VanRein Compliance Podcast
Learn how you can secure the future of your business with a clear plan to reduce your risk. We discuss all compliance and data security matters of SOC2, ISO27001, HIPAA, GDPR, CPRA, NYShield, Texas HB300 and HiTRUST, and include life stories as well. It's NOT just a boring BizCast. We also talk about our Family Business and how you can start your own Family Business that will reshape your future.


AI + HIPAA: What Actually Matters (And What Doesn’t)

AI is already inside your healthcare workflows, your vendors, your phones, and your inbox. The hard part is not getting access to the tools. The hard part is using AI without quietly leaking PHI and waking up to a HIPAA breach you never saw coming.

We break down the question most teams ask the wrong way: “Is AI HIPAA compliant?” HIPAA wasn’t written for large language models, but the law still applies, and the responsibility still lands on you. We walk through how AI fits into the HIPAA Privacy Rule (who can access PHI), the HIPAA Security Rule (encryption, access controls, audit logs, and evidence), and the HIPAA Breach Notification Rule (what you must do when something goes wrong). We also talk about why “HIPAA-ready” marketing claims mean nothing without a signed Business Associate Agreement (BAA) and a real vendor risk conversation.

Then we get practical: shadow AI, staff copying PHI into chat tools, data leakage through model training defaults, and the basic governance moves that prevent all of it. You’ll hear our recommended AI acceptable use policy structure, how to build an AI inventory and risk register, what an AI risk assessment should evaluate, and why penetration testing and vulnerability scanning matter even more as regulations tighten.

If you want to move fast without losing control, subscribe, share this with a teammate who’s rolling out AI, and leave a review. What AI tool is your organization using today, and do you have a BAA for it?

Thank You for Listening to the VRC Podcast! Visit us at VanRein Compliance You can Book a 15min Call with a Guide Follow us on LinkedIn Follow us on X Follow us on Facebook
Business and industry · Yesterday · 16:16

Compliance Isn’t Enough Anymore—So We Built This

We launch new penetration testing and vulnerability scanning services and explain why passing audits still leaves hidden security risk. We lay out a practical testing cadence, how it maps to HIPAA, SOC 2, and ISO, and how proactive validation builds trust with clients before an attacker forces the lesson.

• compliance versus security, why policies do not stop attacks
• why 2026 attackers scan and exploit automatically
• vulnerability scanning as continuous monitoring with risk scoring and remediation tracking
• penetration testing as manual plus automated ethical hacking
• recommended cadence, monthly scans and annual pen tests
• when to retest, major changes and post-remediation validation
• mapping testing evidence to HIPAA risk analysis, SOC 2 controls, ISO 27001 requirements
• third-party reports for security questionnaires and deal credibility
• one-stop delivery to cut coordination time and reduce scrambling

If you go ahead and email us at hello at vanriancompliance.com, and you mention that, hey, Robin Don said I need a free t-shirt, we're gonna send you a free t-shirt. If you like and subscribe, and the more you do that, the better the Van Ryan Compliance podcast can grow and reach more people.
Business and industry · 1 week · 17:17

How Family Businesses Build Legacy And Trust

Most people say they want a legacy. Then they run their business like it only needs to survive the next quarter. Rob and Dawn come back from the NAEO conference in San Antonio with a clear question for every owner: are you building something that lasts, or something that just pays?

We talk about what it looks like when a company actually makes it to 50 years, using Mtelco’s anniversary as a real-world case study. That opens up the bigger conversation around family business, multi-generational ownership, employee retention, and why “relationships over transactions” is not a slogan, it’s a strategy. We also get honest about the grind of small business life: work and life aren’t balanced, they’re woven together, and the only way it works is prioritisation, delegation, and building a team that believes in what you do.

Then we bring it back to the risks that can end a legacy fast. Cybersecurity and compliance are no longer optional if you want to stay audit ready and keep customer trust. We break down why incident response plans, disaster recovery planning, vulnerability scanning, and penetration testing matter, plus how AI governance needs guardrails so new tools don’t create new exposure. We close with the often-avoided topic of succession planning: if something happens to you, who runs the business, who calls the attorney, and how does payroll continue?

If you got value from this, subscribe, share the show, and leave a review. Are you building for decades or chasing the next deal?
Business and industry · 2 weeks · 32:26

May 2026 HIPAA Changes: What Every Organization Must Do Now

We break down the largest HIPAA Security Rule update in 15 years and explain what it demands from healthcare, SaaS, and telehealth teams. Clear requirements replace ambiguity with MFA everywhere, stronger encryption, real testing, faster recovery, and rapid partner notices.

• why HIPAA must modernize for cloud, AI and telehealth
• how ransomware pressure shapes stricter controls
• asset and data inventory as the foundation
• MFA as a universal, required control
• encryption across endpoints, transit and rest
• security testing with scans, pen tests and AV
• network segmentation to stop lateral movement
• incident response tested annually with 72‑hour restore
• 24‑hour notification to partners
• evidence‑based audits and stricter access management
• vendor due diligence and AI governance
• timeline to effective and compliance dates
• three actions to start now: risk analysis, MFA rollout, vendor inventory

Need help with a risk analysis? We can get a report together so you can see your risk and plan forward.
Business and industry · 1 month · 18:27

Unlocking ISO Compliance with David Forman Founder of Mastermind Assurance

We sit down with ISO auditor David Forman to demystify ISO 27001, compare it with SOC 2, and unpack what auditors actually look for. We cover real breaches, the limits of compliance tools, the rise of 27701 and 42001, and how to win leadership buy-in.

• what an ISO certification body does and how audits work
• ISO 27001 governance plus controls vs SOC 2 opinions
• readiness and internal audit roles vs external certification
• why breaches accelerate third-party assurance demands
• scoping strategy and avoiding retrofit pitfalls
• platforms as helpers not replacements for ownership
• getting executive buy-in with clear pain and outcomes
• 27701’s privacy system and 42001’s AI management
• sectors driving demand: cloud, finance, healthcare, education, law
• partnership approach to deliver readiness and certification

Follow Mastermind on LinkedIn and email hello@mastermindassurance.com
Business and industry · 1 month · 45:07

From Human Oversight To ISO 42001 And NIST: Building A Safer AI Program

Business and industry · 1 month · 24:28

The AI Governance Playbook with Bennie Cleveland

We sit down with auditor and risk leader Bennie Cleveland to unpack how to make AI defensible in the real world. We cover governance, healthcare and privacy frameworks, modern attack patterns, and the playbooks that separate confident teams from lucky ones.

• defining AI ownership, approvals, data scope, monitoring and explainability
• building an AI inventory and supplier risk register
• mapping to NIST CSF, HIPAA, GDPR, SEC expectations
• deepfakes and social engineering expanding the attack surface
• darknet monitoring and proactive exposure checks
• running tabletops for ransomware, data loss and web compromise
• human in the loop and prompt discipline for high-impact decisions
• common audit gaps in IR, BCDR and communications
• vendor AI due diligence and data transfer controls
• buying fewer tools with clearer purpose and guardrails
Business and industry · 1 month · 32:46

AI: Beyond Policies and Governance with Dr. Camille Howard

Business and industry · 2 months · 38:57

Tabletops, AI Governance And Real Resilience

We roll out two new services—tabletop exercises and AI and automation governance—and dig deep into why tabletop drills prove readiness, resilience, and audit defensibility. From foundational policy walk‑throughs to enterprise war rooms, we map maturity levels and show how to turn SOPs into real action.

• what auditors expect from tabletop evidence
• foundational awareness, roles and policy validation
• ops drills that test detect, contain and recover
• executive crisis decision‑making and communications
• DR and BCP validation across cloud and on‑prem
• RTO and RPO targets, failover and manual workarounds
• audit defensibility, documentation and remediation plans
• cross‑functional alignment across HR, legal, IT and dev
• threat‑informed scenarios, red and blue team perspectives
• after‑action reports with owners and timelines
• annual cycles that raise difficulty and close gaps

“If you got an email from me, there’s also a coupon. So we offer 15% off a tabletop. Respond to my email or just reach out to us and we’ll schedule a time.”

“For the folks that aren’t clients, there’ll be more details down in the notes… or hello at vanright compliance.com.”

“Like or subscribe, it gets us into more people’s feeds.”
Business and industry · 2 months · 19:22

Winter Storm Tabletop: When Weather Becomes a Business Risk

We turn a deep freeze into a practical tabletop for households and businesses, building a clear plan for power, internet, people, and customers. From generators and Starlink to MFA bypass and recovery checks, we map decisions that turn chaos into continuity.

• prioritizing power layers with generators and UPS
• dual‑path internet and cellular failover testing
• handling school closures and quiet zones at home
• stocking food, water, heat, and plumbing protection
• roles, thresholds, and decision points for DR
• customer communication across email, web, and phone
• physical security, vendor contacts, and property access
• MFA backup codes and access overrides
• integrity checks and lessons learned after recovery

Like and subscribe because the more you like and subscribe, the more folks get to listen to us. We can help you here at Van Ryan if you're a current customer or you're just listening and you're like, oh, I want to know more about them. We can help you create business continuity, disaster recovery, instant response plan. And we can also help you kind of formulate a framework for tabletop exercises. That is a line of service that we offer here at Van Ryan.
Business and industry · 2 months · 31:30

Why Your Business Needs An AI Policy Before Chasing Certifications

We compare NIST AI RMF and ISO 42001, explain why AI audits matter, and share practical steps to build trust with customers, regulators, and insurers. We lay out a simple path: write policies, assess risk, and choose the right level of assurance.

• everyday AI use cases and core risks
• why audits reveal bias, privacy gaps, and weak training
• EU AI Act context and US landscape
• NIST AI RMF governance, map, measure, manage
• ISO 42001 as a certifiable AI management system
• policy and procedure essentials for safe AI use
• vendor due diligence and trust centers
• competitive advantage through frameworks and certification
• stepwise path from policy to assessment to certification

Email us at hello@vancompliance.com or drop a question in the comments so we can help you choose the right path and get your AI program audit-ready.
Business and industry · 2 months · 24:21

From Restart to Rhythm: Building Compliance Readiness

We draw a hard line between frantic resets and a steady compliance rhythm that proves readiness when it counts. Clear ownership, small cadences, and current evidence cut drama, reduce risk, and build trust with auditors, partners, and customers.

• defining readiness as proof not perfection
• event-based scrambling versus behavior-based cadence
• maturity signals auditors actually trust
• named owners and deputies for continuity
• weekly to annual review rhythms that stick
• avoiding tool creep and demanding real evidence
• aligning to HIPAA, SOC 2, ISO, HITRUST and privacy laws
• structure and measurement over willpower and heroics

Join Rob and Dawn for our “How To Do An AI Audit” webinar this week. Like and subscribe to help more people build a compliance rhythm.
Business and industry · 3 months · 25:40

What Our Clients Can Expect From VanRein Compliance in 2026

Business and industry · 3 months · 14:08

Compliance 2025 Review — And What’s Changing in 2026

Business and industry · 4 months · 22:10

Why AI Auditing Matters: NIST AI RMF vs ISO42001

Business and industry · 11 months · 24:21

Vendor Oversight: The Hidden Risk You're Ignoring

We explore why vendor oversight is a critical yet often overlooked aspect of compliance programs, examining how third and fourth-party vendors present the greatest risk to your company's data security. Our conversation dives into strategies for building effective vendor management systems that go beyond superficial checkbox activities.

• Third and fourth-party vendors create cascading risk levels for your business and customer data
• Vendor oversight requires continual relationship maintenance, not just initial vetting
• Security certificates like SOC 2 must be verified for currency and validity
• Companies frequently fail in vendor management during staff transitions
• Documentation is essential: maintain a supplier register with contracts, certifications, and contacts
• Track artifact expiration dates for compliance certificates, insurance, and penetration tests
• Proper offboarding procedures are crucial when ending vendor relationships
• Homework: review your top five vendors, confirm their compliance posture, and document relationships

Take these items back to your organization and dive into examining your vendor oversight program. Simple steps like documenting relationships, tracking certifications, and establishing clear escalation paths will significantly strengthen your compliance posture.
Business and industry · 1 year · 20:00

The Importance of Maintaining Your Compliance Program

The episode emphasizes the importance of maintaining a compliance program as an ongoing effort rather than a one-time task. It covers the evolving nature of regulations, risks of neglecting compliance, implementation best practices, and the critical role of vendor management.

• Compliance is an ongoing commitment, not a one-time task
• Regular audits and updated policies are crucial for effectiveness
• Employee training must be continuous to mitigate risks
• Neglecting compliance can result in severe financial and reputational damage
• Vendor management is essential to safeguarding sensitive data
• Technology can aid compliance efforts, but human oversight remains key
• Staying vigilant ensures preparedness for evolving legal requirements
Business and industry · 1 year · 26:51

Unlocking ISO Compliance with David Forman Founder of Mastermind Assurance

Unlock the secrets of ISO compliance with us as we sit down with David Forman, a seasoned ISO auditor and the co-founder of Mastermind Assurance. David pulls back the curtain on the unique role of ISO auditors and how their work stands apart from other assurance programs like SOC 2 and HITRUST. With his vast experience, David provides a clear breakdown of ISO standards, particularly focusing on governance requirements and control sections within management systems like ISO 27001. This episode is essential for anyone looking to understand the ISO certification process and its global impact.

Explore how data breaches, from the early 2010s to the pandemic era, have fundamentally altered consumer awareness and corporate security practices. David and our hosts delve into major incidents like the Equifax breach, discussing their profound influence on security compliance. We dive deep into the intricacies of SOC 2 and ISO 27001 certifications, highlighting the paths from SOC 2 Type 1 to Type 2 and ISO's Stage 1 to Stage 2 certifications. If you’re curious about how companies can transition between these frameworks to enhance their security credentials, this segment is a must-listen.

Navigating multiple compliance frameworks can be a challenging task, but David shares invaluable strategies for making this transition smoother, from HIPAA to ISO 27001 and beyond. The importance of a flexible governance program, stakeholder buy-in, and addressing pain points like GDPR and AI-related risks are all covered in detail. We also touch on emerging standards such as ISO 27701 for privacy management and ISO 42001 for AI management. Don't miss this treasure trove of insights and practical advice for anyone involved in the world of compliance.
Business and industry · 1 year · 45:07

Unlocking Security: A Deep Dive into SOC 2 Compliance with Kate Williams

Unlock the mysteries of SOC 2 compliance with Kate Williams, our expert CPA and certified SOC 2 auditor from Maxwell Locke & Ritter. Kate turns what could be a tedious topic into an accessible and engaging affair. We cover the ins and outs of the SOC 2 framework, its inception, and why tech companies big and small need to sit up and take notice. Kate's unique blend of humor and deep industry knowledge illuminates the audit process and the strategic value of SOC 2 reports, leaving no stone unturned in this critical discussion.

The tech landscape is evolving, and with it, the pressures faced by startups to achieve SOC 2 compliance. In a candid conversation with Kate, we dissect the nuances between SOC 1 and SOC 2 audits, and the difference between Type 1 and Type 2 reports. The insights offered go beyond mere compliance; they're about seizing opportunities and navigating the challenges of resource allocation for early-stage companies. This chapter reveals the true value of compliance investments and when it might be wise to challenge the status quo.

We wrap up with a deep dive into the darker side of tech – data breaches, their repercussions, and the subtleties of off-boarding processes. By sharing stories of security slip-ups and the importance of structured documentation, Kate emphasizes the need for robust cybersecurity measures. She also clarifies the distinctions between SOC 2 and ISO certifications, ensuring our listeners are armed with the knowledge to protect their companies from becoming another cautionary tale. Tune in for a conversational, yet enlightening session that's anything but a dry lecture on compliance.
Business and industry · 1 year · 40:53

The Dynamics of Husband and Wife Teams with Jen and James Schulz

Jen and James Schultz of Answer Midwest join us to share the rhythms of their 30-year marriage, both at home and at the helm of their family business. Imagine intertwining the threads of romance and entrepreneurship, crafting a tapestry of mutual respect, defined roles, and shared visions. Our guests recount their transition from college sweethearts to business co-pilots, offering listeners a real-life roadmap to blending love with livelihood.

We crack open the playbook on maintaining individuality while sharing a common goal, discussing how to preserve personal space amidst a shared professional landscape. Jen and James, along with my own experiences with my spouse Rob, provide insights into setting boundaries and respecting the professional-personal divide. We delve into the nuanced choreography of couple-run businesses, the importance of independence, and the delicate art of not letting shop talk overtake pillow talk.

Rounding out our conversation, we celebrate the legacy of Answer Midwest, where family, support, and wisdom intertwine to foster growth and innovation. We applaud the Schultzes for mastering the 'Space and Grace' mantra within their enterprise, and we encourage you, our dear listeners, to draw inspiration from their journey. Join us for a heartening look at the power of partnership in business and life, and perhaps find the spark to ignite your own story of success and togetherness.
Business and industry · 1 year · 57:50