IT Risk & Compliance Assessment

For over 15 years, HIPAA has been regulating ePHI (electronic protected health information) applicable to healthcare providers, insurance providers, and medical clearinghouses.

In 2009, the HITECH Act extended the reach of the laws. With the passing of the final HIPAA Omnibus Rule of 2012, compliance is required for these covered entities and their vendors (business associates). Failure to comply can lead to criminal and civil penalties for covered entities and business associates.

PCI regulations provide guidelines that make sure organizations securely store and continuously monitor cardholder data. To make sure businesses always meet PCI standards and are capable of thwarting the latest cyberattacks, it is important to regularly assess and strengthen security controls.

PCI assessments include discovering cardholder information, accounting tech assets and processes used during payment card processing, and analyzing vulnerabilities. Businesses who fail to comply can be fined up to $100,000 per month.

Learn the PCI compliance facts for small businesses in our 3 Steps to Reliable PCI Compliance article.

Implemented on May 25, 2018, the GDPR regulates data processing, security, data access, privacy, and breach notifications for businesses dealing with the EU.

To ensure GDPR compliance, it is imperative to conduct regular assessments such as gap analysis, data protection impact assessment (DPIA), and policy framework review. Non-compliance to GDPR can result in fines in the millions of dollars or 4% of annual turnover.