Data Compliance

From HIPAA and Data Privacy to PCI Compliance, we do the work to make compliance easy for you. We are certified in key regulations and follow clearly defined processes to identify gaps, resolve issues, avoid fines, preserve your ability to accept credit card payments, and meet control requirements.

HIPAA and HITECH Compliance

With a growing reliance on information technology in the Healthcare Industry and the adoption of electronic medical records (EMR), ensuring the safe handling of sensitive data is crucial. The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules define requirements for the appropriate use and safeguarding of protected health information (PHI). The Health Information Technology for Economic and Clinical Health (HITECH) Act provisions, enacted as part of the American Recovery and Reinvestment Act in February 2009, include updates to the HIPAA Standards intended to strengthen the privacy and security of health information.
The HIPAA Security Rule’s requirements are organized into three categories: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Within these categories are 18 standards and 36 implementation specifications. Implementation specifications are further categorized as “Required” or “Addressable”. Required specifications are critical and must be implemented. Addressable specifications are considered scalable based on the individual needs and practices of an entity. The Security Rule’s focus is on the safeguarding of electronic Protected Health Information (e-PHI).
While the Security and Privacy Rules share the common goal of safeguarding Protected Health Information (PHI), the Privacy Rule applies to all media types, including paper, oral, and electronic. The Privacy Rule requires organizations to consider the confidentiality, integrity, and availability of PHI. Further, procedures need to be in place to address the use and disclosure of PHI, the notice of privacy practices, and the minimum necessary approach to using PHI.
Staghorn Technology Group can perform an assessment to evaluate an organization’s compliance with the HIPAA Security and Privacy Rule requirements and HITECH Act provisions (such as breach notification), as well as your overall security and data privacy posture.

PCI COMPLIANCE

If you’re looking to accept credit cards online, you need to meet certain payment card security standards, known as PCI compliance, to protect your customers’ information.

What is PCI compliance?
Payment Card Industry (PCI) security standards are minimum requirements for protecting your customers’ payment card information. Adopted by Visa, MasterCard, American Express, Discover Card, and JCB, PCI compliance is required for all merchants, regardless of size, that store, transmit, or process payment card information. Said another way, if any customer of an organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Most common myths about PCI Compliance:
1. Myth: I’m a small merchant who only takes a handful of cards, so I don’t need PCI.
Fact: This is a common misunderstanding of the standard: that small merchants handling only one or a few credit cards a year are exempt from compliance. If you are a merchant and are set up to take credit cards by any mechanism, then you need to be compliant.
2. Myth: PCI only applies to e-commerce companies.
Fact: No, PCI applies to every company that stores, processes or transmits cardholder information. In fact, anyone who takes card-present transactions involving POS devices is typically more at risk than e-commerce solutions. Quite often these types of transactions involve storage of track data (which is forbidden under PCI). Compromise of this type of data may bring heavy fines and requests for compensation from the banks involved.
3. Myth: You only have to be PCI compliant with the majority of criteria.
Fact: The pass mark for PCI is 100%, so if you fail even one of the criteria, you are not PCI compliant. The standard is not meant to be something to strive for; it is essentially a floor, a basis for further security measures. Failing to achieve even one of the requirements is failing to meet a basic standard for handling cardholder information. All companies that routinely handle this type of data should be aiming to exceed the standard. It’s just good business.
4. Myth: I only need to protect my credit card data, not ATM debit card related data.
Fact: Incorrect, both are required. Many debit cards are dual-purpose ‘signature debit’ cards, which can be used on both debit and credit card networks. As such, they are covered under PCI and must be protected in the same way as credit cards.
5. Myth: I can wait until my business grows.
Fact: Incorrect, the PCI standard applies to businesses of all sizes, and waiting could be costly. Should you be compromised while not PCI compliant, the fines and the compensation requirements from the banks (it typically costs between $50 and $90 to replace one card) could be substantial.

Staghorn Technology Group is here to help you navigate the PCI standard and meet the expectations of your program sponsor (such as your acquiring bank or processor) and the card brands (Visa, MasterCard, American Express and Discover), as quickly and efficiently as possible.
