HIPAA for Nonprofits: 5 Things to Know


Digital health records have revolutionized patient care. It’s possible for patients to get care from their smartphones, all thanks to the digitization of their data. While these innovations improve the patient experience, they also open patients and providers up to security issues. 

In a world where healthcare information is so accessible, it’s important to protect it at every turn. Created in 1996, the Health Insurance Portability and Accountability Act (HIPAA) does just that. 

HIPAA has standardized healthcare data security, requiring any organization that touches patient data to protect it—or risk severe penalties. Fines for HIPAA violations range from $100 per violation to upward of $50,000 per violation, with the potential for up to 10 years of jail time. 

While it’s easy to assume that healthcare providers should follow HIPAA, the requirements aren’t as clear for business associates, especially in the nonprofit space. Learn how HIPAA policies work for nonprofits, as well as five ways you can stay HIPAA compliant. 

Does HIPAA Apply to Nonprofit Organizations?

HIPAA requires organizations to protect personal health information (PHI). This includes data on health conditions, current or future treatment options, and payment information. 

HIPAA also prohibits organizations from sharing any data that could personally identify a patient, including: 

  • Name
  • Address
  • Date of birth
  • Dates of treatments
  • Phone number
  • Email
  • Social Security number
  • Insurance information
  • Driver’s license
  • IP address
  • Photos
  • Fingerprints
In short, if an organization processes PHI in any way, it must comply with HIPAA. 

This obviously includes covered entities like healthcare providers, insurance companies, and healthcare clearinghouses. But it also applies to any business associates of these organizations. 

Even if your nonprofit doesn’t provide care directly, it is still required to follow HIPAA if it handles PHI in any way. For example, if your nonprofit processes patient credit card information, it needs to follow HIPAA regulations. 

What Does It Mean to Be HIPAA Compliant as a Nonprofit?

HIPAA requires any nonprofit that handles PHI to take reasonable security measures across its physical security, its network, and its procedures to protect patient data. 

HIPAA is made up of three components that organizations need to comply with: 

  • The Privacy Rule: This rule restricts who in your organization can access PHI. It requires organizations to keep PHI confidential and limit its access on a need-to-know basis only. 
  • The Security Rule: HIPAA requires administrative, technical, and security protections for any organization that touches PHI. 
  • HITECH: The Health Information Technology for Economic and Clinical Health Act extended HIPAA to be more compatible with modern technology. It also increased the severity of HIPAA fines for non-compliance. 
Not sure what these regulations mean for your nonprofit organization? Ensure your organization follows these five best practices to stay HIPAA compliant. 

1. Document and share HIPAA policies

Your organization must document and share all internal HIPAA policies among your staff. Your employees are also required to sign these HIPAA policies, acknowledging that they received them. This is essential for passing a HIPAA audit, so make sure you save these documents for several years.

2. Secure PHI 

Is your organization keeping PHI secure enough? It’s a HIPAA violation if hackers manage to gain unauthorized access to this data. That’s why it’s so critical to secure data and cloud applications. While the cloud makes data more available, it also exposes your organization to cyberattacks. 

Ensure that you’re using best practices like encryption, which renders patient data unreadable without the encryption key, making it useless to attackers. Your employees should also be trained on how to keep PHI secure, which means knowing, for example, that they shouldn’t send emails containing patient information. 

3. Enable access control

Nonprofits are often small and forced to operate lean. However, that doesn’t mean every employee needs unfettered access to patient data. HIPAA requires nonprofits to have access control in place.

This means: 

  • Every staff member uses their own account to access your network. Shared accounts aren’t allowed.
  • Every account has a unique username and password. 
  • Paper files and server rooms are kept locked.
  • Access to PHI is restricted strictly on a need-to-know basis. 

4. Track activity and access

HIPAA auditors will ask to see your activity logs, so it’s a good idea to track how your team interacts with PHI. Document who is accessing the PHI and how they’re using it. Over time, you can use this data to pinpoint any anomalies that could be an undetected breach.
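The following is an added example written for this article; it is not code from Dice Communications or from any HIPAA tooling. It shows, in one small Python script using only the standard library, the two practices described in points 3 and 4: a need-to-know check that denies any action a role was not explicitly granted, and a review of a PHI access log that flags shared accounts, actions outside the user’s role, and one account touching an unusual number of distinct patients in a short window. The log format, the role names, the `shared-` account prefix, and the sample entries are all constructed for the example.

```python
"""Review a PHI access log for need-to-know violations and anomalies (added example, stdlib only)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Need-to-know policy: each role may perform only the actions listed here.
# Roles and action names are assumptions chosen for this example.
ROLE_PERMISSIONS = {
    "nurse": {"VIEW", "UPDATE"},
    "billing": {"VIEW_BILLING"},
    "reception": {"SCHEDULE"},
}

# Accounts with this prefix are treated as shared logins (a naming convention assumed here).
SHARED_PREFIX = "shared-"

# Constructed audit log: ISO timestamp, account, role, action, patient id.
SAMPLE_LOG = """\
2024-03-04T09:01:10 jsmith nurse VIEW P1001
2024-03-04T09:03:42 jsmith nurse UPDATE P1001
2024-03-04T09:05:00 shared-frontdesk reception SCHEDULE P1003
2024-03-04T09:06:15 kdoe billing VIEW_BILLING P1001
2024-03-04T09:07:30 kdoe billing VIEW P1004
2024-03-04T22:14:05 mlee nurse VIEW P1005
2024-03-04T22:14:20 mlee nurse VIEW P1006
2024-03-04T22:14:33 mlee nurse VIEW P1007
2024-03-04T22:14:51 mlee nurse VIEW P1008
2024-03-04T22:15:02 mlee nurse VIEW P1009
2024-03-04T22:15:19 mlee nurse VIEW P1010
"""


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, role, action, patient = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "role": role,
            "action": action,
            "patient": patient,
        })
    return events


def is_permitted(role, action):
    """Need-to-know check: deny anything the role is not explicitly granted."""
    return action in ROLE_PERMISSIONS.get(role, set())


def find_anomalies(events, window=timedelta(minutes=5), max_patients=5):
    """Return (kind, account, detail) tuples for events worth a reviewer's attention.

    Three checks: shared accounts, actions outside the role's need-to-know,
    and one account touching many distinct patients within a short window.
    """
    findings = []
    recent = defaultdict(list)  # account -> [(time, patient)] inside the sliding window
    bulk_flagged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"]
        if acct.startswith(SHARED_PREFIX):
            findings.append(("shared_account", acct, f"{ev['action']} {ev['patient']}"))
        if not is_permitted(ev["role"], ev["action"]):
            findings.append(("outside_role", acct,
                             f"{ev['role']} performed {ev['action']} on {ev['patient']}"))
        # Keep only this account's events that fall inside the window, then count patients.
        hist = recent[acct] + [(ev["time"], ev["patient"])]
        recent[acct] = [(t, p) for t, p in hist if ev["time"] - t <= window]
        distinct = {p for _, p in recent[acct]}
        if len(distinct) > max_patients and acct not in bulk_flagged:
            bulk_flagged.add(acct)
            findings.append(("bulk_access", acct, f"{len(distinct)} patients within {window}"))
    return findings


def summarize(events):
    """Count accesses per (account, action): the 'document who is accessing PHI' part."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["account"], ev["action"])] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (account, action), n in sorted(summarize(evs).items()):
        print(f"{account:18} {action:13} {n}")
    for kind, acct, detail in find_anomalies(evs):
        print(f"FLAG {kind:15} {acct:18} {detail}")
```

On the constructed log the script flags the shared front-desk login, the billing user who opened a clinical record, and the nurse who viewed six different patients in about a minute late at night. The thresholds (`window`, `max_patients`) are starting points; tune them to your organization’s normal workload so the report stays short enough that someone actually reads it.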

5. Document a breach remediation plan

Breaches happen, especially with healthcare data. While nonprofits should do everything they can to minimize breaches, it’s good to have a plan in place for how your organization should handle cyberattacks. 

Create situational plans based on how severe the breach is. For example, you need separate plans for accidental employee breaches versus more serious breaches that come from hacks. 

How Can Dice Help? 

Nonprofits must comply with HIPAA if they process any healthcare information. The purpose of HIPAA isn’t to impose undue hardships on your organization, but to protect patients and prevent the irreparable damage that comes from cyberattacks. 

Understand how your nonprofit must comply with HIPAA. Following these five requirements is a good start, but every organization is different and may need to follow additional guidelines. 

HIPAA compliance can feel overwhelming, especially for small nonprofits. If your organization needs to comply with HIPAA but isn’t sure where to start, we’re here to help. See how Dice Communications helps nonprofits streamline HIPAA compliance.