
Compliance Mistakes You Don’t Know You’re Making That Can Cost You Thousands

Taking the Fear of Compliance Mistakes out of Regulatory Compliance

The phrase “regulatory compliance” often strikes fear in even the most seasoned executives, but it doesn’t need to be that way. Education and awareness are critical, so let’s look at the top two regulations that your company may need to think about: the Payment Card Industry Data Security Standard (PCI-DSS) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).


What is Regulatory Compliance?

Regulatory compliance refers to the steps an organization puts in place to comply with the state, federal, and international laws and regulations that are relevant to its business operations. If regulatory compliance is violated, a company may incur monetary and even criminal penalties.



Payment Card Industry Data Security Standard (PCI-DSS)

If your company directly accepts payments for goods or services through payment cards (VISA, AMEX, and Discover for example), you need to have a plan for PCI-DSS compliance.

PCI-DSS was established to prevent credit card fraud. This is accomplished by putting standardized controls (rules) in place at all merchants accepting cards. This is a good thing. It increases your customers’ confidence because they know you are actively working to protect their card data.


There are six control objectives required under PCI-DSS:

1. Build and Maintain a Secure Network and Systems

2. Protect Cardholder Data

3. Maintain a Vulnerability Management Program

4. Implement Strong Access Control Measures

5. Regularly Monitor and Test Networks

6. Maintain an Information Security Policy


Let’s quickly break down each of the objectives:

1. Build and Maintain a Secure Network and Systems

Simply put, the company needs to have basic security in place. This means having a firewall and password-protected computers. Do not use default passwords on any systems or software.


2. Protect Cardholder Data

If you take orders over the phone, do not leave cardholder information on a notepad or sticky note. Preferably, the numbers are entered directly into your terminal system or software and, wherever possible, never stored.


3. Maintain a Vulnerability Management Program

Make sure you are using up-to-date anti-virus and anti-malware protection on all systems. 

All operating systems must be current and patched. Third-party software must be up to date.


4. Implement Strong Access Control Measures

Limit access to, and protect, the equipment used to process transactions. If you must write down card data, make sure it is shredded afterward. Any system used to process transactions must have its drives destroyed when it is decommissioned.


5. Regularly Monitor and Test Networks

Network scans, both internal and external, need to be performed on a regular schedule and whenever there is a change to systems or software.


6. Maintain an Information Security Policy 

Establish and maintain an information security policy. Review this policy at least annually, and train employees on security awareness and social engineering. Screen new employees to limit the incidence of internal breaches. Lastly, have an incident response plan in case of a data breach.

There are a lot of things to consider. If you need help understanding any of these controls, reach out to your IT Security Professional or Edge Networks.


Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA was passed into law to provide a framework to safeguard Protected Health Information (PHI). 

PHI is defined as any piece of information in an individual’s medical records that could be used to identify them personally. Basic examples include name, social security number and date of birth. Many other identifiers are included, and these continue to evolve as more technology is used in healthcare.

If your company is healthcare-focused, then you are very familiar with HIPAA. Your company falls into a group called “covered entities”.



There are three main categories of covered entities: Health plans, Clearinghouses and Providers.

  • Health plans include insurance companies, health maintenance organizations (HMOs) as well as employer-sponsored health plans.
  • Clearinghouses are organizations that process health information to conform to the prevailing standards for data content or format. Clearinghouses act on behalf of other organizations.
  • Providers include doctors, clinics, dentists, nursing homes, pharmacies and chiropractors, to name a few: essentially any organization that submits healthcare-related claims to another covered entity.

You might feel a sense of relief when you notice that you are not on the list of covered entities. However, you may not be off the hook just yet. If you perform work for these organizations, you may be what is known as a business associate, and you must also be compliant. In this situation, you must enter into a contract called a Business Associate Agreement (BAA). 

The BAA details what information your company has a responsibility to protect. A few examples of service companies considered business associates are shredding services, attorneys, accountants, marketing services, and transportation services. This is not an exhaustive list. Please check with legal counsel if you are unsure.

To ensure health data protection is taken seriously, there can be monetary penalties associated with unauthorized disclosure of PHI. Penalties are levied based upon the severity and negligence of a given disclosure.


There are four HIPAA violation penalty tiers and associated monetary penalties:

  • Tier 1 – A violation that the covered entity was unaware of and could not realistically have avoided, even had someone taken a reasonable amount of care to abide by HIPAA Rules. Minimum fine of $100 per violation up to $50,000.
  • Tier 2 – A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. Minimum fine of $1,000 per violation up to $50,000.
  • Tier 3 – A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation. Minimum fine of $10,000 per violation up to $50,000.
  • Tier 4 – A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation. Minimum fine of $50,000 per violation.




The penalties are adjusted for inflation annually.

Individuals involved in disclosures can also incur criminal penalties. These penalties are based on the severity and negligence involved in the disclosure. If an individual has profited from the theft, access or disclosure of protected health information (PHI), then those monies may also have to be forfeited in addition to the fine.

There are three tiers of criminal penalties for HIPAA violations:

  • Tier 1 – Reasonable cause or no knowledge of violation – Up to 1 year in jail.
  • Tier 2 – Obtaining PHI under false pretense – Up to 5 years in jail.
  • Tier 3 – Obtaining PHI for personal gain or malicious intent – Up to 10 years in jail.

The value of PHI on the black market continues to increase. This has been a big temptation for some individuals given recent economic conditions. Social engineering and malware attacks aimed at gaining access to this valuable data are on the rise.

It is imperative that organizations subject to this Act take appropriate actions to reduce the risk of breaches.


Regulatory Compliance Matters

This is just a brief glimpse of the two main regulations that you may encounter in your business. It is best practice to review your compliance policies at least annually, and certainly when a change is made to the regulations.

If your company lacks in-house talent with the detailed knowledge needed to ensure compliance, we recommend that you consult with legal counsel. For the technical and operations aspects, you should reach out to a knowledgeable compliance and technology partner like Edge Networks to assist you with your journey into the compliance world. The investment will immediately begin to pay for itself because you just cannot put a price on your peace of mind. Contact us today for a free, 30-minute consultation.

