On almost every seminar trip, I get this question: “I’m a non-profit. Do I have to comply with HIPAA?” So now close to a decade after the privacy rule compliance date, people apparently still don’t know the answer to this question. Sometimes, however, I think that they do know the answer but are trying to set me up to cut the prices of my compliance products or consulting because they are poor non-profits.
First of all, what do we mean by non-profit or not-for-profit? One definition means a for-profit that for whatever reason is not making a profit. That is not, however, the type of non-profit that we are talking about here.
The non-profit entity that we are discussing is an organization that uses surplus revenues to achieve its goals rather than distributing them as profit or dividends and qualifies under Internal Revenue Code Section 501(c) so as not to have to pay taxes on those surplus revenues. In other words, the “profits”—that is, the revenues over and above the entity’s expenses— must go to the charitable purpose of the entity, such as providing health care to those who cannot otherwise afford it, and cannot go to “owners” of the entity or “members” of the association.
But that requirement certainly does not mean that the entity cannot make a profit. Many large not-for-profits make millions of dollars in “profits.” They just cannot distribute those profits to their members other than paying them a market rate salary for their services. If the entity does distribute its profits by paying greater salaries or awarding outsized bonuses, that distribution constitutes “private inurement”—that is, the profits are inuring (going) to the benefit of the members—which will result in the entity’s losing its tax-exempt status.
So because a non-profit entity may have millions of dollars in excess revenue (which would be profit if the entity were for-profit), HIPAA does not differentiate between for-profit and not-for-profit or non-profit entities. The author cannot recall HIPAA even mentioning such status. Consequently, being a non-profit entity is no defense to a charge of failure to comply with HIPAA.
That is not to say, however, that what is a reasonable and appropriate security measure for a non-profit that has little or no surplus revenues may be a less expensive security measure than a for-profit or a non-profit who has excess revenues because HIPAA authorizes covered entities to consider the cost of security measures in implementing reasonable and appropriate ones.
If you are a non-profit and you have a breach or a complaint against you, the defense of “But I’m a non-profit” clearly will not work. See my earlier blog posts on June 19, 2012, and August 16, 2011, for who must comply with HIPAA.
Because we understand tight budgets, we can work with you to get you compliant in a cost-effective manner through our HIPAA consulting company, EMR Legal.