Combining PCI and HIPAA Audits

by Sarah Harvey / March 16th, 2020

We get a lot of questions about PCI and HIPAA audits. There’s legislation and complicated requirements behind these frameworks, so what happens when your company is required to obtain both types of compliance? Are you able to consolidate both audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project, including PCI and HIPAA. Let’s talk through why and how you would take on the project of a combined PCI and HIPAA audit.

What are PCI and HIPAA Audits?

Before we discuss how to go through a combined PCI and HIPAA audit, let’s review what each of these types of audits are.

The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The founding payment brands include Visa, Inc., MasterCard, Discover Financial, American Express, and JCB International. The PCI DSS is a rigorous framework that consists of nearly 400 individual controls. PCI compliance is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. A PCI audit must be conducted by a QSA.

The integrity of the healthcare industry relies on keeping data secure and patients safe. This, in part, was why HIPAA was created. HIPAA sets a national standard for the protection of consumers’ PHI and ePHI by mandating risk management best practices and physical, administrative, and technical safeguards. HIPAA was established to provide greater transparency for individuals whose information may be at risk, and the OCR enforces compliance with the HIPAA Security, Privacy, and Breach Notification Rules.

Why a Combined PCI and HIPAA Audit?

Depending on your services, both PCI and HIPAA compliance may be required of your organization – and when multiple types of compliance are required of you, it’s important to know that a combined PCI and HIPAA audit is an option.

Protecting cardholder data as well as protected health information is a difficult task, but compliance in these areas will ensure your organization is doing its due diligence. Healthcare is one of the most at-risk industries for data breaches, and the most expensive. In 2019, IBM reported that the average cost of a data breach in healthcare was $6.45 million, or $429 per record. Plus, once you’ve had a data breach, you’re more likely to have abnormal customer turnover – 8% in healthcare. In the financial services industry, the average cost of a breach is $5.86 million. Don’t you want to do every test and assessment possible to keep your organization from falling into these statistics?

Using the Online Audit Manager

Our goal is to make PCI and HIPAA reports more accessible to organizations who are being asked for them, so in order to complete a combined PCI and HIPAA audit, we utilize the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits – all with the goal of saving your organization’s time, effort, and capital. Completing a combined PCI and HIPAA audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let’s set up a demo of the Online Audit Manager.

More PCI and HIPAA Resources

4 Reasons to Start a PCI Audit Right Now

HIPAA Compliance Checklist

Using the Online Audit Manager to Complete Multiple Audits