As a small business owner, there are many unique challenges you must face. One of these is dealing with the vague and confusing requirements present in current HIPAA and PCI-DSS legislation. With complex regulatory messaging, if you assume without truly “knowing” you can land your business in some trouble with regulators. Of course this is something you would like to avoid.
The HSS office for Civil Rights receives over 1000 complaints related to HIPAA violations every single year. When it comes to PCI-DSS, almost 70% of business aren’t currently compliant. Maybe you feel like this is okay for your business to not be compliant since other business aren’t following the rules, but let us assure you: this is a mistake. Putting your business at risk of being audited and likely penalized is not something we would recommend.
The Risks of Failing to Meet Minimum Compliance Requirements
If your business doesn’t prioritize compliance, you could face several issues which include:
- Significant penalties – HIPAA violations can draw fines ranging from $100 to $50,000 per violation, with a maximum fine of $1.5 million per calendar year of non-compliance.1 PCI-DSS can squeeze your budget too, with fines ranging from $5,000 to $100,000 per month.3
- Unwelcomed audits – Non-compliance can lead to unpleasant inspections and audits that can result in fines.
- Denial of your business liability insurance claims – You must be extra careful while selecting solutions for your business. Using a single non-compliant solution can cause your insurance provider to deny a liability insurance claim.
- Decline in your business reputation – It takes years to build a reputation and just minutes to ruin it. Don’t let your business fall into the pit of non-compliance.
- Imprisonment or forced closure – In cases of severe non-compliance, regulatory bodies can sanction the arrest of top executives or even close the business.
Are Your Existing Business Tools Compliant?
If you are unsure where to start, assessing your business tools — cloud, VoIP, email service, electronic file-sharing service, applications, etc. — is a good place to start. Here are a few ways to check your existing business tools for compliance:
- Does the tool use AES 256-bit encryption? It doesn’t matter if sensitive data like electronic Protected Health Information (ePHI) is at rest or in transit. Encryption is required by HIPAA.
- A tool with proper access controls ensures those who genuinely need sensitive data can access it. What’s your tool’s access control policy?
- Is there automatic log-off in place if no user activity is detected over a specified timeframe? HIPAA requires this in order to safeguard high-risk data.
- Were the default passwords during the initial setup changed after installation? PCI-DSS specifies the importance of changing passwords to keep threats at bay.
- Are inactive user accounts removed or frozen after the warning period? Inactive accounts are easy targets for attacks.
- Does your tool store, retrieve or transmit cardholder information? If so, it must have the newly mandated version of the Transport Layer Security (TLS) protocol.
These lists are not comprehensive and only scratch the surface. Also, none of the points mentioned above ensure the tool is HIPAA or PCI-DSS compliant. Just consider it a starting point.
If you’re confused about what your next steps should be, don’t worry. TechSeven Partners is here to help. Use our expertise in compliance matters to conduct a comprehensive assessment of your business’s current state of compliance. Contact us now to learn more.