Should Your Non-Profit Organization Be Concerned About HIPAA Compliance?

Do you collect, store, or access electronic protected health information at all? If so, the answer is a resounding YES…

An estimated 170,000 non-profit organizations are operating in the health-related sector throughout the US. Many of them aren’t aware that HIPAA compliance does, in fact, apply to them, as long as they’re collecting, storing or accessing electronic protected health information. HIPAA, which refers to the Health Insurance Portability and Accountability Act, was enacted in 1996 to protect the confidentiality and integrity of patient data. Although it’s easy to assume HIPAA affects healthcare providers alone, this isn’t the case.

Nonprofit and HIPAA

What is HIPAA and how does it work?

HIPAA sets the standard for protecting patient data, also known as protected health information or PHI, against unauthorized or unlawful access. Essentially, health information can’t be provided to or seen by anyone without the individual’s consent. This includes anything related to medical records, conversations, or billing information regarding medical treatment. In addition, those with access to health information must alert patients when the information is shared or used.

If you’re storing, accessing or using health information relating to your clients, members, or beneficiaries, you must comply with HIPAA. This health information may be regarding:

  • Health conditions
  • Medical treatments
  • Payment information

This information, along with any “identifiers” that could link an individual to their respective health information, is protected under HIPAA.

Who must comply with HIPAA?

Anyone who falls into one of two broad categories: covered entities (healthcare providers, health plans, or clearinghouses) and business associates (any third parties who have access to protected health information). Many non-profit organizations fall under the “business associate” category because they perform activities on behalf of, or provide services to, a covered entity.

HIPAA contains many different categories that govern the protection of patient information, including the following:

  1. The Privacy Rule: Governs who has access to protected health information to ensure the confidentiality, privacy, availability, and integrity of that data.
  2. The Security Rule: Outlines a series of technical, physical, and administrative security procedures to ensure the security of protected health information.
  3. HITECH: Defines and enforces proper handling of electronic protected health information, and increases the liabilities and potential fines for misuse.

It’s vital to take the right precautions to keep electronic protected health information safe from unauthorized access. This may include simple measures, such as:

  1. Encrypting emails that may contain sensitive information
  2. Using passwords to restrict access to systems containing sensitive information
  3. Keeping monitors turned away from others while accessing sensitive information
  4. Avoiding faxing or any other unsafe way of sending sensitive information
  5. Logging off any systems that contain sensitive information before stepping away
  6. Setting up two-factor authentication for systems containing sensitive information

Although the simple measures above may seem straightforward, they go a long way toward helping ensure you’re compliant with HIPAA. You should also talk with your technology partner about the following:

  • Scheduling a HIPAA risk assessment, in which they perform a thorough, in-depth assessment of your environment to identify any vulnerabilities and/or weak points.
  • Creating a breach response plan so you’re prepared to respond appropriately depending on the severity of the violation.

A violation isn’t always a massive cyber-attack. Sometimes, a violation is as simple as an employee leaving a laptop that contains electronic protected health information in a coffee shop. Let’s talk about HIPAA compliance for non-profit organizations. Call (516) 207-1889 or email us at info@networkoutsource.com.