Compliance and Custom Software

Compliance. That word strikes almost as much fear and discomfort as “taxes” does. But it’s just as important to the survival of your business. And, depending on your industry, your custom software may have as many compliance requirements as the business itself. So, let’s take a look at compliance, for both the business and your software, and how the two work together.

Business Compliance

According to the Small Business Administration (SBA), there are three key areas of compliance for a small business:

• Internal Requirements: Keep good records, depending on your business structure (LLC, Corporation, Partnership, etc.)
• State and Federal Filings: Annual reports and taxes.
• Licenses, Permits, and Certifications

In addition to those, there are industry-specific areas of compliance, most commonly in health care (HIPAA) and finance.

Custom Software Compliance

There is an overlap in custom software compliance and IT compliance. In both cases, you’re mostly looking at data privacy. If you are storing sensitive, personal data, then using encryption is vital to staying compliant.

Another significant area of software compliance is the Payment Card Industry (PCI) requirements. For PCI compliance, accepting credit cards and online payments, those cards can't touch your server - you have to use a third-party and tokenize the card or use some other method of storing payment data. Nearly all major merchant gateways implement this now, which saves on having to go through the compliance process yourself.

Finally, HIPAA requires secure transit (HTTPS/SSL) and controlling the chain of custody for data (authentication/authorization). HIPAA requirements for custom software include:

• Access Control. Only authorized users may access protected health information.
• Audit Controls. Provide ability to access and examine data covered by HIPAA.
• Integrity Controls. Stored data and records must not be altered or destroyed.
• Transmission Security. Prevent unauthorized access to data and records during transmission over a network.

While those are the strict HIPAA requirements, it is a good idea to maintain a similar data security plan for your software as well, even if you’re not in the health or financial industries. Consider the above requirements when it comes to your user access, data, reporting, and shared (transmission) information. Third-party integrations are going to be the biggest hurdle for any compliance requirements.

Other considerations to make for your software include:

• Documentation and Training: Your entire team needs to be up on compliance and security. You need to have updated documentation on both your procedures and your software.
• Recovery Tools: If something ends up going wrong, you’ll need to recover quickly. This means both data and communications with your customers -- alerting them as to the problem, the damage, and the remedy.
• Secure Storage: You’ll want backups of your data, but those need to be stored in a secure area. You also need to have these organized for compliance audits.
• Security: A repeat from above, but you want to make sure that sensitive data is secured and encrypted, that only authorized users have access.

Combining the Two: Business + Software Compliance

Custom software can help your business stay compliant. Whether you’re dealing with HIPAA compliance or regular tax and documentation compliance, your software should be working with you to ensure you stay out of trouble. With Sol Minion Development, you’ll be working with a US-based company -- no outsourcing overseas -- which allows us to provide HIPAA-compliant software development services. Additionally, you might consider certified compliance. That is a significant cost above and beyond the software project, but it can provide a safety net should your company ever fall under audit scrutiny.

If you have questions about software compliance, contact us now for answers.