Healthcare organisations have a compliance challenge that most industries don't face: two separate regulatory frameworks, covering different types of sensitive data, can apply to the same phone call.
A patient calls to pay their bill. That conversation might include their name, date of birth, treatment history, and insurance details — all protected health information under HIPAA. The same call then involves their credit card number, expiry date, and CVV — cardholder data under PCI DSS. Two data types, two compliance regimes, one call recording.
Understanding where HIPAA and PCI DSS overlap, and where they diverge, is essential for healthcare contact centres that want to handle both without creating gaps in either.
What HIPAA Covers
The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses — and their business associates. Its Privacy Rule and Security Rule govern how protected health information (PHI) is used, stored, and shared.
PHI includes any individually identifiable health information: names, addresses, dates, Social Security numbers, medical record numbers, diagnosis codes, treatment details, and billing information related to health services. If a piece of information could identify a patient and relates to their health, it's PHI.
HIPAA requires covered entities to implement administrative, physical, and technical safeguards to protect PHI. It governs who can access PHI, how it's transmitted, and what happens when there's a breach. Penalties range from $100 to $50,000 per violation depending on the level of culpability, with annual caps in each category.
What PCI DSS Covers
The Payment Card Industry Data Security Standard applies to any organisation that processes, stores, or transmits payment card data. It's a contractual requirement imposed by the card networks (Visa, Mastercard, Amex, and others) rather than a law, but the consequences of non-compliance — fines, increased transaction fees, and loss of the ability to accept card payments — are serious.
PCI DSS covers cardholder data: the primary account number (card number), cardholder name, expiry date, and service code. It also covers sensitive authentication data including the CVV/CVC security code. The standard sets requirements for network security, access control, monitoring, testing, and information security policies.
Where They Overlap
Several principles run through both frameworks:
- Access control. Both require that access to sensitive data is restricted to those who need it. HIPAA's minimum necessary standard and PCI DSS's need-to-know principle say the same thing in different language.
- Encryption in transit. Both require that sensitive data is encrypted when transmitted across networks. A call recording transmitted to a cloud storage system needs to be encrypted regardless of which framework you're thinking about.
- Audit logging. Both require records of who accessed what and when. HIPAA requires audit controls as a technical safeguard; PCI DSS Requirement 10 mandates logging and monitoring of all access to network resources and cardholder data.
- Breach notification. Both impose notification obligations when sensitive data is compromised. HIPAA's breach notification rule and PCI DSS's incident response requirements are different in detail but similar in intent.
- Third-party risk management. Both require that vendors and business associates who handle sensitive data on your behalf meet appropriate security standards. PCI DSS's service provider requirements and HIPAA's Business Associate Agreement (BAA) requirements address the same underlying risk.
Where They Diverge
Despite the overlaps, there are meaningful differences in approach and scope.
HIPAA is a US federal law with statutory penalties enforced by the Department of Health and Human Services Office for Civil Rights. It applies specifically to healthcare entities and their business associates. Compliance isn't optional and can't be contracted away.
PCI DSS is a contractual standard set by a private industry body (the PCI Security Standards Council). Compliance is enforced through your merchant agreement with your acquiring bank. Different merchant levels face different assessment requirements — large merchants need a Qualified Security Assessor (QSA) to validate compliance; smaller merchants may self-assess using a Self-Assessment Questionnaire (SAQ).
HIPAA has no equivalent of PCI DSS's tiered merchant levels. All covered entities face the same core requirements regardless of size, though the Office for Civil Rights exercises discretion in how it enforces against smaller organisations.
The data types are also distinct. HIPAA covers a much broader category of information — essentially anything identifying that relates to health. PCI DSS is precisely scoped to payment card data. A patient's diagnosis is irrelevant to PCI DSS. A card number is irrelevant to HIPAA (though billing information related to health services may be PHI).
The Call Recording Problem in Healthcare
Here's where the practical challenge bites for healthcare contact centres: you need call recordings, and those recordings are a compliance landmine.
You need recordings for clinical quality monitoring, dispute resolution, staff training, and regulatory compliance. HIPAA doesn't prohibit recording — recordings of patient conversations can be legitimate PHI, handled under appropriate safeguards.
But when a patient pays their bill during the same call, their card data enters that recording too. Now you have a recording that contains both PHI (protected under HIPAA) and cardholder data, including the CVV, which PCI DSS prohibits storing after authorisation.
PCI DSS Requirement 3.2.1 is explicit: sensitive authentication data — including the CVV — must not be stored after authorisation, even if encrypted. A call recording that captures a customer reading their CVV aloud is a PCI violation, full stop, regardless of how securely you store the recording itself.
Pause and resume — manually stopping the recording during card capture — is one response to this. But it creates gaps in your recordings, complicates HIPAA compliance monitoring, and relies on agents doing the right thing every time. If an agent forgets to resume, or resumes before the patient has finished, you have a problem.
How DTMF Masking Addresses Both Frameworks
DTMF masking solves the call recording problem cleanly. When a patient is prompted to enter their card details using their phone keypad rather than reading them aloud, the card data never enters the audio stream at all. The recording captures a series of flat beeps instead of spoken digits.
This means:
- The recording stays running throughout the call. There are no gaps, no pauses, no missing sections. Your HIPAA quality monitoring works as normal.
- Card data — including the CVV — never appears in the recording. PCI DSS Requirement 3.2.1 is satisfied without requiring the agent to manually intervene.
- Patient data and payment data are effectively isolated within the same call. The recording contains the conversation but not the card details.
This is particularly valuable in healthcare because the clinical quality of the full call matters. A recording with a 90-second gap during the payment step is harder to use for training or dispute resolution than one that captures the entire interaction.
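The two recording strategies described above, as an added example that is not code from the original post or from Paytia: a Python simulation of one constructed call handled under pause-and-resume (paused correctly, resumed too early, and never paused) and under DTMF masking, followed by the two checks a compliance reviewer would run on the stored recording: a scan for Luhn-valid card numbers and a CVV, and a scan for gaps in the recording timeline. The call events, their timings, the CVV 737 and the use of the well-known Visa test number 4111 1111 1111 1111 are all constructed for the illustration; the "[tone]" marker and the separate payment channel are assumptions about how a masked pipeline is modelled, not any vendor's implementation.

```python
from __future__ import annotations
from dataclasses import dataclass
import re

# Constructed sample values: 4111 1111 1111 1111 is the standard Visa test PAN,
# the CVV is made up.
TEST_PAN = "4111111111111111"
TEST_CVV = "737"


@dataclass(frozen=True)
class Event:
    t: float    # seconds from call start
    kind: str   # "speech" travels on the audio path; "dtmf" is a keypad tone
    text: str   # words spoken, or the single keypad digit
    phase: str  # "clinical" or "payment"


def build_call(keyed: bool) -> list[Event]:
    """Constructed call: clinical discussion, payment, wrap-up.
    keyed=True: patient enters the card on the keypad (DTMF).
    keyed=False: patient reads the card details aloud."""
    call = [
        Event(0.0, "speech", "Hi, I'm calling about my MRI results and my outstanding balance", "clinical"),
        Event(12.0, "speech", "Doctor Lee said the scan showed nothing unusual", "clinical"),
        Event(40.0, "speech", "I'd like to pay the balance now", "payment"),
    ]
    t = 45.0
    if keyed:
        for digit in TEST_PAN + TEST_CVV:
            call.append(Event(t, "dtmf", digit, "payment"))
            t += 1.0
    else:
        call.append(Event(t, "speech", f"card number {TEST_PAN}", "payment"))
        call.append(Event(t + 15.0, "speech", f"security code {TEST_CVV}", "payment"))
        t += 20.0
    call.append(Event(t + 5.0, "speech", "Thanks, is my follow-up still next Tuesday", "clinical"))
    return call


@dataclass
class Recording:
    transcript: str                      # what reaches the stored recording
    covered: list[tuple[float, float]]   # intervals during which the recorder ran


def pause_resume(call: list[Event], pause_at: float, resume_at: float) -> Recording:
    """Agent stops the recorder at pause_at and restarts it at resume_at.
    Anything said in between is lost; everything else is stored verbatim."""
    end = call[-1].t + 1.0
    lines = [e.text for e in call if not (pause_at <= e.t < resume_at)]
    return Recording(" | ".join(lines), [(0.0, pause_at), (resume_at, end)])


def dtmf_masked(call: list[Event]) -> tuple[Recording, str]:
    """Recorder runs for the whole call. Keypad tones become a flat "[tone]"
    marker before the audio reaches storage (assumed model); the digits go only
    to the separate payment channel, returned here for inspection."""
    end = call[-1].t + 1.0
    lines, payment_channel = [], []
    for e in call:
        if e.kind == "dtmf":
            payment_channel.append(e.text)
            lines.append("[tone]")
        else:
            lines.append(e.text)
    return Recording(" | ".join(lines), [(0.0, end)]), "".join(payment_channel)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to tell a PAN from any other long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def find_card_data(transcript: str) -> list[tuple[str, str]]:
    """Flag Luhn-valid 13-19 digit runs (a PAN) and a 3-4 digit group that
    follows 'security code'/'cvv'/'cvc' (the CVV that must not be stored)."""
    findings = []
    for m in re.finditer(r"(?<!\d)\d{13,19}(?!\d)", transcript):
        if luhn_ok(m.group()):
            findings.append(("PAN", m.group()))
    for m in re.finditer(r"(?i)(?:security code|cvv|cvc)\D{0,10}(\d{3,4})(?!\d)", transcript):
        findings.append(("CVV", m.group(1)))
    return findings


def gaps(rec: Recording, min_gap: float = 1.0) -> list[tuple[float, float]]:
    """Intervals of at least min_gap seconds in which the recorder was not running."""
    return [(a_end, b_start)
            for (_, a_end), (b_start, _) in zip(rec.covered, rec.covered[1:])
            if b_start - a_end >= min_gap]


def compare() -> dict[str, tuple[list[tuple[str, str]], list[tuple[float, float]]]]:
    """Run each strategy; report (card data found in recording, recording gaps)."""
    spoken, keyed = build_call(keyed=False), build_call(keyed=True)
    results = {}
    r = pause_resume(spoken, 45.0, 70.0)   # paused at card capture, resumed after wrap-up begins
    results["pause_resume_correct"] = (find_card_data(r.transcript), gaps(r))
    r = pause_resume(spoken, 45.0, 55.0)   # resumed too early; the CVV is still to come
    results["pause_resume_early"] = (find_card_data(r.transcript), gaps(r))
    r = pause_resume(spoken, 0.0, 0.0)     # agent never paused at all
    results["pause_resume_forgotten"] = (find_card_data(r.transcript), gaps(r))
    r, _digits = dtmf_masked(keyed)        # no agent action: continuous, no digits stored
    results["dtmf_masked"] = (find_card_data(r.transcript), gaps(r))
    return results


if __name__ == "__main__":
    for name, (found, missing) in compare().items():
        print(f"{name:24s} card data: {found or 'none'}  gaps: {missing or 'none'}")
```

The CVV scan relies on the spoken cue word, so on real recordings a scanner would run over a speech-to-text transcript with broader patterns; the point of the DTMF-masked path is that there is nothing in the audio for such a scan to find, and the timeline check shows no gap for the HIPAA quality reviewer to explain.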
What Healthcare Organisations Should Be Asking Their Telephony Vendors
If you're evaluating payment solutions for a healthcare contact centre, the key questions are:
- Does card data ever enter our call recordings? If the answer is yes (or "it depends on agents following the process"), that's a PCI risk you need to quantify.
- Does the payment solution maintain a continuous recording? Gaps in recordings create HIPAA monitoring gaps.
- Can you provide an AOC (Attestation of Compliance) as a service provider? If your payment vendor is handling cardholder data on your behalf, you need documented evidence of their compliance.
- How does the solution handle BAA requirements? If the vendor's systems ever process PHI, they need to sign a Business Associate Agreement.
A Note on Scope Reduction
One of the benefits of DTMF masking in healthcare settings is that it reduces the scope of your PCI DSS obligations. If card data never enters your contact centre infrastructure — because the customer keys it directly into a secure payment channel — then your call recording systems, your agent workstations, and your contact centre network are all outside PCI scope.
That matters because PCI scope reduction simplifies your annual compliance assessment, reduces the controls you need to implement across your environment, and reduces the number of systems that need to be included in vulnerability scanning and penetration testing.
It doesn't reduce your HIPAA obligations — PHI scope is defined differently and is harder to reduce — but it does mean you're not trying to manage two overlapping compliance scopes for the same infrastructure.
Getting the Balance Right
Healthcare contact centres have genuinely complex compliance requirements. HIPAA and PCI DSS were written by different bodies, at different times, with different enforcement mechanisms, and they don't fit together perfectly.
The practical approach is to understand where each framework's requirements apply, address the call recording problem properly (DTMF masking rather than pause and resume), and work with vendors who understand healthcare compliance and can provide the documentation — AOCs, BAAs, compliance certificates — that your own compliance programme needs.
Paytia works with healthcare organisations that need to handle patient payments over the phone while meeting both HIPAA and PCI DSS requirements. If you want to talk through your specific situation, get in touch.