Governance

Last Updated: April 15, 2025

Governance is what turns "we have IT" into "we can prove our IT works." It's the documented set of policies, controls, and audit evidence that regulators, insurers, and customers ask for, and the discipline that keeps a small business from ending up on the front page of a breach report.

For organizations in regulated industries, insurance, healthcare, financial services, real estate, property management, governance is the difference between passing an audit and explaining a $9 million breach to a board. This page collects the legal documents and compliance frameworks that govern how MHC Information Services operates and how we help clients operate.

Why Governance Matters

The numbers behind regulated-industry IT make the case more sharply than any sales deck.

  • $4.88 million, global average cost of a data breach in 2024 (IBM / Ponemon Institute, Cost of a Data Breach Report 2024).
  • $9.77 million, average breach cost in the healthcare sector, the highest of any industry for the 14th consecutive year.
  • 68% of breaches involve a non-malicious human element, phishing, lost credentials, misconfiguration (Verizon, 2024 Data Breach Investigations Report).
  • 287 days, median time to identify and contain a breach without an incident response plan; 45 days fewer for organizations that have one documented and tested.
  • >$135 million in cumulative HIPAA settlements collected by the HHS Office for Civil Rights through 2024, with 99% of recent enforcement actions citing missing or inadequate policies and procedures.
  • 95% of payment-card breaches investigated under PCI-DSS forensics are preventable through controls already in the standard.

Governance is the unglamorous, durable layer underneath those numbers. Done right, it costs less than the deductible on a single cyber-insurance claim.

Policies

These documents govern how MHC Information Services collects, processes, and protects information when you visit our website or engage our services.

Compliance Frameworks

We design controls around the frameworks our clients are accountable to. These pages explain how we approach each one in practice, not the marketing version, the audit-ready version.

  • HIPAA, Security Rule, Privacy Rule, Breach Notification Rule for covered entities and business associates handling Protected Health Information.
  • PCI-DSS, payment-card data protection for any business that stores, processes, or transmits cardholder data.
  • Security Practices, the technical and operational controls that underpin both frameworks plus NIST CSF, CIS Controls, and SOC 2 readiness.

Frequently Asked Questions

Which compliance frameworks do you support?

HIPAA, PCI-DSS, GDPR (via the DPA), NIST Cybersecurity Framework, NIST SP 800-171, CIS Controls v8, and SOC 2 readiness. We don't issue audit reports, that's the role of an independent auditor, but we build and document the controls that pass them.

Do you provide written policies and procedures?

Yes. Engagements that include compliance scope ship with the policy and procedure documents auditors expect to see: information security policy, access control policy, incident response plan, risk assessment, business associate agreements (for HIPAA), system security plan, and the procedures that operationalize each.

What is the difference between compliance and security?

Compliance proves to a regulator or auditor that you implemented the controls a framework requires. Security is whether those controls actually stop attackers. The two overlap heavily but aren't identical, being compliant doesn't make you secure, and being secure doesn't automatically make you compliant. We aim for both, with compliance documentation serving as the audit trail for genuinely effective controls.

How often should we review our policies and controls?

Annually at minimum. Most frameworks require it. We recommend a quarterly controls review, an annual full risk assessment, and ad-hoc reviews after any significant change, a new system, a new vendor, a merger, a new regulation, or a security incident.

What happens during a HIPAA or PCI-DSS audit with you in place?

The auditor asks for evidence; we hand them the documentation, logs, and test artifacts that demonstrate each control. Because the documentation is maintained continuously rather than scrambled together at audit time, our clients typically complete audits in days rather than weeks and with materially fewer findings.

Can you help if we've already had an incident?

Yes. We support incident response, regulatory notification timelines (HIPAA 60-day rule, state breach-notification statutes, GDPR 72-hour rule), and post-incident remediation. Speed matters in those windows; have the relationship in place before you need it.

For a deeper conversation about applying these frameworks to your business, get in touch.