Giving Compass' Take:

• Nonprofit Quarterly reports on a nonprofit in Buffalo, NY, which recently paid $200,000 in penalties for violating the Health Insurance Portability and Accountability Act (HIPAA) after information from its patients was inadvertently exposed online.

• As this post emphasizes, nonprofits that collect personal health data electronically have to guard against hacks and security breaches. Is your organization adequately prepared?

• Many healthcare orgs lack cyber insurance: Here's why that's a mistake.


Breaches of patient privacy in the U.S. healthcare field cost $6.2 billion each year. When we hear of massive HIPAA breaches, we most often associate them with large hospitals and their systems. However, any nonprofit organization that collects electronic protected health information (ePHI), including social service organizations, needs to pay very close attention to its risk assessments for data breaches: whether it performs them at all, and how thoroughly.

The Arc of Erie County in Buffalo, N.Y., found this out the hard way. The nonprofit, which serves people with developmental disabilities, will pay $200,000 in penalties for violating HIPAA. (The Health Insurance Portability and Accountability Act was enacted in 1996 to ensure that US organizations protect the privacy and security of health information.) In early February 2018, the Arc of Erie County learned that clients’ ePHI, including full names, Social Security numbers, gender, race, primary diagnosis codes, IQ scores, insurance information, addresses, phone numbers, dates of birth, and ages, was exposed on its website.

Even though the agency reports that the site was intended only for internal use, HIPAA has strict guidelines on how healthcare organizations must handle ePHI, and it mandates a thorough risk analysis of their systems. Had the Arc of Erie County conducted such an analysis, it would have been aware of its exposure: a patient record system that was openly accessible from the internet. Unauthorized third parties had been able to access the information since 2015, affecting 3,751 of The Arc’s clients. Officials said there is no evidence of malware on the system or of ongoing communications with outside IP addresses.

Read the full article about patient health information privacy by Meredith Betz at nonprofitquarterly.org.