February 13, 2014

Nonprofits and HIPAA Violations: An Overview

This article was originally published on GuideStar on February 13, 2014.


We are concerned about potential HIPAA violations. Where can our nonprofit turn to find out if we are violating HIPAA and what we need to do to fix this problem?


The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") impacts any business that is a "covered entity" and those entities that work with them directly or indirectly, known as "business associates." HIPAA has been implemented through a series of separate, but interconnected, regulations. The Privacy Rule governs the use and disclosure of certain health information that is known as protected health information (or "PHI"), whether in oral, written, or electronic form. It requires safeguards to protect the privacy of PHI, sets boundaries on uses and disclosures that may be made of such information without patient authorization, and grants patients certain rights regarding their health information. The Security Rule provides various administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI. Finally, the Breach Notification Rule sets nationwide notification standards for when there is a discovery of a breach of unsecured (i.e., unencrypted) PHI.

If you are concerned about potential HIPAA violations, the first step is to confirm whether you are a covered entity or a business associate. The agency in the federal government that enforces HIPAA, the Office for Civil Rights ("OCR"), has a website that describes the three major types of covered entities: health care clearinghouses, health plans (including health insurance companies and employer-sponsored health plans), and health care providers that electronically transmit health information in connection with certain transactions, including billing. You can find this information here. If you perform certain functions or activities on behalf of, or certain services for, a covered entity involving PHI (directly or indirectly as a subcontractor), you could be (and likely are) a business associate.

Covered entities must comply with all aspects of the HIPAA rules, and business associates are directly liable for compliance with most provisions. OCR's website has detailed information regarding the three major provisions of the HIPAA rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. However, OCR recently released major changes to many provisions of these rules, and the cited webpages have not yet been updated to reflect these changes. OCR's website contains a press release providing a brief overview of these changes and a link to the final rule that ushered them in. A summary of the recently released rule can be found in this article.

Finally, here are the recordings and streaming PowerPoint presentations and related handout materials for two Summer 2013 Venable webinars on the subject: "The Road Map to HIPAA Compliance: What Your Nonprofit Needs to Know" and "Evaluating Your Nonprofit's Options under the Affordable Care Act: The Pros and Cons of Health Insurance Alternatives for Your Employees."

* * * * *

The preceding question was submitted through GuideStar's social networks, and the answer was provided by Thora A. Johnson, Esq., Partner, Venable LLP, Baltimore, MD.

Thora Johnson focuses on tax-exempt organizations, employee benefits and executive compensation matters. She advises clients on the establishment and operation of tax-exempt organizations, including private foundations, public charities, trade associations, and title holding companies. She also counsels clients on the establishment and operation of qualified and non-qualified deferred compensation plans and health and welfare benefit plans.