Does HIPAA Apply to Nonprofit Organizations?

Does HIPAA apply to nonprofit organizations? Many nonprofit organizations wonder whether they need to be HIPAA compliant. The answer is simple: if you work with protected health information (PHI) in any capacity, you are required to be HIPAA compliant. HIPAA requires specific measures to be in place; however, the requirements differ depending on the type of nonprofit organization you are. To provide guidance to nonprofit organizations, this article discusses HIPAA compliance for nonprofits.

Are You Working with Protected Health Information?

Before we get into specific HIPAA requirements, it is important to understand what protected health information (PHI) is, so that you can determine whether you are working with it. PHI is any piece of information in an individual's medical record that was created, used, or disclosed during the course of diagnosis or treatment and that can be used to personally identify that individual. This can relate to past, present, or future treatment.

The Department of Health and Human Services (HHS) categorizes PHI into 18 HIPAA identifiers as follows:

  1. Name
  2. Address (including subdivisions smaller than state such as street address, city, county, or zip code)
  3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voice prints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes

What is a Covered Entity?

HIPAA regulation defines covered entities as healthcare providers, health plans, and healthcare clearinghouses involved in the transmission of protected health information. This transmission can take place for the purpose of payment, treatment, operations, billing, or insurance coverage. Covered entities can include organizations, institutions, or persons.

Some examples of covered entities include:

  • Community health providers
  • Hospitals
  • Clinics
  • Health insurance providers (including self-insured)
  • Nursing homes

What is a Business Associate?

Business associates are contracted by covered entities to perform a service that may involve the use or disclosure of protected health information. Although they do not necessarily work with PHI directly, they may have the potential to access it through the services they provide.

Some examples of business associates include:

  • Managed service providers
  • Software providers
  • Third-party claims processors
  • Consultants
  • Healthcare attorneys