Nonprofit Cybersecurity Compliance: HIPAA, PCI and Donor Data Frameworks

Cybersecurity Solutions for Small Nonprofits
The short answer: Nonprofits need cybersecurity measures across three areas: applicable regulatory frameworks (HIPAA for organizations handling health data, PCI DSS for those accepting card payments, and state privacy laws for donor records), baseline technical controls (MFA, endpoint protection, encrypted backups, and email filtering), and operational practices (documented policies, staff training, vendor oversight, and incident response planning). Which requirements apply depends on your programs, your data, and where your donors and constituents reside. Scottship Solutions identifies your specific compliance obligations and builds a security program that meets them. Schedule a free consultation →

What You’ll Learn

  1. Why Cybersecurity Obligations Vary by Nonprofit Type
  2. HIPAA — When Does It Apply to Nonprofits?
  3. PCI DSS — Donor Payment Data Compliance
  4. State Privacy Laws That Apply to Nonprofits
  5. The NIST Cybersecurity Framework as an Organizing Structure
  6. Baseline Technical Controls Every Nonprofit Needs
  7. Operational Security Practices
  8. How to Know Where to Start
  9. Frequently Asked Questions
  10. Your Next Steps

Why Cybersecurity Obligations Vary by Nonprofit Type

Not every nonprofit faces the same compliance requirements. A community health center has HIPAA obligations. An arts nonprofit that runs an online donation platform has PCI DSS obligations. A social services organization collecting data from California residents may have CCPA obligations even if it is headquartered in Ohio.

Understanding which frameworks apply is the prerequisite to building a defensible security program — and to avoiding the common mistake of spending limited resources on controls you do not need while leaving required controls unimplemented. Scottship Solutions begins every engagement with a compliance scoping exercise to map your organization’s programs, data types, and geographic footprint to the specific requirements that actually apply.

HIPAA — When Does It Apply to Nonprofits?

HIPAA applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses — and to their business associates. For nonprofits, this typically means community health centers and federally qualified health centers providing direct medical care, behavioral health and substance use nonprofits billing insurance or Medicaid, social service organizations that coordinate care or share records with healthcare providers, and employee benefit plan administrators.

If your nonprofit falls into any of these categories, HIPAA requires:

  1. Security Risk Assessment (SRA): A documented analysis of threats and vulnerabilities to electronic protected health information. Required annually and after significant system changes.
  2. Administrative safeguards: Written security policies, workforce training, designated security officer, and contingency planning.
  3. Physical safeguards: Workstation controls, device and media controls, and facility access controls.
  4. Technical safeguards: Access controls, audit controls, transmission security, and automatic logoff.
  5. Business Associate Agreements (BAAs): Any vendor that handles electronic protected health information on your behalf must sign a BAA. Operating without BAAs is a direct HIPAA violation independent of whether a breach has occurred.
  6. Breach Notification: Notify affected individuals within 60 days of discovering a breach, notify HHS, and notify prominent media outlets if the breach affects more than 500 residents in a state.

HIPAA penalties range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category. For nonprofits operating on thin margins, an enforcement action is a potentially organization-ending event.

PCI DSS — Donor Payment Data Compliance

The Payment Card Industry Data Security Standard applies to any organization that accepts, stores, transmits, or processes payment card data — including any nonprofit accepting credit or debit card donations. PCI DSS v4.0, mandatory since March 2024, organizes requirements into twelve domains covering network security, data protection, access control, monitoring, and organizational policy.

Most nonprofits use third-party payment processors that reduce PCI scope significantly. However, reduced scope does not mean no obligations. Even with a hosted payment page, you must complete an annual Self-Assessment Questionnaire, run quarterly vulnerability scans if applicable, and maintain a written PCI compliance program.

The simplest way to minimize PCI scope: use a fully hosted payment page where your servers never touch raw card data. If your donation form uses JavaScript that transmits card data through your server, your scope expands significantly — from SAQ A to SAQ A-EP or SAQ D.

State Privacy Laws That Apply to Nonprofits

State privacy legislation has expanded rapidly. The following laws may apply to nonprofits depending on how they collect and process data from state residents, regardless of where the nonprofit is headquartered:

  • California CCPA/CPRA: Applies to organizations meeting revenue or data-volume thresholds. Nonprofit status does not automatically exempt an organization. Grants California residents the right to know, delete, and opt out of the sale of personal information.
  • Colorado CPA and Connecticut CTDPA: Similar consumer rights frameworks with narrower nonprofit exemptions than Virginia’s CDPA.
  • Illinois BIPA: Applies to organizations collecting biometric data from Illinois residents. Relevant for nonprofits using biometric access controls or attendance systems.
  • State breach notification laws: All 50 states have breach notification laws with varying timelines, notification content requirements, and covered data types. Most require notification within 30–90 days of discovery.

The NIST Cybersecurity Framework as an Organizing Structure

NIST CSF 2.0, released in February 2024, is not a legal requirement but is the most widely used framework for organizing a nonprofit cybersecurity program. It covers six functions:

  • Govern: Security strategy, policies, roles, risk management
  • Identify: Asset inventory, risk assessment, supply chain risk
  • Protect: Access controls, data security, training, resilience
  • Detect: Monitoring, anomaly detection, incident analysis
  • Respond: Incident response planning, communications, containment
  • Recover: Recovery planning, restoration, post-incident improvement

For nonprofits with no existing security structure, start with Govern and Identify, then build Protect controls based on that risk assessment, then layer in Detect and Respond capabilities as budget permits. Scottship Solutions uses the NIST CSF as the organizing structure for nonprofit security assessments.

Baseline Technical Controls Every Nonprofit Needs

  • Multi-factor authentication (MFA): Required on every account with access to sensitive data. Available at no extra cost in Microsoft 365 and Google Workspace nonprofit plans.
  • Endpoint protection: Every device used for work should run endpoint detection and response software. Microsoft Defender, included in Microsoft 365 Business Premium, provides enterprise-grade protection for eligible nonprofits.
  • Patch management: Critical security updates should be applied within 30 days of release. Automate patching wherever possible.
  • Email filtering: Enable advanced phishing and malware protection — Defender for Office 365 in Microsoft 365, or advanced phishing protection in Google Workspace Admin Console.
  • Encrypted backups: Back up all critical data daily to an encrypted, offline or off-site location. Test restores quarterly.

Operational Security Practices

At minimum, a nonprofit should have written policies covering acceptable use, data retention and destruction, vendor management, and incident response. Annual security awareness training is a HIPAA requirement for covered entities and a best practice for all nonprofits. Training should cover phishing recognition, password hygiene, safe remote work practices, and reporting procedures. Review user access quarterly and remove accounts for departed staff immediately.

How to Know Where to Start

The most common mistake nonprofits make is trying to implement every control at once — and then implementing none of them because the scope feels overwhelming. A practical starting sequence:

  1. Determine which compliance frameworks apply (HIPAA, PCI DSS, state privacy laws)
  2. Complete required assessments for each applicable framework (SRA for HIPAA, SAQ for PCI)
  3. Enable MFA across all staff accounts
  4. Conduct a data inventory to know what you hold and where it lives
  5. Implement patching and backup verification
  6. Develop or update an incident response plan
  7. Layer in additional controls based on risk assessment findings

Scottship Solutions facilitates this process, starting with a compliance scoping session that maps your organization to the frameworks that actually apply.

Frequently Asked Questions

Does HIPAA apply to nonprofits?

HIPAA applies to nonprofits that qualify as covered entities or business associates — including community health centers, behavioral health organizations, social service nonprofits that coordinate health-related care, and any nonprofit that handles electronic protected health information on behalf of a covered entity. Nonprofit status does not exempt an organization from HIPAA. If your programs involve health data, contact information with clinical context, or Medicaid billing, a HIPAA compliance review is warranted. Scottship Solutions conducts HIPAA Security Risk Assessments for nonprofit organizations.

What PCI DSS requirements apply to a nonprofit that only accepts online donations?

A nonprofit accepting online donations through a fully hosted third-party payment page typically qualifies for SAQ A — the simplest PCI DSS compliance path, covering approximately 22 requirements. If your donation form uses embedded JavaScript that transmits card data through your servers, your scope expands to SAQ A-EP or SAQ D with significantly more requirements. Using a processor with a fully hosted payment page is the most practical way to minimize PCI compliance burden for small nonprofits.

What cybersecurity policies does a nonprofit need to have in writing?

At minimum, a nonprofit should have a written acceptable use policy, a data retention and destruction policy, a vendor management policy, and an incident response plan. Nonprofits subject to HIPAA are legally required to have written security policies covering all HIPAA Administrative, Physical, and Technical Safeguards. Undocumented policies are effectively no policies in the context of a regulatory investigation or insurance claim — regulators and insurers expect documented evidence of your security program.

What is the NIST Cybersecurity Framework and does a nonprofit need to follow it?

The NIST Cybersecurity Framework is a voluntary set of guidelines for managing cybersecurity risk. Nonprofits are not legally required to follow it, but it is the most widely used organizing structure for building a security program from scratch. NIST CSF 2.0, released in 2024, adds a Govern function covering security leadership and risk management strategy — areas where many nonprofits have the most significant gaps. Scottship Solutions uses the NIST CSF as the baseline framework for nonprofit security assessments.

How does a nonprofit know if it is compliant with state privacy laws?

Start by identifying where your donors, clients, and constituents reside — not where your organization is headquartered. If you have California donors, CCPA considerations apply. If you have Colorado constituents, the Colorado Privacy Act applies. Each state law has different exemptions, thresholds, and requirements. Most nonprofits benefit from a privacy law mapping exercise that documents which laws apply and what internal processes are required. Scottship Solutions includes state privacy law scoping in its compliance assessments. Schedule a free consultation.

Your Next Steps

  1. Identify your applicable frameworks. Ask three questions: Do your programs touch health data? Do you accept credit card payments? In which states do your donors and constituents reside?
  2. Complete the required baseline assessments. HIPAA SRA, PCI SAQ, or privacy law gap analysis depending on your obligations.
  3. Enable MFA on all staff accounts. The single highest-leverage control available at no added cost.
  4. Document your policies. An acceptable use policy, incident response plan, and data retention policy are required regardless of which frameworks apply.
  5. Schedule a free consultation with Scottship Solutions — we map your nonprofit’s programs and data to the specific requirements that apply, then build a prioritized remediation roadmap.

Written by

Josh Bass

Cybersecurity Consultant at Scottship Solutions

Josh leads security assessments and compliance audits for mission-driven organizations. He helps nonprofits build defensible security postures, meet HIPAA and state privacy requirements, and respond to threats before they become incidents.

Certifications

CompTIA Security+ Certified

Industries Served

Healthcare & Community Health (HIPAA), Human Services, Child Advocacy, Foundations & Grantmakers
