Many businesses hold inaccurate assumptions about achieving and maintaining compliance in the face of the complex regulations in their industry. Primarily, they assume compliance is a one-time project rather than an ongoing process. Most often it is something they completed several years ago using a piece of software or a find-and-replace Word template. Unfortunately, more often than not businesses fail to see that compliance is an ongoing effort. Regulations such as HIPAA/HITECH, PCI DSS, SOX, etc. are prime examples of continuous efforts. All of these regulations are dynamic and change often, requiring concerted efforts to maintain compliance. They also set requirements for how frequently you should review your compliance efforts. For example:
The Health Insurance Portability and Accountability Act (HIPAA) requires administrative, physical and technical safeguards to be in place to protect ePHI (electronic Protected Health Information). HIPAA requires considerable ongoing effort in response to changes in your risk exposure, the termination of an employee, or even a data breach (among many other things). At a minimum, to maintain compliance you should review your administrative, physical and technical safeguards on an annual basis, if not more often.
The Health Information Technology for Economic and Clinical Health Act (HITECH) contains provisions requiring ongoing audits. In essence, healthcare providers and covered entities are required to actively monitor for breaches of ePHI or PHI (electronic Protected Health Information or Protected Health Information). This assumes ongoing monitoring and review to show due diligence and maintain compliance.
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that applies to any organization that accepts credit cards. This standard mandates that you implement technical and audit requirements to protect cardholder data from a data breach. A QSA (Qualified Security Assessor) like Evolutionary IT helps companies create a ROC (Report on Compliance), which details compliance status and efforts. Organizations that suffer a data breach can be fined or held liable for losses if they are shown not to have had adequate security controls in place. Again, this compliance isn't a single one-time effort but an ongoing effort on the part of the organization.
I hope that after these few examples you see how compliance isn't a one-time action or project but an ongoing process. Beware of any organization that will sell you a solution that seems too good to be true and doesn't account for the need to reassess your risk and compliance status. Unfortunately, there is no magic compliance solution, but a qualified IT partner can keep you in compliance by actively maintaining it as a process. Have compliance concerns or questions? Comment below or contact us. As always, feel free to join our newsletter for up-to-date tips on how to stay compliant.