For nonprofits working to make a difference in the lives of the individuals and families they work with, secure access to personal information is necessary for performing case work and delivering needed services. Laws such as HIPAA, which requires certain guidelines around the safekeeping of electronic protected health information (ePHI), are important for ensuring that the privacy of these individuals is adequately protected. At the same time, nonprofits are often in a position where they must grapple with much more regulatory complexity than the average organization.
For example, Madonna Place is a nonprofit family services organization based in Norwich, Connecticut. Madonna Place’s stated mission is to “provide services designed to strengthen families, promote health, and prevent child abuse and neglect.” To do this work, the organization’s employees are frequently out in the field using laptops and mobile devices, performing home visits with families and holding meetings with other agencies. The devices they carry contain ePHI and case notes on the families they work with—meaning that those devices must be as a secure as if Madonna Place were a hospital.
While safeguarding sensitive data and privacy is certainly an essential requirement for any organization in the healthcare field, regulatory compliance can be particularly complicated for even the most diligent nonprofits. While HIPAA compliance is the top concern, Madonna Place (like other nonprofits) uses its mobile devices in the service of various local, state, federal programs—each governed by separate regulatory and compliance requirements. This means that the different contents of even a single employee’s laptop may be subject to required data protection rules set by several disparate jurisdictions.
Sign up for our free newsletters
Subscribe to NPQ's newsletters to have our top stories delivered directly to your inbox.
By signing up, you agree to our privacy policy and terms of use, and to receive messages from NPQ and our partners.
The stakes for operating within parameters of these regulations is high, since the funding for the nonprofit’s work is dependent on continual compliance. Nonprofits that fail to meet certain data security standards have indeed lost funding, needed equipment and staff, and even had programs canceled. There are cautionary tales like that of the nonprofit Hospice of North Idaho, a well-respected organization that nevertheless had one unencrypted laptop containing ePHI stolen and, in the end, arrived at a $50,000 HIPAA breach settlement following an enforcement action by regulators. Examples like this show that nonprofits absolutely cannot count on sympathy of their good intentions as a protection from fines sizable enough to curtail their operations. Unfortunately, the people that these nonprofits help bear a severe impact from these enforcement actions as well. Strict compliance with HIPAA and other regulatory requirements is critical to letting their good work continue.
When looking at technologies to help meet the task of complying with the range of data security requirements nonprofits face, it’s important to have tools that offer versatility. (At I-M Technology, we currently use Beachhead Solutions’ SimplySecure for this task.) Data encryption is critical and should be in place universally, while other technology capabilities may be valuable situationally. If a mobile device containing ePHI is lost or stolen, it’s important that sensitive information on that device can be remotely deleted, removing the possibility of a data breach. In situations where employees quit or their credentials have likely been compromised, it’s valuable to be able to remotely revoke that user’s access to ePHI. A network admin or managed service provider will also find that having visibility into the state of each mobile device—and, just as importantly, who has been logging into it—is beneficial. Additionally, the ability to set policies around locking a device in response to a number of failed logins or a device going out of contact helps to keep data secure.
Finally, and arguably most importantly, day-to-day employee use requires that data security measures be as invisible as possible to the user, who ought to be able to put their efforts into tackling the needs of their clients, not cumbersome software. With the right solutions and policies in place, nonprofits can safely protect ePHI in their possession, stay on the good side of regulators at all levels, and still have the bandwidth to focus wholly on their important work.
