the company you’re speaking with does not offer PCI compliance solutions. Does the company offer credit card and other financial data protection? Does it come with SAS-70 certification? Remember, compliance company offerings are not apples-to-apples.