What compliance requirements apply to your business — and what happens if you’re not ready?

If you run a business in Indiana that handles patient records, processes credit cards, or works anywhere in the defense supply chain, 2026 is a year in which you can’t afford to ignore compliance.

Three major regulatory frameworks are tightening simultaneously: HIPAA is getting its first major security overhaul in 13 years, PCI DSS 4.0 requirements are now fully enforced, and CMMC 2.0 certification starts appearing in Department of Defense contracts this November. Each one carries real financial consequences for businesses that aren’t prepared.

The challenge for most small and mid-sized businesses isn’t understanding that compliance matters — it’s knowing which regulations actually apply to them, what’s changed recently, and what concrete steps they need to take. This guide breaks down all three frameworks in plain language, explains what’s new in 2026, and helps you figure out where your business stands.

HIPAA in 2026: The Biggest Security Rule Update in 13 Years

If your business touches protected health information (PHI) in any way — whether you’re a healthcare provider, a dental practice, a billing company, or even an IT vendor that supports healthcare clients — HIPAA applies to you. And the rules are about to change significantly.

What’s Changing

The U.S. Department of Health and Human Services proposed major updates to the HIPAA Security Rule in late 2025, with finalization expected by May 2026. This is the first substantial revision since 2013, and it shifts HIPAA from a flexible, self-directed framework to one with measurable, enforceable standards.

Key changes include:

  • No more “addressable” safeguards. Previously, organizations could decide certain security measures were unnecessary for their situation. Under the new rules, most safeguards — including multi-factor authentication (MFA) and encryption — become mandatory requirements.
  • Annual compliance audits are required. Covered entities and business associates must formally test and verify all administrative, physical, and technical safeguards every 12 months.
  • Vulnerability scans every six months. Technical testing moves from “recommended” to required, with penetration testing required annually.
  • Network segmentation is mandatory. Systems containing electronic PHI (ePHI) must be isolated from general business networks.
  • Incident response plans must be tested annually. Written plans alone no longer satisfy the requirement — you must document, implement, and test them.
  • Access revocation within one hour of employee termination.

What This Means for Indiana Businesses

Fort Wayne and Northeast Indiana have a significant healthcare ecosystem — from large hospital systems to small practices, dental offices, home health agencies, and the billing and IT companies that support them. If you’re a business associate (BA) providing IT services, cloud hosting, or software to any healthcare organization, these rules apply to you too.

The 240-day compliance window after finalization means businesses need to be preparing now, not waiting for the final rule.

The Cost of Getting It Wrong

HIPAA violation penalties in 2026 range from $145 to $2,190,294 per violation, with an annual cap that can reach into the millions. Criminal penalties for willful violations can include fines up to $250,000 and imprisonment up to 10 years. And those are just the regulatory penalties — the average cost of a healthcare data breach reached $10.93 million in 2025, according to IBM’s Cost of a Data Breach Report.

Small healthcare practices often assume they’re too small to be targeted or too small for OCR to notice. Neither is true. HHS has settled cases with organizations of all sizes, and attackers specifically target smaller practices because they typically have weaker security controls.

PCI DSS 4.0: Already Mandatory, Still Catching Businesses Off Guard

If your business processes, stores, or transmits credit card data — even if it’s just a single payment terminal — PCI DSS applies. Version 4.0 became fully mandatory in March 2025, but many small businesses still haven’t caught up with the changes.

What’s Different from PCI DSS 3.2.1

PCI DSS 4.0 introduced several significant changes that affect businesses of all sizes:

  • MFA required for all access to cardholder data environments — not just remote access. If an employee walks up to a terminal that can access card data, MFA is required.
  • Stronger password requirements. Minimum 12 characters (up from 7), and password/passphrase complexity requirements apply universally.
  • Targeted risk analysis. Instead of one-size-fits-all rules, businesses must document why their specific security controls are appropriate for their risk level.
  • Updated Self-Assessment Questionnaires (SAQs). The forms themselves have changed — if you’re still using 3.2.1 questionnaires, your assessment isn’t valid.
  • Anti-phishing mechanisms required. Technical controls (not just training) must be in place to detect and protect against phishing.
  • Automated log review. Manual log review is no longer sufficient — automated mechanisms must flag anomalies.

Who in Indiana Needs to Care

Every retail store, restaurant, medical practice, professional service firm, and e-commerce business that accepts credit cards. That’s most businesses in Fort Wayne and across Indiana.

The common misconception is that small businesses processing under 20,000 e-commerce transactions (Level 4 merchants) face lighter requirements. The security requirements are the same — only the validation method differs. You still need to implement the controls; you just complete a Self-Assessment Questionnaire instead of hiring a Qualified Security Assessor.

Common Gaps We See

After nearly two decades of supporting Indiana and San Diego businesses, these are the PCI compliance issues we encounter most often:

  1. No network segmentation. The POS system sits on the same network as everything else.
  2. Default passwords still in use on payment terminals and routers.
  3. No MFA on systems that can access cardholder data.
  4. Outdated firmware on payment terminals that no longer receives security patches.
  5. No documented incident response plan specific to payment card breaches.

CMMC 2.0: Why Fort Wayne Businesses Should Pay Attention Now

If your business has any connection to the Department of Defense supply chain — even indirectly — the Cybersecurity Maturity Model Certification (CMMC) 2.0 is about to become your most important compliance requirement.

Why This Matters Locally

Fort Wayne isn’t just any mid-sized city when it comes to defense. Northeast Indiana is home to BAE Systems, Raytheon Technologies, L3Harris Technologies, and General Dynamics Mission Systems, which collectively employ over 2,000 people locally. But the real impact of CMMC extends far beyond these prime contractors.

The defense supply chain includes hundreds of smaller manufacturers, machine shops, engineering firms, and service providers throughout Northeast Indiana. The Northeast Indiana Defense Industry Association (NIDIA) exists specifically because of this ecosystem. Companies like Absolute Machining, Portland Forge, and dozens of others supply components and services to defense programs.

Starting November 10, 2026, CMMC Level 2 certification requirements will be added to applicable DoD contracts. If your business handles Controlled Unclassified Information (CUI) — which includes most technical drawings, specifications, and project data from defense clients — you’ll need certification to bid on or maintain those contracts.

The Three CMMC Levels

  • Level 1 (Self-Assessment): 15 basic cybersecurity practices. For businesses that handle only Federal Contract Information (FCI), not CUI. Annual self-assessment.
  • Level 2 (Third-Party Assessment): 110 controls aligned with NIST SP 800-171. Required for businesses handling CUI. Must be assessed by a CMMC Third Party Assessor Organization (C3PAO).
  • Level 3 (Government Assessment): Advanced controls for the most sensitive programs. Government-led assessment.

What Small Suppliers Get Wrong

Many small manufacturers and suppliers assume CMMC doesn’t apply to them because they “just make parts.” But if your defense client shares technical data, specifications, or design files with you — that’s likely CUI, and Level 2 applies.

The 110 controls in Level 2 cover everything from access control and audit logging to incident response and system maintenance. For a small machine shop that’s never had a formal IT security program, this can feel overwhelming. But the alternative — losing defense contracts — is worse.

Which Regulations Apply to Your Business?

Here’s a quick guide:

HIPAA applies if you:

  • Provide healthcare services (medical, dental, mental health, home health)
  • Process medical billing or claims
  • Provide IT services to healthcare organizations
  • Store or transmit patient health information for any reason
  • Operate a health plan or wellness program

PCI DSS applies if you:

  • Accept credit or debit card payments (in-store, online, or by phone)
  • Store cardholder data in any system
  • Process or transmit payment card information
  • Provide payment processing services to other businesses

CMMC applies if you:

  • Hold a Department of Defense contract or subcontract
  • Supply products or services to a defense prime contractor
  • Receive technical data, specifications, or CUI from a defense client
  • Bid on federal defense contracts

Many businesses fall under multiple frameworks. A healthcare practice that accepts credit cards needs both HIPAA and PCI DSS compliance. A manufacturer that makes parts for defense clients and processes card payments needs CMMC and PCI DSS. The good news: there’s significant overlap in the security controls these frameworks require.

The Compliance-Ready IT Checklist

Regardless of which regulations apply to your business, the foundational IT security controls are remarkably similar. Here’s what compliance-ready IT looks like:

1. Multi-Factor Authentication (MFA) — Everywhere

All three frameworks now require MFA. Not just for VPN access — for email, cloud applications, payment systems, and any system containing regulated data.

2. Encryption at Rest and in Transit

Patient records, cardholder data, and CUI all require encryption both when stored and when transmitted. This includes email, file transfers, and database storage.

3. Network Segmentation

Regulated data should live on isolated network segments with controlled access points. Your POS system, EHR system, and CUI storage should not share a network with the break room Wi-Fi.

4. Continuous Monitoring and Logging

Automated log collection, anomaly detection, and regular review. HIPAA requires vulnerability scans every six months and annual penetration testing. PCI DSS requires automated log review. CMMC requires audit logging of all access to CUI.
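As an added illustration of what “automated log review” in this item means in practice (example code written for this guide, not SDTEK’s tooling or any vendor’s product), the Python script below parses a handful of constructed audit log lines and flags two kinds of anomaly that PCI DSS and HIPAA both care about: a burst of failed logins on one account, and any successful activity by an account after its termination time plus the one-hour revocation window described in the HIPAA section. The log format, account names, thresholds, and the HR termination feed are all assumptions made for the example; real deployments would read from a SIEM or log aggregator and tune the thresholds.

```python
"""Toy automated log review that flags anomalies in audit log lines.

Added example for the 'Continuous Monitoring and Logging' checklist item.
The log format, accounts, thresholds and termination list are assumptions
made for this illustration, not data from any real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (not real data). Assumed format per line:
#   <ISO-8601 UTC timestamp> <event> <outcome> <account> <source IP>
SAMPLE_LOG = """\
2026-03-02T08:00:05Z login success alice 10.0.20.15
2026-03-02T08:01:10Z login failure bob 10.0.20.31
2026-03-02T08:01:14Z login failure bob 10.0.20.31
2026-03-02T08:01:19Z login failure bob 10.0.20.31
2026-03-02T08:01:25Z login failure bob 10.0.20.31
2026-03-02T08:01:30Z login failure bob 10.0.20.31
2026-03-02T08:02:00Z login success bob 10.0.20.31
2026-03-02T09:30:00Z login success carol 10.0.20.40
2026-03-02T12:45:00Z login success dave 10.0.20.52
2026-03-02T13:10:00Z file_access success dave 10.0.20.52
"""

# Constructed HR feed (assumption): account -> termination time in UTC.
TERMINATIONS = {
    "carol": datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc),  # 30 min before her login
    "dave": datetime(2026, 3, 2, 10, 0, tzinfo=timezone.utc),  # well over 1 h before his
}

FAILURE_THRESHOLD = 5                   # failures per account ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... within this window trigger a finding
REVOCATION_GRACE = timedelta(hours=1)   # one-hour access revocation window


def parse_log(text):
    """Turn raw log lines into dicts with an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, outcome, account, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event": event, "outcome": outcome,
            "account": account, "src": src,
        })
    return events


def failed_login_bursts(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Sliding window per account; one finding per account that reaches the threshold.

    Returns a list of (account, first_failure_time, count_in_window).
    """
    per_account = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["outcome"] == "failure":
            per_account[e["account"]].append(e["ts"])
    findings = []
    for account, times in per_account.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((account, times[start], end - start + 1))
                break
    return findings


def post_termination_access(events, terminations, grace=REVOCATION_GRACE):
    """Any successful event by a terminated account after termination + grace.

    Returns a list of (account, event, timestamp). Activity inside the grace
    window is not flagged here, so the one-hour rule is the deadline being checked.
    """
    findings = []
    for e in events:
        deadline = terminations.get(e["account"])
        if deadline is None or e["outcome"] != "success":
            continue
        if e["ts"] > deadline + grace:
            findings.append((e["account"], e["event"], e["ts"]))
    return findings


def review(log_text, terminations):
    """Run every check and return a list of finding dicts suitable for alerting."""
    events = parse_log(log_text)
    findings = []
    for account, first, count in failed_login_bursts(events):
        findings.append({"type": "failed_login_burst", "account": account,
                         "detail": f"{count} failures within {FAILURE_WINDOW} "
                                   f"starting {first.isoformat()}"})
    for account, event, ts in post_termination_access(events, terminations):
        findings.append({"type": "post_termination_access", "account": account,
                         "detail": f"{event} at {ts.isoformat()} after revocation deadline"})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG, TERMINATIONS):
        print(f"[{f['type']}] {f['account']}: {f['detail']}")
```

Run against the constructed sample, the review produces three findings: bob’s five failures inside a 20-second span, and dave’s login and file access hours after his termination. Carol’s login is inside the one-hour window, so it is not flagged by this rule; whether activity inside that window still deserves a manual look is a decision for your incident response procedure. The point of the example is the shape of the control: a machine, not a person, reads every line and raises a finding, which is what “automated log review” requires.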

5. Documented Incident Response Plan

Not a template you downloaded and filed away — a tested, rehearsed plan with assigned roles, communication procedures, and recovery steps. All three frameworks require this.

6. Employee Training

Security awareness training that covers phishing, social engineering, data handling, and framework-specific requirements. Annual at minimum, with phishing simulations.

7. Vendor and Access Management

Formal processes for granting and revoking access, reviewing vendor security, and maintaining business associate agreements (HIPAA) or supply chain security documentation (CMMC).

Five Questions to Ask Your IT Provider

If you’re working with a managed IT services provider, these questions will tell you whether they’re equipped to help with compliance:

  1. “Which compliance frameworks do you have experience supporting?” A generic “yes, we do compliance” isn’t enough. Ask for specifics — HIPAA, PCI DSS, CMMC, and which clients they’ve helped through audits.
  2. “How do you handle compliance documentation?” Compliance isn’t just about having the right technology — it’s about proving you have it. Ask about policy templates, audit evidence collection, and documentation management.
  3. “What does your security monitoring include?” Look for 24/7 endpoint detection, log aggregation, vulnerability scanning, and automated alerting — not just antivirus and a firewall.
  4. “Can you support a CMMC assessment?” If you’re in the defense supply chain, you need an IT partner who understands NIST SP 800-171 controls and can help you prepare for a C3PAO assessment.
  5. “What happens when a breach occurs?” Ask about incident response capabilities, forensics, breach notification support, and experience coordinating with regulators.

The Real Cost of Compliance (and Non-Compliance)

Compliance isn’t cheap, but non-compliance is far more expensive:

  • HIPAA violation: Up to $2.19 million per violation category, per year. Plus breach notification costs, legal fees, and reputational damage.
  • PCI DSS non-compliance: Fines of $5,000 to $100,000 per month from payment processors, plus liability for fraud losses, forensic investigation costs, and potential loss of the ability to accept card payments.
  • CMMC failure: Loss of DoD contracts. For a Fort Wayne manufacturer whose defense work represents 40-60% of revenue, this isn’t a fine — it’s an existential threat.

The cost of getting compliant with proper IT support typically ranges from $500 to $3,000 per month for small businesses, depending on complexity and which frameworks apply. Compare that to the alternatives, and compliance is the clear investment.

How SDTEK Helps Indiana Businesses Stay Compliant

At SDTEK, we’ve been helping businesses navigate IT compliance for nearly two decades. Our approach to compliance support includes:

  • Compliance gap assessments to identify exactly where you stand and what needs to change
  • secureTEK™ cybersecurity services built around the controls that HIPAA, PCI DSS, and CMMC all require
  • 24/7 monitoring and threat detection through managed EDR, vulnerability scanning, and automated alerting
  • Documentation and audit preparation so you’re not scrambling when an assessor or auditor arrives
  • Ongoing compliance management because compliance isn’t a one-time project — it’s continuous

Whether you’re a healthcare practice preparing for the new HIPAA Security Rule, a retailer catching up on PCI DSS 4.0, or a manufacturer facing your first CMMC assessment, we can help you build a security program that satisfies your compliance requirements while actually protecting your business.


Ready to find out where your business stands? Contact SDTEK for a compliance gap assessment, or learn more about our cybersecurity services, managed IT support, and local IT services in Fort Wayne and San Diego.
