April 15 is a daunting deadline for millions of Americans. But this year, the day before Tax Day might be even more stressful for thousands of small and midsize businesses.
April 14 is the privacy standards compliance deadline for many small employers under the Health Insurance Portability and Accountability Act (HIPAA). Under the law, companies must take specific measures to guard the privacy of medical information. This includes providing a uniform level of protection for physical storage, maintenance, transmission and access to individual health information.
HIPAA affects organizations that store or transmit “individually identifiable health information.” This covers any SMB that administers a self-insured health plan providing medical, dental, vision, employee-assistance or health flexible-spending benefits, but exempts some firms that administer plans covering fewer than 50 people. Other exemptions include disability coverage, workers' compensation and accident-only coverage.
Non-compliance could result in stiff penalties: $100 to $25,000 per person, per violation. And if health information is used for commercial gains, criminal penalties kick in: $50,000 to $250,000 in fines and 1 to 10 years in prison.
To comply with HIPAA privacy and security standards, you need to develop and maintain a complete security program. A side benefit is that the same program also protects your company’s intellectual property. Follow our six-step process:
1. Perform a risk analysis. Identify specific physical and digital assets of value, including buildings, systems and information. Then consider the internal and external threats to these assets, such as hackers, employees, fire, loss of power, etc. Finally, analyze how well-protected the assets are today and what improvements should be made.
2. Create a security policy. Establish clear guidelines for safe computing in your workplace. They should include an acceptable use policy; security guidelines aimed at preventing viruses and hackers; and guidelines determining which employees can access specific documents and systems. Some templates and examples of security policy can be found at the SANS Institute.
3. Implement proactive security measures. These should be both virtual and physical, and include: installation of software tools such as a firewall, virus protection, user authentication, spam filtering and virtual private networks; installation of locks on rooms that hold servers and phone systems; and implementation of employee ID and visitor-tracking procedures to prevent unauthorized access to restricted areas.