There are more than 1.5 million nonprofit organizations in the United States. Of those, the National Center for Charitable Statistics estimates that over 170,000 are in the health-related sector. Many of these health services nonprofits are unaware that HIPAA applies to them. That leaves them exposed not only to audits by the Department of Health and Human Services but to real breaches of data that affect their patients and clients.

The Office for Civil Rights (OCR) will not hesitate to fine a nonprofit after a data breach, and the risk of a breach is high. A stolen laptop or mobile device can easily hold hundreds of patient records, and penalties run up to $50,000 per violation, subject to an annual cap per provision violated. Note that the loss of a device whose data was encrypted in line with HHS guidance is not a reportable breach, because the records are unreadable to the thief; the loss of an unencrypted device is. Full-disk encryption on every laptop and phone that touches patient data is therefore the single cheapest control against this scenario.

There is a simple litmus test for whether HIPAA applies to your nonprofit. Do you store any of the following information about your patients, clients, members, or beneficiaries?

If any of the above data is stored together with any of the following identifiers, it is protected health information (PHI), and a nonprofit that is a covered entity (a provider, health plan, or clearinghouse) or that handles it on behalf of one as a business associate must be HIPAA compliant. HIPAA lists 18 identifiers that make health data individually identifiable:

It is rare for an organization to hold health data on individuals without also identifying those individuals. One example would be an organization that researches the effects of a disease on the United States population. If the data were stripped of all 18 identifiers (what HIPAA calls the Safe Harbor de-identification method) and showed only effects on the population in aggregate, it would not be PHI and HIPAA would not apply. But that is a narrow subset of data. Most data includes at least one or two personal identifiers, and identifiers also leak into free-text fields such as case notes, where a field-by-field review will not find them.
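The following Python script is an added example, not code from the original article or from J.J. Micro. It shows both halves of the litmus test above on constructed (fictional) records: a scan that finds identifiers either as named fields or as patterns buried in free text, and a Safe Harbor style cleanup that reduces dates to year, collapses ages over 89 into a "90+" bucket, truncates ZIP codes to three digits, and then aggregates by diagnosis. The field names, the identifier subset (it does not enumerate all 18), the regex formats, and the set of population-restricted ZIP prefixes are assumptions made for the example.

```python
"""Added example: detect identifiers in health records and produce a Safe Harbor
style de-identified aggregate. Field names, the identifier subset, the regex
formats and the sample records are assumptions/constructed for illustration."""
import re
from collections import Counter

# Subset of the Safe Harbor direct identifiers; field names are assumed.
DIRECT_IDENTIFIER_FIELDS = frozenset(
    {"name", "ssn", "email", "phone", "mrn", "street_address", "device_id", "ip"}
)

# Patterns that catch identifiers leaking into free text (assumed formats).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

# Constructed sample records describing fictional people.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1951-03-14", "zip": "63101",
     "diagnosis": "type 2 diabetes", "notes": "follow-up in 6 weeks"},
    {"name": "John Roe", "ssn": "987-65-4321", "dob": "1929-07-02", "zip": "03601",
     "diagnosis": "hypertension", "notes": "call 555-123-4567 to reschedule"},
    {"name": "Ann Poe", "ssn": "555-44-3333", "dob": "1988-11-30", "zip": "63105",
     "diagnosis": "type 2 diabetes", "notes": ""},
]


def find_identifiers(record):
    """Return the identifier kinds present in a record, whether as a populated
    direct-identifier field or as a pattern inside any free-text value.
    A non-empty result plus health data means the record is PHI."""
    found = {f for f in DIRECT_IDENTIFIER_FIELDS if record.get(f)}
    for value in record.values():
        if isinstance(value, str):
            for kind, pattern in IDENTIFIER_PATTERNS.items():
                if pattern.search(value):
                    found.add(kind)
    return found


def generalize_zip(zip_code, restricted_prefixes=frozenset()):
    """Safe Harbor keeps only the first three ZIP digits, and those become 000
    when the three-digit area holds 20,000 or fewer people. The Census-derived
    set of such prefixes is supplied by the caller (assumption)."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in restricted_prefixes else prefix


def age_bucket(birth_year, as_of_year):
    """Ages over 89 collapse into a single '90+' bucket, as Safe Harbor requires."""
    age = as_of_year - birth_year
    return "90+" if age > 89 else str(age)


def deidentify(record, as_of_year, restricted_prefixes=frozenset()):
    """Keep only non-identifying fields. Dates are reduced to year (dropped for
    the 90+ bucket) and ZIP is generalized. Free-text notes are dropped outright
    because they cannot be cleaned reliably by field name alone."""
    birth_year = int(record["dob"][:4])
    age = age_bucket(birth_year, as_of_year)
    return {
        "diagnosis": record["diagnosis"],
        "zip3": generalize_zip(record["zip"], restricted_prefixes),
        "birth_year": None if age == "90+" else birth_year,
        "age": age,
    }


def deidentified_dataset(records, as_of_year, restricted_prefixes=frozenset()):
    """De-identify every record and verify nothing identifier-like survived."""
    cleaned = [deidentify(r, as_of_year, restricted_prefixes) for r in records]
    assert all(not find_identifiers(c) for c in cleaned), "identifier survived cleanup"
    return cleaned


def aggregate_by_diagnosis(records):
    """Counts per diagnosis: the aggregate population view the article describes."""
    return Counter(r["diagnosis"] for r in records)


if __name__ == "__main__":
    print("identifiers in record 2:", find_identifiers(SAMPLE_RECORDS[1]))
    rows = deidentified_dataset(SAMPLE_RECORDS, as_of_year=2024)
    for row in rows:
        print(row)
    print(dict(aggregate_by_diagnosis(rows)))
```

Running it shows the second record flagged for a name, an SSN and a phone number even though the phone number lives only in the notes field, which is exactly the kind of identifier a column-level review misses. The de-identified rows carry no direct identifiers, and the final counter is the aggregate view that falls outside HIPAA.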

So what should a nonprofit that stores health information do? HIPAA compliance is a broad set of rules, ranging from administrative responsibilities and privacy training to IT security. There are hundreds of items to check during a security audit, and many small organizations don't know where to start. Don't let yourself become overwhelmed. With some help, a nonprofit can go from non-compliant to fully compliant in as little as 30 to 60 days. The first step is a HIPAA risk assessment, which the Security Rule requires in any case. It will tell you in which areas you are non-compliant and in which you are already compliant. From there you can lay out a step-by-step plan to remediate each gap, starting with the controls that limit breach impact, such as device encryption and access control.

J.J. Micro provides free HIPAA risk assessments to nonprofit organizations. If, after our no-strings-attached assessment, you decide that your organization needs help to become compliant, we will provide a quote for our PracticeProtect service. PracticeProtect includes everything you need to be compliant: from encrypted email and storage/backup solutions to privacy policies and training procedures for your staff, we will walk you through each step of the process. Call us today at 636-556-0009 to schedule your free HIPAA risk assessment.