Should HIPAA Compliance Be On Your Non-Profit Organization’s Radar?

Over 1.5 million non-profit organizations exist in the United States. An estimated 170,000 of those operate in the health-related sector, and many of them don’t realize they’re subject to HIPAA.

The National Center for Charitable Statistics estimates that over 170,000 non-profit organizations are operating in the health-related sector in the United States. Many of them aren’t aware that HIPAA compliance should be on their radar. If you’re a non-profit organization operating in the health-related sector, be aware that the Department of Health and Human Services, through its Office for Civil Rights, enforces HIPAA and could audit or investigate you at some point; non-profit status is not an exemption. Just as importantly, the health data you hold can be breached, and a breach affects your patients and clients whether or not a regulator ever looks at you.

Let’s take a step back… What is HIPAA?

HIPAA refers to the Health Insurance Portability and Accountability Act. Its Privacy and Security Rules set the standard for protecting individually identifiable health information, known as protected health information or PHI, against unauthorized use and disclosure. Covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and their business associates must have appropriate administrative, physical, and technical safeguards in place to keep PHI from falling into the wrong hands.

So how do you know if you have PHI? Look at the information you store about your clients, beneficiaries, and members. If it includes any of the following, you likely have PHI on hand:

  • Information about past or present health conditions
  • Information about past, present or future medical treatments
  • Information about past, present or future payment for care

This data is PHI when it is tied to identifiers that could link an individual to a condition, treatment or payment. HIPAA lists 18 such identifiers, including names, addresses (and any geographic unit smaller than a state), dates other than year that relate to the individual, phone numbers, email addresses, social security numbers, medical record numbers, health plan and account numbers, IP addresses, biometric identifiers, full-face photographs, and any other unique number, characteristic or code that could identify the person.

If you perform certain activities on behalf of, or provide certain services for, a covered entity that involve PHI, you’re likely a business associate, and the covered entity is required to have a business associate agreement (BAA) with you.

As such, you’re directly liable for compliance with the Security Rule and with many Privacy Rule provisions. So how can you stay compliant? Here are a few tips:

  1. Talk with any third-party providers: If you’re working with a database or cloud storage company, ask them how they’re keeping your data safe. They handle PHI on your behalf, so they’re business associates too: make sure they’ll sign a business associate agreement and can show how they meet HIPAA’s safeguards.
  2. Restrict access to protected health information: HIPAA’s minimum necessary standard means that if an employee doesn’t need access to PHI to perform the responsibilities of their role, they shouldn’t have it. Review access whenever roles change or people leave.
  3. Set up encryption and two-factor authentication: Wherever possible, encrypt PHI at rest and in transit and require two-factor authentication on ALL systems that store, transmit or access PHI. Encryption also matters after an incident: under the Breach Notification Rule, lost or stolen PHI that was encrypted according to HHS guidance is not considered “unsecured”, so it generally doesn’t trigger breach notification.
  4. Keep detailed records of file access: The Security Rule’s audit controls requirement means every system holding electronic PHI needs a mechanism to record who accessed which records and when, including denied attempts. Retain those logs, protect them from tampering, and review them regularly; a log nobody reads won’t help you spot misuse before a patient does.
  5. Create a plan for responding to breaches: If a breach DOES happen, you’ll need to notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify HHS, and notify the media if more than 500 residents of a state are affected. Having a plan ready matters because penalty tiers depend on culpability: a problem that is discovered, documented and corrected promptly is treated very differently from willful neglect left unaddressed, and that difference can save you a ton of money in fines.
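As an added example (not code from the original page or from any vendor it describes), the following Python sketch combines tips 2 and 4: a minimum-necessary policy that returns only the fields a role is allowed to see, and an append-only, hash-chained audit log that records every request, including the fields that were denied and lookups of records that don’t exist. The sample record, the roles and the field names are assumptions for illustration.

```python
"""Minimum-necessary access to PHI with a tamper-evident audit trail.

Added example; not code from the original page or any vendor it describes.
The record, roles and field names below are assumptions for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample record. Field names are assumptions, not a real schema.
SAMPLE_RECORDS = {
    "MRN-0001": {
        "name": "Jane Doe",
        "dob": "1980-04-12",
        "diagnosis": "Type 2 diabetes",
        "treatment": "Metformin 500 mg",
        "billing_balance": "120.00",
    },
}

# Minimum-necessary policy (assumed roles): each role sees only the fields
# its job requires. A role absent from this table gets nothing.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "treatment"},
    "billing": {"name", "billing_balance"},
    "volunteer": set(),
}

GENESIS_HASH = "0" * 64


def _hash_entry(entry):
    """SHA-256 over the entry's fields (excluding its own hash) in canonical order."""
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class PhiStore:
    def __init__(self, records, policy):
        self._records = records
        self._policy = policy
        self.audit_log = []  # append-only; each entry chains to the previous one

    def _record_access(self, user, role, record_id, granted, denied):
        prev = self.audit_log[-1]["entry_hash"] if self.audit_log else GENESIS_HASH
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "record_id": record_id,
            "granted": granted,
            "denied": denied,
            "prev_hash": prev,
        }
        entry["entry_hash"] = _hash_entry(entry)
        self.audit_log.append(entry)

    def read(self, user, role, record_id, fields):
        """Return only the requested fields the role may see; log everything, denials included."""
        allowed = self._policy.get(role, set())
        granted = sorted(f for f in fields if f in allowed)
        denied = sorted(f for f in fields if f not in allowed)
        record = self._records.get(record_id, {})
        # Log even when the record does not exist: probing for valid MRNs is worth seeing.
        self._record_access(user, role, record_id, granted, denied)
        return {f: record[f] for f in granted if f in record}

    def verify_audit_log(self):
        """True if every entry's hash is intact and chains to its predecessor."""
        prev = GENESIS_HASH
        for entry in self.audit_log:
            if entry["prev_hash"] != prev or _hash_entry(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    store = PhiStore(SAMPLE_RECORDS, ROLE_FIELDS)
    print(store.read("alice", "billing", "MRN-0001", ["name", "diagnosis", "billing_balance"]))
    print(store.read("bob", "volunteer", "MRN-0001", ["name"]))
    print("log intact:", store.verify_audit_log())
    store.audit_log[0]["granted"] = ["diagnosis"]  # simulate someone editing the log
    print("log intact after tampering:", store.verify_audit_log())
```

In a real deployment the log would be written to a separate, write-once store that the application’s own credentials cannot modify, and the verification routine would run as part of regular log review; the hash chain here only makes tampering detectable, it does not prevent it.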

A violation isn’t always a grand attack that takes you down. Sometimes it’s a simple email in which a patient record is sent to the wrong recipient. Let’s talk about HIPAA compliance for non-profit organizations. Call (516) 207-1889 or email us at