There are an astonishing number of U.S. charities working in healthcare — just under 40,000. Some of the largest nonprofits in the country work in this field, which comprises over 12 percent of the charitable sector. Add to that the organizations that work in some way with health records and the number goes up even more.
HIPAA is the body of U.S. law that makes the rules for the safe, secure handling of protected health information. Below we'll say a bit about what HIPAA compliance entails for organizations working with health records and also some of the HIPAA-compliant TechSoup products that can help you safeguard patient privacy.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that was enacted in 1996. HIPAA was created primarily to modernize the handling of healthcare records for the information age. The law has requirements on how individuals' health information (known as "protected health information") is maintained and protected from fraud and theft by any organization that handles health records.
Nonprofits that deal in any way with protected health information (PHI) must have physical, IT network and process security measures in place and follow them to ensure HIPAA compliance. Nonprofits that don't comply with HIPAA rules can face thousands of dollars in fines — as much as $50,000 per violation.
How to Comply with HIPAA When Serving Your Clients
Charities that handle medical records in any way have a considerable amount of extra work to do. Here is a partial list of the major requirements for HIPAA compliance.
- Do six required annual audits and assessments and keep documentation to show you have conducted them for the past six years. Find a list of them here.
- Develop policies and procedures for providing patients with access to their health information. Also provide patients or clients with a HIPAA Notice of Privacy Practices and Client Rights document to read and sign. Find an example here (PDF).
- Maintain a secure HIPAA-compliant database and ensure that your cloud storage provider is actively HIPAA-compliant.
- Ensure that employees authorized to handle protected health information transfer data using encryption and unique usernames and passwords. Employees must also undergo annual HIPAA training.
- Regularly audit who is accessing and handling records covered by HIPAA, and how, to identify any suspicious activity.
- Identify all of your vendors and business associates and have written HIPAA agreements with them. Also perform regular annual due diligence on their HIPAA compliance.
- Create a plan for security breaches and have policies and procedures in keeping with the annual HIPAA Privacy, Security, and Breach Notification Rules. Your remediation plans must be fully documented in writing.
Find a full checklist of HIPAA compliance requirements here (PDF) courtesy of HIPAA Journal.
TechSoup Products for HIPAA Compliance
TechSoup has many HIPAA-compliant donated and discounted products for our members. We list several of them below in the areas of cybersecurity, file sharing, data storage and recovery, identity management, online office suites, faxing, and online meetings.
HIPAA privacy rules require any company or nonprofit that handles medical data (defined under HIPAA as "covered entities") to have a signed Business Associate Agreement (BAA) with every vendor it uses that may come into contact with protected health information.
DocuSign is the industry-leading e-signature and transaction management software. It enables TechSoup members to sign, send, and manage digital documents on the Internet. DocuSign supports HIPAA in all plans, but a Business Associate Agreement requires an Enterprise account, available with TechSoup's DocuSign Advanced Solutions offer. Here is the DocuSign HIPAA compliance document (PDF) for your lawyer and IT support person.
Dropbox offers secure online file sharing services to TechSoup members so you can collaborate on content with team members. Here is the Dropbox Getting Started with HIPAA document (PDF) for your lawyer and IT support person.
Google Workspace for Nonprofits (formerly called G Suite) is Google's cloud-based office and productivity suite. It features secure business apps like Gmail, Docs, Calendar, Drive, and Google Meet. See Google's G Suite and Cloud Identity HIPAA Implementation Guide (PDF) for your lawyer and IT support person.
iFax is a new TechSoup partner. This is an online faxing platform that enables TechSoup members to send and receive faxes securely from any device while maintaining HIPAA compliance. Many health companies and pharmacies use faxing technology for better patient security. Here are the iFax Tips for HIPAA Compliant Faxing for your lawyer and IT support person.
Microsoft Office 365 and Microsoft 365
Microsoft Office 365 and Microsoft 365 productivity suites have industry standard apps like Microsoft Word, Excel, PowerPoint, Teams, SharePoint, and many others necessary for running an organization.
TechSoup recommends that you acquire E3 licenses for either Office 365 or Microsoft 365. This comprehensive license allows you to configure HIPAA-compliant data-loss and item-level-encryption controls. See much more about our recommendation here.
See the Microsoft whitepaper on HIPAA compliance (PDF) for their Office suites, including video conferencing and collaboration using Microsoft Teams, for your lawyer and IT support person.
Okta is state-of-the-art cloud-based identity and access management software. It links all your apps, logins, and devices into a unified digital fabric. Okta's HIPAA-compliant cell is specifically designed to meet HIPAA requirements. It provides end-to-end encryption of data to dedicated hardware. Okta enables organizations to manage employee, vendor, and patient identities with a single, secure solution. Download the Okta Security Technical Whitepaper for your lawyer and IT support person.
Veritas is backup and restore software to protect your networked computers against potential data loss either from user error or from malware. This is a critical function for HIPAA compliance, especially in regard to your required plan for security breaches. See the Veritas Solutions for Healthcare (PDF) to inform your lawyer and IT support person.
Zoom offers video and audio conferencing tools to nonprofits to communicate with colleagues, volunteers, and constituents. With the rapid increase in telehealth exchange of medical information online, Zoom is also an essential tool for HIPAA compliance.
The HIPAA-compliant version of Zoom Meetings comes at no additional cost and is available for U.S.-based organizations when setting up a new Zoom Meetings Pro plan with a maximum of nine licenses. If you have an existing Zoom Meetings Pro plan and need HIPAA compliance, or if you need more than nine licenses, contact Zoom's sales team directly to enable HIPAA compliance.
Bringing Your Nonprofit into Better HIPAA Compliance
If your organization handles protected health information, we hope this information gives you a good idea of how to bring your nonprofit into better HIPAA compliance. As always, we hope that our ever-increasing number of HIPAA-compliant donated and discounted products will be a help as well.
- A recording from TechSoup Courses: Ask the Expert — HIPAA Compliance on Cloud Products
- More to check out from TechSoup Courses:
  - 6 Device Security Tips to Keep Your Data Safe
  - Cybersecurity in the Time of COVID