Healthcare organizations that accept card payments operate under two overlapping compliance frameworks: PCI DSS, which protects cardholder data, and HIPAA, which protects patient health information. Most organizations achieve PCI compliance and assume they’ve handled the payment security piece. That assumption is wrong. This guide explains where the two frameworks overlap, where they diverge, and what a dual-compliance payment setup requires.
ConvesioPay addresses both PCI and HIPAA requirements for healthcare payment processing. It is built on Convesio’s HIPAA-compliant infrastructure, with BAAs available for healthcare accounts. Talk to our team →
1. What Each Framework Covers
| | PCI DSS | HIPAA |
|---|---|---|
| What it protects | Cardholder data: card numbers (PAN), CVV, expiration dates, cardholder names | Protected Health Information (PHI): individually identifiable health information in any form |
| Who sets the standard | PCI Security Standards Council (Visa, Mastercard, Amex, Discover, JCB) | HHS — Department of Health & Human Services |
| Who enforces it | Card brands through acquiring banks; fines and processing termination | HHS Office for Civil Rights; civil and criminal penalties |
| Who must comply | Any entity that stores, processes, or transmits cardholder data | Covered entities (providers, health plans, clearinghouses) and their business associates |
| Maximum penalties | Up to $100,000/month for non-compliance; processing suspension | Up to $1.9 million per violation category per year; criminal charges possible |
2. Where They Overlap
PCI DSS and HIPAA share several requirements, making simultaneous compliance more achievable:
- Encryption in transit — both require TLS for transmitting sensitive data over networks
- Access controls — both require limiting access to sensitive data to authorized individuals
- Audit logging — both require logs of who accessed sensitive data, when, and what actions were taken
- Vulnerability management — both require keeping systems patched and protected against known vulnerabilities
- Physical security — both require securing systems that process sensitive data from unauthorized physical access
A well-designed security program can satisfy both frameworks simultaneously rather than maintaining two separate compliance programs.
3. Where They Diverge
The critical divergence: PCI DSS does not address PHI, and HIPAA does not address cardholder data specifically. A healthcare organization can be fully PCI compliant and still violate HIPAA through its payment processes.
HIPAA-specific requirements that PCI DSS doesn’t cover:
- Business Associate Agreements — HIPAA requires executed BAAs with vendors who handle PHI. PCI DSS has no equivalent.
- Minimum necessary standard — HIPAA requires limiting PHI to only what’s necessary for the purpose. PCI focuses on cardholder data minimization, not clinical data.
- Patient rights — HIPAA grants patients rights to access and correct their PHI. PCI has no patient-facing rights requirements.
- Breach notification — HIPAA requires notifying affected individuals, HHS, and potentially the media after a PHI breach. PCI has different notification requirements focused on card brands and banks.
- Workforce training — HIPAA requires documented HIPAA training for staff. PCI requires security awareness training, but with different content requirements.
PCI DSS-specific requirements that go beyond HIPAA:
- Card data environment segmentation — PCI requires network segmentation of systems that process cardholder data
- Penetration testing — PCI requires regular penetration tests of cardholder data environments
- File integrity monitoring — required for critical system files in the cardholder data environment
- Specific password complexity rules — PCI specifies minimum password requirements for systems in scope
4. The BAA Gap: Why Most Standard Processors Fail Healthcare
The most consequential compliance gap for healthcare organizations using standard payment processors is the absence of a Business Associate Agreement. A processor that won’t sign a BAA cannot legally handle PHI under HIPAA, regardless of how secure their technical infrastructure is.
Stripe, PayPal, and Square do not sign BAAs for standard merchant accounts. This means:
- Any payment transaction that associates a charge with a patient’s medical record involves PHI
- That PHI is being processed by a vendor with no BAA
- This is a HIPAA violation regardless of whether a breach occurs
The fix is not to switch to a more technically secure processor; it is to use a processor that will sign a BAA.
5. Dual Compliance in Practice: A Checklist
| Area | PCI requirement | HIPAA requirement | Status |
|---|---|---|---|
| Processor agreement | Standard merchant agreement | BAA required | Check both |
| Hosting | PCI-compliant server environment | HIPAA BAA with hosting provider | Check both |
| Encryption in transit | TLS 1.2+ required | Encryption required for PHI | Shared requirement |
| Access controls | Least-privilege for cardholder data | Minimum necessary for PHI | Shared principle, separate scope |
| Audit logs | 12 months retention required | 6 years retention required | Use 6-year retention to satisfy both |
| Breach notification | Notify card brands, acquirer | Notify individuals, HHS (within 60 days) | Separate processes required |
| SAQ/Risk Assessment | Annual SAQ completion | Ongoing risk analysis | Separate documents |
6. How ConvesioPay + Convesio Addresses Both
ConvesioPay is built on Adyen’s infrastructure, which maintains PCI DSS Level 1 certification (the highest level of PCI compliance, subject to an annual on-site audit by a Qualified Security Assessor). Using ConvesioPay’s embedded checkout widget keeps WooCommerce merchants in SAQ A-EP territory, because card data is captured on Adyen’s servers rather than yours.
For HIPAA:
- ConvesioPay offers BAAs for healthcare merchant accounts
- Convesio’s HIPAA-compliant WordPress hosting provides a BAA for the infrastructure layer
- Together, they cover both the payment and hosting layers under properly executed BAAs
For more on PCI compliance specifically, see PCI Compliance for Small Business: What You Actually Need to Do. For HIPAA payment requirements, see HIPAA Compliant Payment Processing: The Complete Guide.
One provider, both frameworks covered. ConvesioPay + Convesio HIPAA hosting provides BAAs for both payment processing and infrastructure, the complete dual-compliance stack for healthcare organizations. Talk to our team →