HIPAA Compliance for Nonprofits

It’s been more than two decades since the Health Insurance Portability and Accountability Act (HIPAA) was introduced, but many nonprofits are still working to implement policies and procedures that ensure the safe handling of protected health information (PHI). HIPAA compliance for nonprofits can be complex, but the following tips will help to keep you on track.

Technology Considerations for HIPAA

The core principle underlying HIPAA is that any organization that provides health services, and is entrusted with protected health information in the course of providing those services (along with any business associate that handles PHI on its behalf), has a responsibility to do whatever it reasonably can to keep that PHI confidential and secure.

From a technological standpoint, that means your nonprofit should be:

  • Encrypting sensitive information both “at rest” (wherever it is stored, including laptops, phones, and backups) and “in transit” (whenever it moves across a network, e.g. as it is submitted, synced, or emailed), by way of full-device encryption and secure messaging services such as Zix and Office 365 email. Under the HIPAA Security Rule encryption is an “addressable” specification rather than a strict mandate, but PHI that is properly encrypted is not considered “unsecured” if a device is lost or stolen, so in practice it is the baseline.
  • Defending all systems that process or store sensitive information from unwanted and malicious software, misconfiguration, and unauthorized access. This generally entails enrolling all end-user devices in a remote management and monitoring toolkit such as Comodo, Kaseya, or Autotask, and/or a Mobile Device Management platform such as AirWatch, MaaS360, or Intune, and configuring these tools to enforce prompt application of software updates, the presence of up-to-date anti-malware tooling, short screen lock timeouts, and other key security settings. It may also be useful to enroll shared or kiosk PCs in a tool such as Deep Freeze, which restores a PC to a clean configuration at every reboot; note that anything saved locally on such a machine is discarded, so PHI must live on a server or encrypted network share rather than the desktop.
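The management tools above only help if someone verifies that the settings they are supposed to enforce actually hold on every device. The following is an added example, not code from the original article or from any of the vendors it names: a small Python check that turns the baseline described in the list (disk encryption, prompt patching, current anti-malware, short screen lock) into an automated audit over a device inventory. The inventory format, field names, and thresholds are assumptions; a real MDM or RMM export will look different and should be mapped into the `Device` record.

```python
"""Baseline compliance check over a device inventory export.

Added example (not from the original article). The inventory fields and the
threshold values are assumptions standing in for whatever your written
baseline policy says; adjust them to match the policy, not the other way round.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy thresholds; change to match your documented baseline.
MAX_SCREEN_LOCK_SECONDS = 600        # 10 minutes of inactivity
MAX_PATCH_AGE_DAYS = 30              # OS updates applied within the last month
MAX_AV_DEFINITION_AGE_DAYS = 7       # anti-malware signatures no older than a week


@dataclass(frozen=True)
class Device:
    """One row of a (hypothetical) MDM/RMM inventory export."""
    name: str
    user: str
    disk_encrypted: bool
    screen_lock_seconds: int            # 0 means the screen never locks
    last_patched: date
    antimalware_installed: bool
    av_definitions_date: Optional[date]  # None when the agent reports no signatures


def check_device(dev: Device, today: date) -> List[str]:
    """Return the baseline controls this device fails; an empty list means compliant."""
    findings: List[str] = []
    if not dev.disk_encrypted:
        findings.append("disk not encrypted")
    # A timeout of 0 is "never lock", which is worse than a long timeout, so treat it as a failure too.
    if dev.screen_lock_seconds == 0 or dev.screen_lock_seconds > MAX_SCREEN_LOCK_SECONDS:
        findings.append(f"screen lock disabled or longer than {MAX_SCREEN_LOCK_SECONDS}s")
    if (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"no OS patches applied in more than {MAX_PATCH_AGE_DAYS} days")
    if not dev.antimalware_installed:
        findings.append("anti-malware missing")
    elif (dev.av_definitions_date is None
          or (today - dev.av_definitions_date).days > MAX_AV_DEFINITION_AGE_DAYS):
        findings.append(f"anti-malware definitions older than {MAX_AV_DEFINITION_AGE_DAYS} days")
    return findings


def audit(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map device name to its findings, including only devices that fail at least one control."""
    report: Dict[str, List[str]] = {}
    for dev in devices:
        findings = check_device(dev, today)
        if findings:
            report[dev.name] = findings
    return report


# Constructed sample inventory for the demonstration; these are not real devices.
TODAY = date(2024, 3, 1)
SAMPLE_DEVICES = [
    Device("lt-001", "amy", True, 300, date(2024, 2, 20), True, date(2024, 2, 28)),
    Device("lt-002", "ben", False, 0, date(2023, 11, 1), True, date(2024, 1, 1)),
    Device("lt-003", "cara", True, 900, date(2024, 2, 25), False, None),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DEVICES, TODAY).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run against the constructed inventory, `lt-001` passes every control, `lt-002` fails all four, and `lt-003` fails the screen-lock and anti-malware checks. The output is the list an auditor will ask to see evidence of, so keep each run (and the remediation tickets it produced) with your compliance records.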

Setting Policies and Procedures

HIPAA compliance is ultimately judged in an audit or breach investigation by the HHS Office for Civil Rights (OCR), and what gets judged is largely the paper trail: a practice that is not written down and followed does not count. Your nonprofit will therefore probably need to consult an attorney and/or a firm that specializes in HIPAA compliance to generate the documentation you need to demonstrate compliance. A big part of that documentation is a suite of policies and procedures that cover all of these topics:

  • Baseline security configuration of all IT systems and platforms—what software should be installed, what settings should be applied, what permissions should be given, etc.
  • Software approval and update protocols—list of software that is approved for use in the organization, how frequently all software and hardware in use in the organization is checked for software/firmware updates, what procedures are followed to test new software before it is approved and software updates before they are applied.
  • Account management—what must be done to properly onboard new staff and offboard departing staff, including how quickly access is revoked when someone leaves.
  • Data classification and access rules—a list of the types of PHI the organization handles, who has access to each type, and for what purpose, with an emphasis on making sure that no one ever has more access to PHI than they need to do their job (the Privacy Rule’s “minimum necessary” standard).
  • Privacy policy—what PHI the organization stores, how it stores that data, who it shares the data with, and for what purpose.

Official policies should be accompanied and reinforced by regular training and short FAQ documents that help staff understand the most important takeaways from the larger policies.

Regular Testing

The last important aspect of HIPAA compliance is regular testing of the processes and protections the organization has established, to confirm that these defenses are actually keeping the PHI the organization works with sufficiently safe. The Security Rule requires a documented risk analysis and periodic technical and non-technical evaluation of safeguards, but it does not set a fixed schedule or name specific tests; an annual risk assessment is the accepted practice, and most organizations include vulnerability scans and penetration tests (simulated attacks that test how well the organization is defended against common digital threats) as part of it. Track every finding to remediation, since a finding left open from a previous assessment is hard to defend in an investigation.

Have technology questions or want to learn more about how Tech Impact can help your nonprofit?