
HIPAA for Nonprofits: When It Applies and What You Actually Need

Written by: Kristen Stanton

HIPAA was written for healthcare providers, health plans, and healthcare clearinghouses. Most nonprofits are none of those things, which creates genuine uncertainty about whether and how HIPAA applies to them. The short answer is: it depends on what your organization does and what data it handles.

Covered Entities vs. Business Associates

HIPAA defines two main categories. Covered entities are healthcare providers that transmit health information electronically, health plans, and healthcare clearinghouses. If your nonprofit operates a clinic, provides home health services, runs a mental health practice, or manages a substance use treatment program, it may be a covered entity.

Business associates are organizations that handle protected health information on behalf of covered entities. If your nonprofit provides services to healthcare organizations and those services involve handling their patients’ health information, you may be a business associate even if you’re not a healthcare provider. Care coordination organizations, social services agencies that receive referrals from hospitals, and housing programs connected to healthcare systems often fall into this category.

Where Nonprofits Often Get It Wrong

The most common mistake is assuming that nonprofit status means HIPAA doesn’t apply. Nonprofit status is irrelevant to HIPAA classification. What matters is whether you’re providing healthcare services or handling PHI on behalf of someone who does.

The second common mistake is handling data that qualifies as PHI through non-compliant channels because the organization isn’t sure whether the requirement applies. Uncertainty doesn’t create a compliance safe harbor.

When HIPAA Clearly Applies to Nonprofits

HIPAA clearly applies when your nonprofit:

  • Provides direct healthcare services including mental health counseling, substance use treatment, home health, or clinical care
  • Operates under a contract with a covered entity that involves handling patient records
  • Receives referrals from healthcare providers with attached health information
  • Manages care coordination that requires access to clients’ health records
  • Collects health information including diagnoses, treatment histories, or medication information as part of program intake

What HIPAA Compliance Actually Requires in Practice

For most nonprofits, the practical requirements come down to: use a platform that provides HIPAA-compliant hosting and will sign a Business Associate Agreement, implement role-based access so staff only see the data they need, log access to protected records, and have written policies covering how PHI is handled.

The platform question is the first and most foundational one. If your client database or intake forms are on a platform that won’t sign a BAA, you have a compliance gap regardless of how well your internal policies are written.

What HIPAA Compliance Costs for a Nonprofit

Enterprise HIPAA software pricing was historically designed for large healthcare organizations. Knack Health offers HIPAA-compliant plans with signed BAAs starting at $625 per month, flat-rate, with no per-user fees. Nonprofit pricing is available on annual plans.



Frequently Asked Questions: HIPAA Compliance for Nonprofits

Do we need a HIPAA compliance officer?

HIPAA requires covered entities and business associates to designate a privacy officer and a security officer. For small organizations, these roles are often filled by the same person alongside other responsibilities. The requirement is that someone owns the compliance function, not that you have a dedicated full-time HIPAA staff member.

What is a Business Associate Agreement and do we need one?

A BAA is a contract between a covered entity or business associate and any vendor that handles PHI on its behalf. Without a signed BAA, using that vendor’s platform for PHI is a violation regardless of the platform’s security features. Knack Health signs BAAs for covered entities and business associates on HIPAA plans.


What counts as protected health information?

PHI is individually identifiable health information held or transmitted by a covered entity or business associate. That includes information that identifies or could reasonably identify an individual and relates to their past, present, or future physical or mental health, healthcare provision, or payment for healthcare. Names combined with diagnoses, dates of service, or treatment history are PHI.

We’re a small organization. Is HIPAA enforcement really a risk for us?

HIPAA enforcement actions have been taken against small covered entities and business associates. More practically, a data breach involving client health information creates reputational and operational harm independent of regulatory fines. Compliance protects your clients as much as it protects your organization.