HIPAA, HITECH, PCI Compliance Failures

Many businesses hold inaccurate assumptions about achieving and maintaining compliance in the face of the complex regulations in their industry. Primarily, they assume compliance is a one-time project rather than an ongoing process. Most often it is something they completed several years ago using a piece of software or a find-and-replace Word template. Unfortunately, more often than not, businesses fail to see that compliance is an ongoing effort. Regulations such as HIPAA/HITECH, PCI, SOX, etc. are prime examples of continuous efforts. All of these regulations are dynamic and change often, requiring concerted effort to maintain compliance. They also set requirements for how frequently you should review your compliance efforts. For example:


The Health Insurance Portability and Accountability Act requires administrative, physical and technical safeguards to be in place to protect ePHI (electronic Protected Health Information). HIPAA requires considerable ongoing effort in response to changes in your risk exposure, the termination of an employee, or even a data breach (among many other things). At a minimum, to maintain compliance you should review your administrative, physical and technical safeguards on an annual basis, if not more often.


The Health Information Technology for Economic and Clinical Health Act contains provisions requiring ongoing audits. In essence, healthcare providers and covered entities are required to actively monitor for breaches of ePHI or PHI (electronic Protected Health Information or Protected Health Information). This assumes ongoing monitoring and review to show due diligence and maintain compliance.


The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that applies to any organization that accepts credit cards. The standard mandates that you implement technical and audit requirements to protect cardholder data from a breach. A QSA (Qualified Security Assessor) like Evolutionary IT helps companies create a ROC (Report on Compliance), which details their compliance status and efforts. Organizations that suffer a data breach can be fined or held liable for losses if they are shown not to have taken adequate security controls. Again, this compliance is not a single one-time effort but an ongoing effort on the part of the organization.

Compliance Process

I hope that after these few examples you see how compliance is not a one-time action or project but an ongoing process. Beware of any organization that will sell you a solution that seems too good to be true and does not account for the need to reassess your risk and compliance status. Unfortunately, there is no magic compliance solution, but a qualified IT partner can keep you in compliance by actively maintaining it as a process. Have compliance concerns or questions? Comment below or contact us. As always, feel free to join our newsletter for up-to-date tips on how to stay compliant.

3 thoughts on “HIPAA, HITECH, PCI Compliance Failures”

  1. A few years ago a friend of mine contacted Microsoft about some security issues with her computer. The man she spoke to did not speak English as his first native tongue. He went through her computer and was telling her to install all this stuff and delete other programs an IT specialist had her install. She finally said stop and told him she doesn’t want these changes being done. He then tried charging her for his time and for programs she needed. She came to find out that it was a fake corporation posing as Microsoft. Moral of the story is don’t trust anyone unless they verify who they are.

  2. I definitely agree! Compliance is a part of an ongoing system, which means it needs to be monitored, changed and updated when required, and it is always constant. It’s not just something you achieve once, then let standards slip until you need to be reassessed.
