HIPAA Compliance for Nonprofit Health Organizations and Free Clinics

Nonprofit health organizations and free clinics face the same HIPAA obligations as any for-profit provider, but with a different set of pressures: tight budgets, a workforce that often includes volunteers and rotating students, grant-reporting requirements, and donor relationships that have to be kept separate from patient care. Mission-driven does not mean exempt — what changes is how you have to manage compliance, not whether it applies.

Are you actually a covered entity?

The threshold question for a nonprofit or free clinic is whether HIPAA applies at all. You are a covered entity if you provide health care and transmit health information electronically in connection with a covered transaction — most commonly billing a health plan or Medicaid electronically. A clinic that only provides charity care and never bills insurance electronically may fall outside HIPAA’s definition of a covered entity. But the moment you submit even one electronic claim, run an electronic eligibility check, or use a billing service that does so on your behalf, you are almost certainly covered, and the full Privacy and Security Rules apply. Many clinics assume they are exempt and are surprised to learn that a single electronic transaction pulled them into scope.

Donor data is not PHI — but keep the wall clean

A defining feature of nonprofit health organizations is that they hold both donor/fundraising records and patient records. Fundraising information by itself is not protected health information. The compliance risk appears when the two mix — for example, using patient treatment information to target a donation appeal. HIPAA permits limited fundraising communications, but it places conditions on using PHI to do so and requires an opt-out. The safest posture is to keep development databases and clinical systems separated, with clear rules about what patient information, if any, may cross over.

Volunteers and students are part of your workforce

Under HIPAA, your “workforce” includes volunteers, trainees, and students working under your direction — not just paid employees. That means volunteer physicians, intake volunteers, and nursing students all need HIPAA training, appropriate access limited to what their role requires, and offboarding when they leave. High turnover makes this harder, so free clinics need a repeatable training-and-access process rather than ad hoc onboarding. Document who was trained and when.

Start with a Security Risk Analysis

Limited budgets are exactly why the Security Risk Analysis matters: it tells you where to spend scarce dollars first. The HIPAA Security Rule requires “an accurate and thorough assessment of the potential risks and vulnerabilities” to electronic PHI, at 45 CFR § 164.308(a)(1)(ii)(A). For a nonprofit clinic, the SRA should map your EHR, any donated or low-cost software, shared workstations, volunteer access, and billing pathways, then rank risks so you can address the most serious gaps with the resources you have. OCR has never accepted “we couldn’t afford it” as a substitute for doing the analysis.

The proposed 2026 Security Rule update

In December 2024, the Office for Civil Rights published a Notice of Proposed Rulemaking (NPRM) that would strengthen the Security Rule by making safeguards like multi-factor authentication, encryption of ePHI, and a maintained asset inventory effectively mandatory rather than “addressable.” The rule is not final. If adopted as proposed, organizations would have roughly a 240-day compliance window after the final rule is published. Nonprofits should plan ahead — many of these controls are available at low or no cost — but should not treat any provision as currently required.

How Medcurity helps

Medcurity gives resource-constrained organizations a guided, audit-ready Security Risk Analysis along with the policies, training documentation, and tracking OCR looks for — without needing a full-time compliance officer. Pricing starts at $499/year (about $42/month) for a single organization, which fits most free-clinic budgets; larger nonprofit health systems and networks can request a quote. Helpful next steps are our HIPAA training requirements for 2026 and our HIPAA compliance checklist.

Frequently asked questions

Does HIPAA apply to a free clinic that doesn’t bill insurance?

It depends on electronic transactions. If the clinic never transmits health information electronically for a covered transaction such as a claim or eligibility check, it may not be a covered entity. But if it bills electronically — even through a third party — it is covered and must comply fully.

Do volunteers need HIPAA training?

Yes. Volunteers, students, and trainees who work under your direction are part of your workforce under HIPAA. They need training, access limited to their role, and proper offboarding when their service ends, just like paid staff.

Can we use patient information for fundraising?

Only in limited ways. HIPAA allows certain fundraising communications but restricts using PHI to target them and requires an opt-out. The safest approach is to keep donor and clinical databases separate and avoid using treatment details to drive donation appeals.

How can a clinic comply on a tight budget?

Start with the Security Risk Analysis so you know what to fix first. Many high-impact controls — strong passwords, multi-factor authentication, access limits, training, and documented policies — cost little or nothing. The SRA lets you direct limited funds at the most serious risks first.