Robert Morris University
HIPAA, Nonprofits and the Foundation Community 

Why HIPAA is Still a Nonprofit Issue
There is a perception problem with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Many people assume it is a fait accompli. There are, however, several sets of regulations resulting from this act. Of these, the Security Regulations, finalized in February 2003, will probably have the biggest impact on the operations of health and human service nonprofits.

The Security Regulations address computers. Specifically, they address the technological issues of keeping electronic protected health information (PHI) both safe and accessible. An organization must comply with the Security Regulations by April 2005 if it accesses, stores or maintains PHI electronically. To comply, nonprofits may need to implement systems that address the following: inadvertent disclosure through a misdirected email (e.g. organizations that work with AIDS patients), corruption from viruses or other Internet-based threats (e.g. organizations that store client medication schedules), or computer system failure (e.g. organizations that bill for services).

Impact on Nonprofit Organizations
At this time, the Bayer Center for Nonprofit Management has two primary concerns about HIPAA and nonprofits: 1) nonprofits do not understand HIPAA or the security risks they face, and 2) nonprofits lack funding to implement appropriate security controls.

Statistics from the 2002 CSI/FBI Computer Crime and Security Survey, as well as industry reports from computer security leaders, indicate disturbing trends: the incidence and severity of attacks on nonprofits are growing at a rapid rate, in many cases much faster than in any other industry segment. Common-sense practices such as proper backups, a disaster recovery plan, or strong passwords are often deemed by nonprofits to be "too costly" or simply "unnecessary."

As a result, some of the changes health and human services organizations may need to make to become HIPAA-compliant could be more costly than current budgets allow. In addition, these changes are operational: they may not only fall outside traditional technology funding but also present ongoing budget challenges, because maintaining more complex technology requires more resources. It is extremely unlikely that government funding will be available for HIPAA compliance efforts.

Impact on Foundations: Evaluating HIPAA Grant Requests
We would urge the foundation community to be receptive to HIPAA-related technology grant requests. Good compliance plans will be based on a security risk analysis. Not only is the risk analysis a HIPAA requirement, but when done well it will help an organization make sound business decisions to mitigate security threats. As with any technology implementation, the organization must also account for the ongoing financial impact of maintenance and training when preparing compliance budgets and plans.


The Technology Initiative at the Bayer Center for Nonprofit Management is funded by the Buhl Foundation, the Heinz Endowments, and by our clients and students. For more information about HIPAA and nonprofit security practices, please contact our Technology Services Analyst. For more information about the Technology Initiative, please contact Jeff Forster, Senior Consultant, at 412-397-6005 or forster@rmu.edu.

ROBERT MORRIS UNIVERSITY | 6001 UNIVERSITY BOULEVARD | MOON TOWNSHIP, PA 15108 | 800-762-0097