Double Compliance


I haven’t ever been bound by HIPAA or PCI regulations with the data I’ve managed. Those laws hadn’t been enacted when I worked in those industries, and so I’ve never had to go through an audit. I have been through ISO 9000 and SOX audits, and I found those audits to be both a pain and a good idea. Various inconsistencies and exceptions in our policies were found, often strengthening our security or bringing more consistency (and stability) to our organization. Those two audits were also very close in scope and requirements. If we could pass one, we typically could pass the other.

However, PCI and HIPAA are not the same, and you shouldn’t expect that passing one would mean you could pass the other. Most of us wouldn’t be bound by both of these, since they apply to organizations handling payment card data and to those handling protected health information, respectively. However, as we look to move forward and use new partners in business, including cloud services, we should be aware that just because a company has one certification doesn’t mean it has the other. If your business partner is PCI compliant in some way, I wouldn’t assume that this means they are in any way HIPAA compliant, and vice versa.

Should we have standards for data protection that matter to a variety of industries? I’m not sure we should, despite the hassles that may mean for those of us bound by these regulations. Each industry and type of business has its own requirements, some of which are not applicable to other fields. Trying to build one standard for privacy, security, or any other requirement is likely to mean a watered-down, ill-fitting regulation that doesn’t protect any data well. Instead we should have specific requirements we need to meet to provide security (or any other need), without specifics on the technology or implementation used.

Most of you probably don’t like the idea of any regulation, and I’d like to agree with you. However, I’ve seen too many people ignore good practices, engage in morally debatable activities, and in general treat other people, and data, in a way they wouldn’t want to be treated themselves. A little regulation that limits abuses and gross malpractice is a good thing. Too much regulation, specifying details that are often obsolete before they can be enforced, is a bad idea.

Steve Jones

About way0utwest

Editor, SQLServerCentral
This entry was posted in Editorial.