What is Compliance (and why you should care)?
As a company leader, you have probably found compliance to be time-consuming, confusing and an expensive part of owning a business. But you have also learned the most important lesson: ignoring your industry's regulatory obligations has become harder to get away with. Paying proactive attention to compliance has kept your operational costs down, protected your investment and reputation, and kept you from being fined or shut down.
Not every business owner or decision-maker has taken those steps. Ask these individuals whether they are compliant and they will often tell you, honestly, that they do not know which rules apply to them. So they do nothing to stay informed, or the people responsible for compliance have dropped the ball on their regulatory duties. This article gives you information you can pass along to your team or to the business peers you meet with regularly.
What is Business Compliance?
Compliance, in the plain sense, is obeying a command or rule. In an industry governed by regulatory guidelines, business compliance means obeying a law, regulation, statute, policy, standard or specification. Non-compliance brings some form of disciplinary action from the governing body, e.g., fines, imprisonment, loss of revenue, business closure, or a combination of these.
So, when you explain business compliance, remember that the person on the other side of the table may not have your knowledge or experience on the topic. That peer may know little about, or be only somewhat familiar with, the standards and regulations that touch their industry, such as HIPAA, PCI DSS, the NIST frameworks and GDPR. Most companies fail to realize which of these guidelines actually apply to them.
How Would Non-Compliance Affect An Organization?
Let's briefly look at HIPAA. It seems clear cut, right? If you are not a doctor or a hospital, you don't need to pay attention to it. Ask someone at the U.S. Department of Health & Human Services (HHS.gov) and you would get a different answer. Several industries once deemed exempt, e.g., legal, financial and consulting firms, now fall under HIPAA's "Business Associate" category, and since the 2013 Omnibus Rule business associates are directly liable for HIPAA violations. These firms, too, sign a Business Associate Agreement with the medical establishment they serve.
That means traditional medical companies must make sure their vendors follow HIPAA guidelines. As a result, we see more vendors coming to us for their compliance needs because HIPAA is showing up as an RFP or bid requirement. Without compliance, that vendor is not allowed to bid on a job, let alone provide ongoing service. To take it a step further, newer standards such as CMMC (Cybersecurity Maturity Model Certification) are now required to do business on Department of Defense contracting projects.
What Industries Are Required to Sign A Business Associate Agreement?
It might surprise you, but when a vendor, as a third party, conducts business within the medical industry, signing a Business Associate Agreement (BAA) is expected. Not every company is considered a Business Associate, however, and those that are not are not required to sign such documentation. The deciding question under HIPAA is not the vendor's industry label but whether the vendor creates, receives, maintains or transmits protected health information (PHI) on the covered entity's behalf; a vendor that never touches PHI is generally not a Business Associate, while one that does is, whatever its line of business.
Vendors commonly required to sign a BAA:
- Cloud/IT database providers
- CRM providers
- Answering services
- Billing services
- Lawyers/legal firms
- Insurance providers
- Medical labs
- Medical transportation services
- Appointment reminder/notification services
- Shredding services
Vendors not commonly required to sign a BAA:
- Janitorial services
- Website hosting
- Medical waste services
- Developers
- Business consultants
- Direct mail companies
What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) seems straightforward. It is not a law but a contractual requirement that the card brands impose, through your acquiring bank or processor, on every business that stores, processes or transmits cardholder data. Here is the critical point a business owner or decision-maker needs to remember: even if you only occasionally take credit cards as payment, your business is still required to follow PCI DSS. That holds even if you received only one credit card payment in a year.
A common misperception is that the credit card processor "handles" or is responsible for your compliance. That is only partially correct. The processor is responsible for its own environment, and most processors offer a merchant compliance service (which most customers decline). In the event of a breach, the processor can show full compliance on its end, but you remain responsible if the breach came from your own systems or handling practices. Think about that time you called in to pay for something and the person on the other end verbally took down your credit card number. Did they write it down? Card numbers scribbled on paper or typed into a notes file are exactly the unprotected cardholder data PCI DSS forbids, and they are your liability, not the processor's.
What Should You Know About Cyber Security Laws?
In addition to industry regulations, every U.S. state has enacted and enforces its own cybersecurity and data-breach laws. Those statutes can impose significant fines and typically require a full investigation and notification of every exposed party, all paid for by you, the owner. Some states, New York's SHIELD Act being one example, apply their laws to any business that holds private information about their residents, regardless of where that business is located, so having clients or customers in a state can put you under its rules. As you can see, following all these different regulations can quickly become time-consuming and confusing.
What Should You Know About Cyber Security Insurance?
The last compliance factor is cybersecurity insurance. Like most insurance, cyber policies started simple and have become more sophisticated as technology and the threat landscape have changed. Applications now routinely ask about specific controls, such as multi-factor authentication, offline backups and endpoint detection, and a claim can be reduced or denied if the answers on the application do not match what is actually in place when an incident occurs. Making sure your current IT infrastructure matches what your policy requires is critical to getting claims paid when they happen.
This information should prepare you to discuss compliance with your peers and colleagues, or with us. Advantage Industries takes compliance and security seriously. Contact us today to determine which guidelines you need to follow and to help you create a budget to protect your business.