COMPLIANCE IS A TEAM PROJECT
Compliance
With all the rules and regulations in the compliance alphabet soup in play today,
it will take more than one person to bring your company in line. We’ve laid out the multiple
roles needed to up your compliance game, especially when it comes to the Health Insurance
Portability and Accountability Act (HIPAA), the HITECH Act, the Payment Card Industry Data
Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR). Note that these
are not one uniform set of national standards: HIPAA and HITECH are US federal law covering
protected health information, PCI DSS is an industry standard imposed by the card brands on any
business that handles payment card data, and GDPR is an EU regulation that reaches any
organization processing the personal data of people in the EU. Work out which of them actually
apply to the data you hold before you build a program around them.
HIPAA
Take HIPAA for example. HIPAA’s Privacy and Security Rules protect
the confidentiality, integrity and availability of a patient’s protected
health information (PHI), and they bind both covered entities (providers,
health plans, clearinghouses) and the business associates that handle PHI
for them. If you think about it from the patient’s perspective it’s a pretty
scary thought that your medical records could be exposed for all to see.
That’s why the Department of Health and Human Services (HHS) enforces
these rules, and why a breach of unsecured PHI has to be reported to HHS
and to the people affected.
IT Team
Your first line of defense against compliance failures is
the technology in use and the team you have to
maintain it. Consult with your IT team to discuss:
Email Encryption: How are emails and files that go in
and out of your office protected from falling into the
wrong hands and revealing private identifying
information? Is mail encrypted in transit between mail
servers, and is anything containing PHI or card data
sent through an encrypted channel or a secure portal
rather than as a plain attachment?
Data Encryption: How do you collect and retain credit
card information? Where could card numbers end up
being stored without anyone intending it: spreadsheets,
mailboxes, call recordings, scanned forms? PCI DSS
forbids storing sensitive authentication data (full track
data, CVV, PIN) after authorization at all, and any stored
primary account number must be rendered unreadable,
for example by tokenization or strong encryption. The
simplest way to close the gap is not to store card numbers
yourself and to hand them straight to a payment processor.
Firewall: Are you protecting your company data and
communications using a screen door that is easily
opened by attackers, or with layered controls: a firewall
that denies everything not explicitly allowed, network
segmentation that keeps systems handling card data or
PHI away from the rest of the office, and logging so you
can see what was blocked and what got through?
◦ Backups: How often, when and where is your company information
backed up? Do you actually test restores to prove the backups are usable,
and is at least one copy kept offline or otherwise out of reach of an attacker
who gets into your network? Is your backup plan compliant with regard to
customer data? Under the HIPAA Security Rule, encryption of PHI at rest is
an “addressable” specification: you may decline it only with a documented
reason and an equivalent alternative, and the practical consequence is that a
lost unencrypted backup of PHI is a reportable breach while a lost encrypted
one generally is not. Backups of PHI, and of any other regulated data, should
therefore be encrypted.
◦ Data Availability and Storage: Who has access to your data? Only
specific individuals in your company should be able to reach sensitive data
such as financial records or payment information. How are you restricting
access on your network and within line-of-business applications? Least
privilege is the test: every account should reach only what its job needs,
and you should be able to produce a list of who can read what.
◦ Physical Access: Who can physically reach computer systems and
servers and walk out the door with them? Do you train your staff to lock
their screens every time they leave their desks, and back that up with an
automatic lock for the times they forget? Are you using privacy filters on
appropriate screens to avoid wandering eyes?
While this may not need to be a full-time role
within your organization, you should have a
compliance champion on staff. Your Managed
Service Provider (MSP) can absolutely set you
up for success, but they are not around to
police your staff every hour of the workday.
Internal Compliance Officer
The Compliance Officer is responsible for ensuring that your staff follows
the compliance policies, maintains vigilance surrounding compliance, keeps
documentation up to date, and works with authorities if necessary.
Specifically, they:
◦ Watch for employees falling into bad habits, like leaving computers
unlocked or sending credit card data around the organization by email
and chat.
◦ Conduct or coordinate online or in-person training to keep compliance top
of mind. We recommend quarterly training at least, in addition to proper
education as soon as a new employee comes on board.
◦ Maintain all the documentation required for compliance, like backup
plans, communication standards, risk assessments and records of who was
trained and when; auditors ask for evidence, not assurances.
◦ Liaise with federal and state regulators as necessary to prevent or
mitigate an issue, with the support of your IT team and legal team.
All Employees
You can have the best technology and the most diligent compliance officer and still
completely fail at compliance if your employees are not on board. At the end of
the day, it comes down to employees actually following the procedures and to clear
communication. To get employee buy-in, here is what we recommend:
Gather everyone together: When you first change
your company’s security protocols to ensure
compliance, explain why to your team. If they suddenly
all need to remember 16-character passwords, replace
those passwords every 90 days and live with 5-minute
screen-lock timeouts, they will appreciate understanding
that it’s not because you’re paranoid. Choose those
requirements deliberately, too: current NIST guidance
(SP 800-63B) favors long passphrases, screening against
known-breached passwords and multi-factor
authentication over forced periodic rotation, so check
what your specific regime actually demands before
imposing rules that only breed sticky notes. Your IT
team can conduct this meeting.
Send regular reminders: It’s easy to fall into what’s
“easier” rather than what’s compliant. Consider sending a
weekly or monthly compliance tip to all of your staff to
keep it top of mind.
Conduct ongoing training: These sessions
should be mandatory, involve your IT team,
and vary enough to stay interesting.
Quarterly should be sufficient unless a
regulation change calls for additional
meetings.
Multi-departmental planning: Different
teams have different uses for data. For
example, the shortcut that helps a salesperson
close a deal, like jotting down a card number
over the phone and emailing it to accounting,
may make it impossible for accounting to
operate within compliance. When it comes
to collecting information that falls under
these rules, every department must be
involved in process development so the
process runs smoothly inside the rules and
regulations.
Compliance is not a one-person game. It involves the whole company and
IT team engagement to really be successful. If you’d like to learn more about
how a Managed Service Provider (MSP) can help keep you compliant at all
times, contact The TNS Group today.