Yes, nonprofit organizations in the medical space such as community health clinics, charitable hospitals, free care providers, and health advocacy groups need to be HIPAA compliant. Nonprofit status does not give exemption from HIPAA.
What HIPAA covers
HIPAA was enacted to protect the privacy and security of individuals' health information. The law applies to what are called "covered entities" and their "business associates." Under 45 C.F.R. § 160.103, a covered entity is defined as, "(1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter."
This definition makes no reference to profit motive or tax-exempt status. Therefore, a nonprofit community clinic that bills Medicaid electronically qualifies as a covered entity and must comply with HIPAA.
What counts as health information under HIPAA?
HIPAA's protections are based on what the regulation defines as "individually identifiable health information." Under 45 C.F.R. § 160.103, "Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual."
When this individually identifiable health information is held or transmitted by a covered entity or its business associates, it becomes protected health information (PHI), the category subject to HIPAA's privacy and security requirements.
PHI includes not just clinical records and diagnoses, but also appointment dates, billing records, insurance information, demographic data such as names and addresses, and any other information that could reasonably be used to identify a patient and connect them to their healthcare. For nonprofits, this means that intake forms filled out by walk-in patients, donor records that include health history, and even sign-in sheets at a community health event can all be PHI if they are held by a covered entity.
The rules that apply
1. The Privacy Rule
The Privacy Rule governs how covered entities may use and disclose PHI. The principle is that without a specific permission or exception recognized by the rule, a covered entity may not use or disclose PHI without a valid written authorization from the patient.
The rule establishes several contexts in which PHI may be used or disclosed without authorization such as for treatment, payment, and health care operations but these exceptions are defined and limited.
For instance, a charitable hospital cannot share a patient's information with a donor funding its programs, a community health clinic cannot discuss a patient's condition with a referring church or faith-based partner and a free care provider cannot include patient stories in fundraising materials without a compliant, written authorization.
Learn more: What is the HIPAA Privacy Rule?
2. The Security Rule
The Security Rule requires covered entities to implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Under 45 C.F.R. § 164.306(a), covered entities must, "(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information."
This means nonprofits operating on limited budgets, shared computers, volunteer staff, and free or low-cost software still need to meet the legal obligations set by the Security Rule.
Learn more: What is the HIPAA Security Rule?
3. The Breach Notification Rule
Under 45 C.F.R. §§ 164.400–414, covered entities are required to notify affected individuals, the Secretary of Health and Human Services, and, in cases involving more than 500 residents of a state, prominent media outlets following the discovery of a breach. Notification to individuals must occur without unreasonable delay and no later than 60 calendar days after discovery of the breach.
Nonprofit organizations that suffer a data breach, through a stolen laptop, a phishing email, or a misdirected fax, have the same notification burden as any health care provider.
Learn more: Navigating HIPAA’s Breach Notification Rule
Business associates
Under 45 C.F.R. § 164.502(e) and § 164.504(e), a covered entity may not disclose PHI to a business associate unless it obtains assurance, in the form of a business associate agreement (BAA), that the associate will appropriately safeguard the information.
A "business associate" under 45 C.F.R. § 160.103 includes any person or organization that, "creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter."
This includes cloud storage providers, IT support contractors, billing services, fundraising platforms, and even certain volunteers who handle patient data. Nonprofits that share PHI with any of these parties without a signed BAA are violating HIPAA.
Penalties apply equally regardless of nonprofit status
The Office for Civil Rights (OCR) at the Department of Health and Human Services enforces HIPAA. The civil monetary penalty amounts were updated in January 2026 to reflect annual inflation adjustments required under federal law, which OCR applies to keep penalty ranges aligned with current dollar values. Civil monetary penalties are tiered under 45 C.F.R. § 160.404 based on the level of culpability:
- Did Not Know: $141 to $71,162 per violation, with an annual cap of $2,134,831 for identical violations.
- Reasonable Cause: $1,424 to $71,162 per violation, with the same annual cap.
- Willful Neglect, Corrected: $14,232 to $71,162 per violation, with the same annual cap.
- Willful Neglect, Not Corrected: $71,162 per violation, with the same annual cap.
Real-world example: Montefiore Medical Center
In 2024, Montefiore Medical Center, a nonprofit health system based in New York, settled a HIPAA investigation with the OCR for $4.75 million following a breach that had gone undetected for two years.
The breach began in 2013 when a Montefiore employee stole the ePHI of 12,517 patients and sold it to an identity theft ring. The breach was only discovered in 2015, when the New York Police Department alerted the hospital. The OCR's investigation found multiple Security Rule violations, including failures in risk analysis, inadequate monitoring of information system activity, and insufficient policies and procedures.
Former OCR Director Melanie Fontes Rainer stated, "Cyber-attacks do not discriminate based on organization size or stature, and it's incumbent that our health care system follow the law to protect patient records."
As part of the settlement, Montefiore was required to complete a risk assessment, provide targeted workforce training, and submit to two years of OCR monitoring. The financial penalty was $4.75 million.
What nonprofits should do
The compliance requirements for nonprofit medical organizations are the same as that of any covered entity:
- Conduct a risk analysis: Required under 45 C.F.R. § 164.308(a)(1), this is a documented assessment of potential risks and vulnerabilities to ePHI.
- Appoint a privacy officer and a security officer: Mandated by 45 C.F.R. § 164.530(a)(1) and § 164.308(a)(2) respectively.
- Train staff: Under 45 C.F.R. § 164.530(b), covered entities must train all members of their workforce on HIPAA policies and procedures as necessary and appropriate for them to carry out their functions.
- Execute business associate agreements: Review all vendor and contractor relationships and ensure BAAs are in place for any party that accesses PHI.
- Develop and enforce written policies: Required under 45 C.F.R. § 164.530(h)(i), these must be implemented, maintained, and updated as needed.
FAQs
Does HIPAA apply to nonprofit organizations that only provide free care and never bill insurers?
If a nonprofit transmits any health information electronically in connection with a covered transaction it qualifies as a covered entity regardless of whether it charges patients directly.
Can a nonprofit avoid HIPAA obligations by handling all patient records on paper?
While the Security Rule applies to electronic PHI, the Privacy Rule covers PHI in all forms, that is oral, written, and electronic.
Are volunteers at a nonprofit health organization subject to HIPAA?
Yes, HIPAA's workforce definition includes volunteers.
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
