Compliance is the word that makes small business owners' eyes glaze over. It sounds expensive, complicated, and like something that only matters for large corporations. Then a breach happens, a regulator asks questions, or a contract requires a compliance attestation — and suddenly it matters enormously.
The good news: most small businesses need to worry about a relatively short list of regulations, and the core requirements aren't that different from each other. If your IT support for small business is set up correctly, you're likely covering most of the technical requirements across all of them simultaneously.
Here's what each major regulation actually requires, who it applies to, and what you need to have in place.
HIPAA: Healthcare and Anyone Who Touches Health Data
HIPAA (Health Insurance Portability and Accountability Act) applies to two categories of businesses:
- Covered Entities: healthcare providers, health plans, healthcare clearinghouses — anyone directly involved in treating patients or processing health claims
- Business Associates: any company that handles Protected Health Information (PHI) on behalf of a covered entity — billing companies, IT providers, cloud storage vendors, transcription services, software vendors whose products store patient data
If you run a medical office, dental practice, physical therapy clinic, mental health practice, or similar — you're a covered entity. If you provide services to healthcare companies and your work involves patient records or data, you're likely a business associate.
What HIPAA Actually Requires from an IT Perspective
- Access controls — only authorized users can view patient data; unique user IDs, automatic log-off, encryption of data at rest and in transit
- Audit controls — logging who accessed what data and when, with records retained for at least 6 years
- Integrity controls — mechanisms to confirm data hasn't been altered or destroyed without authorization
- Transmission security — email encryption when sending PHI; HIPAA-compliant email platforms (not standard Gmail or Outlook without additional configuration)
- Risk analysis — a documented assessment of risks to PHI in your environment, updated when systems change
- Business Associate Agreements (BAAs) — written agreements with every vendor that touches PHI on your behalf, including your IT provider and cloud storage vendor
If your IT provider handles your systems and you're a healthcare business, you need a signed Business Associate Agreement with them. If they don't know what that is, find a different IT provider.
HIPAA Penalties
Civil penalties range from $100 to $50,000 per violation, with annual caps per violation category up to $1.9 million. Willful neglect with no correction: $10,000–$50,000 per violation. Criminal penalties for intentional misuse: up to $250,000 and 10 years imprisonment.
Regulators don't primarily go after large hospitals — small practices have paid significant fines. In 2024, a three-location dental practice paid $350,000 after a breach affecting fewer than 10,000 patients.
GDPR: If You Have Any Customers or Users in the EU
The General Data Protection Regulation applies to any organization that collects or processes personal data of EU residents — regardless of where your business is located. If you have a website that EU residents can use, you're potentially in scope.
For most small US businesses, practical GDPR exposure depends on whether you're actively targeting EU customers. A US-only business with an English-only website and no EU marketing probably has limited exposure. But any business with EU customers, EU website traffic, or EU suppliers who share employee data should take it seriously.
What GDPR Actually Requires
- Lawful basis for data collection — you need a documented reason for every type of personal data you collect (consent, contract fulfillment, legitimate interest, etc.)
- Privacy policy — written in plain language, explaining what you collect, why, how long you keep it, and who you share it with
- Data subject rights — you must be able to respond to requests to access, correct, delete, or export personal data within 30 days
- Data breach notification — notify the relevant supervisory authority within 72 hours of a breach; notify affected individuals "without undue delay"
- Data Processing Agreements — written agreements with vendors who process personal data on your behalf (your CRM vendor, email marketing platform, analytics tools)
- Appropriate security measures — encryption, access controls, regular security testing — proportional to the risk
GDPR Penalties
Up to €20 million or 4% of global annual turnover, whichever is higher. For small businesses, fines are typically proportional to size and severity of violation. Regulators have issued five-figure fines to small businesses for relatively basic violations like inadequate privacy notices.
CCPA / CPRA: If You Have California Customers
The California Consumer Privacy Act (updated by the California Privacy Rights Act) applies to for-profit businesses that meet any of these thresholds:
- Annual gross revenue over $25 million
- Buys, sells, or shares the personal information of 100,000+ California consumers or households per year
- Derives 50% or more of annual revenue from selling or sharing California consumers' personal information
Most small businesses won't hit these thresholds — but if you do significant volume in California or are growing toward these numbers, you should be aware of them.
What CCPA Requires
- Right to know — consumers can request what personal information you've collected about them
- Right to delete — consumers can request deletion of their personal information
- Right to opt-out — if you sell personal data, consumers can opt out via a "Do Not Sell My Personal Information" link
- Non-discrimination — you can't penalize consumers for exercising their privacy rights
- Privacy policy — disclosing categories of personal information collected and how it's used
PCI DSS: If You Accept Credit Cards
Every business that accepts credit card payments must comply with PCI DSS (Payment Card Industry Data Security Standard), regardless of size. There are four levels based on transaction volume, with different requirements for each.
For most small businesses, PCI compliance primarily means:
- Using a PCI-compliant payment processor (Stripe, Square, PayPal, etc. handle most of the compliance burden for you)
- Completing an annual Self-Assessment Questionnaire (SAQ) — typically a short online checklist
- Never storing raw card numbers or security codes in your own systems
- Keeping payment processing networks segmented from general business networks
- Maintaining a firewall and keeping systems patched
If you use a major payment processor and don't store card data yourself, your PCI exposure is relatively manageable. The biggest risk comes from custom payment workflows (a homegrown checkout form, a spreadsheet of phone orders, card numbers pasted into a CRM) that end up storing card data without anyone intending it.
The IT Requirements That Cover Most of This
Here's the practical good news: the technical requirements for HIPAA, GDPR, CCPA, and PCI DSS overlap significantly. Get these right and you're covering most of the technical baseline for all four:
- Encryption — data encrypted at rest and in transit across all systems containing regulated data
- Access controls — unique user accounts, role-based access, multi-factor authentication, terminated employee accounts disabled immediately
- Audit logging — who accessed what and when, with logs retained per regulation requirements
- Patch management — systems kept current with security patches
- Backup and recovery — tested backups that meet recovery time requirements
- Incident response plan — documented procedure for detecting, responding to, and reporting a breach
- Vendor agreements — BAAs, DPAs, or equivalent agreements with vendors handling regulated data
A competent managed IT services provider who understands compliance should be able to document that your environment meets these controls. If your current IT provider can't tell you whether your systems are compliant or not, that's a gap worth addressing.
How to Know Which Regulations Apply to You
Start here:
- Do you handle any patient health data, or work with healthcare companies? → HIPAA
- Do you have customers, users, or website visitors in the EU? → GDPR
- Do you have California customers and meet the revenue/volume thresholds? → CCPA/CPRA
- Do you accept credit cards? → PCI DSS
- Do you work with the federal government or handle federal data? → NIST 800-171 / CMMC
Several can apply at once. A dental practice that accepts credit cards and has a website reachable from the EU could be subject to HIPAA, PCI DSS, and GDPR at the same time.
Our free IT Compliance Checklist walks through the key requirements for each regulation and tells you where you stand. It takes about 10 minutes and covers HIPAA, GDPR, PCI DSS, and SOC 2.
What Happens If You're Not Compliant
Regulators primarily act in response to complaints and breaches. Most small businesses that operate without compliance infrastructure never face enforcement — until they have an incident. At that point, the absence of documented controls turns what might have been a manageable breach notification into evidence of willful negligence, which dramatically increases penalties.
Beyond regulatory risk, compliance gaps affect your ability to win enterprise contracts (many customers require compliance attestations), cyber insurance rates (insurers increasingly require demonstrable controls), and your own sleep at night.
If compliance feels overwhelming, the right move isn't to ignore it — it's to find outsourced IT services that include compliance expertise, so you're not navigating this alone.