By asking a few simple questions, an SMB can determine if it is meeting some of the basic compliance elements; identify compliance areas that it needs to address; and establish a starting point for action.
Do you know what will happen to your business operations if parts of your networks or systems fail?
Are your systems and networks protected against viruses and other malware?
Do you have ways to authenticate everyone who accesses your information systems and data?
Can you monitor how your IT network is used and by whom?
Do you have the means to track security incidents?
Is your data tamper-proof?
Is your key data backed up off-site?
Have you protected "unstructured" data -- that is, the e-mails, spreadsheets, and other documents on your employees' desktop systems?
Do you have companywide e-mail archiving capability?
How long does your data need to be archived and how quickly must you be able to retrieve it?
Can you show/prove that you are in compliance?
Now, I am an IT guy, and the solutions that come to mind when I am asked about compliance tend to be fairly technological in nature. But I also spend a lot of time speaking to various groups about HIPAA compliance, and most questions I am asked involve more Social Engineering than Computer Science.
As I am constantly nagging, you must build your systems so that they are as close to transparent to the user as possible. Make technical solutions the backbone of compliance, but flesh it out in a pleasing, user-friendly fashion.