HIPAA, PCI DSS, and Cybersecurity Compliance: A Plain-English Guide for Triad Businesses

June 30, 2026

Your dental practice just switched to a new cloud charting platform — but did anyone verify that the vendor signed a Business Associate Agreement before patient records started flowing through it? That single oversight is one of the most common compliance failures Merit Technology Solutions sees across the Triad. Cybersecurity compliance for small businesses in the Triad is not a paperwork project — it is an ongoing IT operations responsibility, and two federal frameworks define exactly what is required.

Two Laws, One Big Risk: Why Triad SMBs Can't Afford to Wing It

HIPAA — the Health Insurance Portability and Accountability Act — governs any business that handles protected health information (PHI), meaning individually identifiable health data. PCI DSS — the Payment Card Industry Data Security Standard — governs any business that stores, processes, or transmits credit card data. Both apply to ordinary Triad businesses.

Why Compliance Gaps Stay Hidden

Neither framework sends a warning when you drift out of compliance. Gaps become visible only when an auditor asks for documentation you do not have, or when a breach forces a regulatory investigation. The dental charting scenario above is not hypothetical — it is a recurring pattern Merit Technology Solutions encounters in practice onboarding reviews.

This post covers what HIPAA and PCI DSS each require at the IT level, where Triad businesses most commonly fall short, the real financial penalties involved, and how a local managed IT partner turns compliance from a one-time checklist into a repeatable process.

HIPAA in Plain English: What Covered Entities and Business Associates Actually Have to Do

HIPAA's Security Rule requires covered entities — healthcare providers, health plans, and clearinghouses — and their business associates — any vendor or partner who touches PHI — to implement three categories of safeguards: administrative, physical, and technical. Failing any category is a violation regardless of practice size.

Business Associate Agreement (BAA): A signed contract required by HIPAA between a covered entity and any vendor who accesses, stores, or transmits PHI on that entity's behalf.

Administrative Safeguards

  • Risk analysis: A documented, dated assessment of threats to PHI — required at least annually and whenever the environment changes significantly.
  • Workforce training: Staff must be trained on HIPAA policies; training records must be kept.
  • Access controls: Employees get access only to the PHI their role requires — nothing more.

Physical Safeguards

  • Workstation policies: Screens must lock automatically; unattended front-desk PCs visible to patients are a documented risk.
  • Device disposal: Hard drives must be wiped or destroyed before equipment leaves the practice.

Technical Safeguards

  • Encryption: PHI must be encrypted at rest and in transit.
  • Audit logs: Systems must log who accessed PHI, when, and from where.
  • Automatic logoff: Sessions must time out after a defined period of inactivity.

The BAA requirement extends further than most owners realize. The EHR vendor must sign one. The cloud backup provider must sign one. The MSP must sign one. Dental practices in the Triad and medical staffing agencies are both covered entities or business associates — and both are subject to every safeguard listed above. A departed employee whose Active Directory account was never disabled is a technical safeguard failure with a paper trail straight to your door.
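The stale-account review that catches exactly this failure, as an added PowerShell example (not Merit's own tooling). It assumes the ActiveDirectory RSAT module and read access to the domain; the OU and report path are placeholders.

```powershell
# Added example, not code from the page or from Merit Technology Solutions.
# Lists enabled Active Directory user accounts that have not signed in within
# $InactiveDays, so a periodic account review surfaces departed employees whose
# accounts were never disabled. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-StaleAdAccounts {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = ''   # optional OU DN, e.g. 'OU=Staff,DC=example,DC=local' (placeholder)
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    $query = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'LastLogonDate', 'PasswordLastSet', 'whenCreated', 'Description'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    # LastLogonDate is derived from lastLogonTimestamp, which AD replicates only
    # every 9-14 days, so treat it as approximate (fine for a 90-day review).
    Get-ADUser @query |
        Where-Object {
            # Accounts that never signed in but are older than the cutoff are stale too
            ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
            (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
        } |
        Select-Object SamAccountName, Name, LastLogonDate, PasswordLastSet, Description
}

# Run the review and keep a dated CSV as evidence for the audit file.
$stale  = @(Get-StaleAdAccounts -InactiveDays 90)
$report = "C:\ComplianceEvidence\stale-accounts-$(Get-Date -Format yyyyMMdd).csv"   # placeholder path
$stale | Export-Csv -Path $report -NoTypeInformation
Write-Host "$($stale.Count) stale enabled account(s) written to $report"

# Disable only after the list is reconciled with HR's departure records.
# -WhatIf previews the change without making it; remove it to act.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Run it on a schedule and keep each CSV; the dated reports are the documentation an auditor asks for when checking that departed users lose access within the practice's defined window.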

PCI DSS in Plain English: What Every Business That Takes Cards Needs to Know

PCI DSS is a security standard maintained by the major card brands that applies to any business accepting card payments. Most Triad small businesses fall into Merchant Level 4, which covers fewer than 20,000 e-commerce transactions per year and requires an annual Self-Assessment Questionnaire (SAQ) plus quarterly vulnerability scans.

The Flat-Network Problem

A professional services firm in Kernersville running a flat network — where the point-of-sale (POS) terminal shares the same subnet as employee laptops — is a PCI DSS violation waiting to materialize. PCI DSS requires network segmentation, meaning the card-processing environment must be isolated from the general business network. "We use Square or Stripe" does not eliminate this requirement; it reduces scope, but the network carrying that traffic still must be secured.

The Four Operationally Critical PCI DSS Requirements

  • Network segmentation: POS terminals must be on an isolated network segment, separated from general office traffic.
  • Quarterly vulnerability scans: External scans performed by an Approved Scanning Vendor (ASV) are required for most merchant levels.
  • Strong password policies: Default vendor passwords must be changed; privileged accounts must use complex credentials.
  • Annual Self-Assessment Questionnaire: The SAQ documents your compliance posture — and signing one you cannot actually support is itself a liability.

Merit's cybersecurity services address network segmentation and vulnerability scanning directly — both are technical controls, not paperwork, and both require ongoing IT management to maintain.

Where Most Triad Businesses Actually Fall Short — and the Fines That Follow

The four most common compliance gaps Merit Technology Solutions finds in Triad SMB environments are: no documented risk assessment, unencrypted laptops or removable media, stale user accounts with active credentials, and no tested incident response plan. Each one carries direct regulatory exposure.

HIPAA Penalty Tiers

The HHS Office for Civil Rights (OCR) enforces four penalty tiers ranging from $100 per violation for unknowing violations to $50,000 per violation for willful neglect not corrected, with an annual cap of $1.9 million per violation category. A single undiscovered stale account or one unencrypted laptop found during an OCR investigation can trigger penalties at multiple tiers simultaneously.

PCI DSS Consequences

PCI DSS non-compliance does not produce government fines — it produces card brand fines passed through by the acquiring bank, and in serious cases, loss of the ability to accept card payments entirely. For a retail or service business in Winston-Salem or Greensboro that depends on card revenue, that is an existential outcome. A one-time compliance checklist completed two years ago does not protect you today.

How a Co-Managed or Managed IT Partner Turns Compliance into a Repeatable Process

Compliance is not a project with an end date. HIPAA and PCI DSS require continuous monitoring, documented patch management, periodic access reviews, and audit-ready logs — ongoing work that most office managers and small internal IT teams cannot sustain alongside daily operations.

What Merit Does in a Compliance Context

Merit's co-managed IT services for Triad businesses and managed IT services both include the operational controls that compliance requires: enforcing multi-factor authentication (MFA) across Microsoft 365, maintaining audit-ready access logs, conducting periodic user account reviews, and managing encrypted cloud backup with a BAA-covered vendor.

This is the core contrast with the "we handle the clinical side, IT figures itself out" assumption that is common at small practices and retail shops. Compliance is an IT operations problem — not a legal document filed once and forgotten. A healthcare IT attorney can tell you what the rules say; an IT partner who understands HIPAA and PCI DSS specifics can actually implement and maintain the controls the rules require.

Merit's local presence across Kernersville, Winston-Salem, and Greensboro also matters when a physical safeguard issue — an unlocked server room, a missing workstation cable lock — requires same-day on-site response rather than a remote ticket.

Quick Compliance Checklist: 8 Questions Every Triad Business Owner Should Be Able to Answer

An HHS auditor or PCI Qualified Security Assessor (QSA) will ask questions like these. If you cannot answer yes to all eight with documentation to back it up, you have a compliance gap that needs closing before someone else finds it for you.

  1. Do you have a signed, current BAA with every vendor who accesses PHI — including your MSP, EHR vendor, and cloud backup provider?
  2. Is your most recent HIPAA risk assessment documented, dated, and less than 12 months old?
  3. Are former employee accounts disabled within 24 hours of departure?
  4. Are workstations configured to lock automatically after a defined idle period?
  5. Are laptops and removable media encrypted?
  6. Are card-processing terminals on an isolated network segment, separate from employee workstations?
  7. Have you completed your annual PCI DSS Self-Assessment Questionnaire for the current calendar year?
  8. Do you have a written, tested incident response plan that your staff has actually reviewed?

Frequently Asked Questions

Does HIPAA apply to my small dental practice in Kernersville if I use a cloud-based EHR?

Yes. Any dental practice that creates, stores, or transmits electronic protected health information is a covered entity under HIPAA, regardless of size. Using a cloud-based EHR does not reduce that obligation — it adds a Business Associate Agreement requirement with the EHR vendor and any other platform that touches patient data.

What is PCI DSS and does my business have to comply if I use Square or Stripe?

PCI DSS is the Payment Card Industry Data Security Standard, required of any business that accepts, processes, or transmits card payments. Using Square or Stripe reduces your compliance scope but does not eliminate it. Your network environment, password practices, and how cardholder data flows through your systems are still in scope and subject to PCI DSS requirements.

What happens to a small business in North Carolina if it has a HIPAA breach?

A HIPAA breach triggers mandatory notification to affected individuals, HHS, and potentially local media. The HHS Office for Civil Rights may investigate and impose penalties ranging from $100 to $50,000 per violation, up to $1.9 million per violation category per year. North Carolina's own breach notification law may add additional state-level obligations.

Can a managed IT provider help me pass a PCI DSS Self-Assessment Questionnaire?

A managed IT provider cannot sign the SAQ on your behalf, but Merit Technology Solutions can implement and document the technical controls the SAQ validates — network segmentation, patch management, strong authentication, and vulnerability scanning. Completing an SAQ honestly requires the underlying IT controls to actually be in place; that is where managed IT compliance support matters most.

Written by

Merit Technology Solutions Team

Merit Technology Solutions Editorial Team

Merit Technology Solutions (merIT) is a Kernersville, NC-based managed IT and cybersecurity provider serving small and medium-sized businesses in the Piedmont Triad, offering services including proactive IT support, cloud solutions, data backup, and VoIP phone systems.

Not Sure If Your Business Is Actually HIPAA or PCI Compliant? Let's Find Out Together.

In a free 15-minute discovery call, a Merit Technology Solutions advisor will walk through your current setup, identify the specific HIPAA or PCI DSS gaps most common for businesses like yours in the Triad, and explain exactly what it would take to close them.
