There are more than 1.5 million nonprofit organizations in the United States. Of those, the National Center for Charitable Statistics estimates that over 170,000 are in the health-related sector. Many of these health services nonprofits are currently unaware that HIPAA laws apply to them. This leaves nonprofits vulnerable not only to audits from the Department of Health and Human Services but also to actual breaches of data that will affect your patients and clients.
The Office of Civil Rights (OCR) will not hesitate to levy a fine on a nonprofit if a data breach occurs. And the risk of a data breach is high. A stolen laptop or mobile device can easily contain hundreds of patient medical records. And the fine can be as high as $50,000 per medical record breached.
There is a simple litmus test to decide if HIPAA laws apply to your nonprofit. Do you store any of the following information for your patients, clients, members, or beneficiaries?
- Any past or present health conditions — either physical or mental
- Any past, present, or future planned medical treatment
- Any past, present, or future payment information for medical care
If any of the above data is stored with any of the following unique identifiers, your nonprofit must be HIPAA compliant. There are 18 traits that HIPAA looks for to identify someone:
- Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
It is rare that an organization would have health data on individuals without personally identifying those individuals. An example would be an organization that does research on the effects of a certain disease on the population of the United States. If the data was sanitized of any personal identifiers, and only showed effects on the general population in aggregate, HIPAA laws would not apply. But this is a narrow subset of data. Most data does include at least one or two personal identifiers.
So what should a nonprofit that stores health information do? HIPAA compliance is a very broad set of rules that range from administrative responsibilities and privacy training to IT-related security. There are hundreds of things to check during a security audit, and many small organizations don’t know where to start. Don’t let yourself become overwhelmed. With some help, a nonprofit can go from non-compliant to fully compliant in as little as 30 to 60 days. The first step is to perform a HIPAA risk assessment. This will help you decide where you are being compliant and where you are not. After a risk assessment, you can decide on a step-by-step plan to remediate each area of non-compliance.
J.J. Micro provides free HIPAA risk assessments to nonprofit organizations. If, after we provide our no-strings-attached assessment, you decide that your organization needs help to become compliant, we will provide you with a quote for our PracticeProtect service. PracticeProtect includes everything you need to be compliant. From encrypted email and storage/backup solutions to privacy policies and training procedures for your staff, we will walk you through each step of the process. Call us today at 636-556-0009 to schedule your free HIPAA risk assessment.