IT Compliance for Chicago Small Businesses: What You Actually Need
HIPAA, PCI-DSS, SOC 2, FTC Safeguards. If you run a small business in Chicago, at least one of these applies to you. Here's what matters and what doesn't.
Compliance is not a dirty word.
I know. The second someone says "compliance," your eyes glaze over. You picture binders, auditors, and a six-figure consulting bill. You think it's something that happens to big companies. Something for later. Something you'll deal with when you "get bigger."
Here's the thing: compliance already applies to you. Right now. Today. And the penalties for ignoring it are real.
If you accept credit cards, you're subject to PCI-DSS. If you handle patient data, HIPAA applies. If you collect consumer financial data, the FTC Safeguards Rule applies. If you work with student records, FERPA does. If you bid on government contracts (and you should), you might need CMMC.
The good news: for a small business, compliance isn't the monster it looks like. Most of it is just good security hygiene organized into a framework. The stuff you should be doing anyway, documented in a way that proves you're doing it.
Which one applies to you?
HIPAA (Healthcare)
Who: Medical practices, dental offices, therapy practices, chiropractors, pharmacies, medical billing companies, and anyone who handles Protected Health Information (PHI) as a Business Associate.
What it requires: Risk assessments, access controls, encryption, staff training, Business Associate Agreements with every vendor who touches patient data, breach notification procedures.
The penalty for getting it wrong: Fines from $100 to $50,000 per violation, up to $1.5 million per year for repeat violations. Plus the OCR (HHS Office for Civil Rights) investigation. Plus the public breach notification. Plus the patient trust you'll never get back.
What most small practices get wrong: Assuming your EHR vendor handles compliance for you. They don't. They handle their compliance. Your compliance is your responsibility. When's the last time your staff had documented HIPAA training? If you can't show documentation, it didn't happen as far as an auditor is concerned.
PCI-DSS (Payment Processing)
Who: Every business that accepts, processes, stores, or transmits credit card data. Restaurants, retail, e-commerce, professional services that invoice via card. If you swipe, tap, or type a card number, this is you.
What it requires: For most small merchants (SAQ-A or SAQ-A-EP), compliance is validated through a self-assessment questionnaire. The controls behind it: secure your payment environment, don't store card data you don't need, use strong passwords, keep systems patched, restrict access, and train your staff.
The penalty for getting it wrong: Fines up to $500,000 from the card brands. Payment processor termination. Inability to accept credit cards. For a restaurant or retail store, that's a death sentence.
What most small businesses get wrong: Signing the SAQ without actually reading it. Your payment processor sends you a form, you check the boxes, you move on. But if a breach happens and you can't demonstrate that those controls were actually in place, the liability falls on you.
FTC Safeguards Rule (Financial Data)
Who: Non-banking financial institutions. CPA firms, tax preparers, insurance agencies, mortgage brokers, auto dealers, financial planners. Broader than most people think.
What it requires: A written information security program, a designated qualified individual overseeing it, risk assessments, access controls, encryption, multi-factor authentication, employee training, incident response plan, vendor oversight.
The penalty for getting it wrong: FTC enforcement actions, injunctions, consent orders, public disclosure. The FTC updated this rule in 2023 with much more specific technical requirements. If you haven't reviewed your security program since then, you're behind.
SOC 2 (SaaS / Service Providers)
Who: Companies that store or process client data in the cloud. SaaS companies, managed service providers, data processors, anyone whose clients ask "how do you protect our data?"
What it requires: An audit by a CPA firm. A Type I report attests that your security controls are designed properly; a Type II report attests that they operated effectively over a period of time. Type II is the one clients ask for.
Why it matters for small businesses: Increasingly, enterprise clients won't work with vendors who don't have SOC 2. If you're selling B2B services, this is becoming table stakes for landing larger contracts.
The compliance myth that costs small businesses money.
"Compliance is too expensive for us."
I hear this all the time. And I get why people think it. They've seen the Big Four consulting firms charge six and seven figures for compliance programs at large enterprises. They assume that's the only way it gets done.
It's not.
For a 15-person medical practice, HIPAA compliance is not a million-dollar project. It's a risk assessment, documented policies, staff training, some technical controls (most of which you should already have), and ongoing monitoring. We're talking thousands, not hundreds of thousands.
For a restaurant that needs PCI compliance, the SAQ self-assessment takes about an hour with someone who knows what they're doing. The technical controls (segmented networks, strong passwords, patched systems, trained staff) are things that protect your business regardless of compliance.
Compliance frameworks don't make you do unnecessary things. They make you do the things you should already be doing, and document that you're doing them. The documentation is the part most small businesses skip. And the documentation is the part that saves you when something goes wrong.
How we approach it.
We don't sell compliance as a product. We don't hand you a binder and disappear.
We start with where you are right now. What data do you handle? What regulations apply? What controls do you already have in place? What's missing?
Then we build a plan that's sized for your business. Not an enterprise framework shoved into a small business. A practical, maintainable program that your team can actually follow.
We handle:
- Risk assessments documented to the standard your regulation requires
- Policy development that reflects how your business actually operates
- Technical controls implementation (encryption, access controls, MFA, monitoring)
- Staff training tailored to your compliance requirements and your industry's actual threats
- Ongoing support for audits, incidents, and annual reviews
The training piece is where we really differ. Compliance training doesn't have to be a box-checking exercise. We make it relevant to your people's daily work. A billing clerk at a medical practice gets HIPAA training that covers the specific scenarios they encounter. A cashier at a restaurant gets PCI training that's about their actual POS system. Practical. Specific. Memorable.
And the skills they learn at work protect them at home too. That's the part we're most proud of.
Start with the free assessment.
If you're not sure which compliance framework applies to your business, or you know it applies but you're not sure where you stand, that's the perfect starting point for a conversation.
30 minutes. Free. No pitch.
(773) 417-9994 or southsidechisolutions.com