The words “HIPAA compliance” can stop nonprofit tech conversations in their tracks.
Suddenly, people get nervous. Legal gets looped in. Sales cycles slow down. And perfectly good technology decisions stall because no one is quite sure what’s allowed, what’s risky, or what’s just misinformation passed down from a decade-old RFP.
HIPAA matters. A lot.
But it’s also widely misunderstood.
Especially when it comes to nonprofit CRMs.
So let’s demystify HIPAA and figure out exactly how compliance plays into the technology your nonprofit chooses.
What HIPAA Actually Is (and Isn’t)
HIPAA, short for the Health Insurance Portability and Accountability Act, is a U.S. federal law enacted in 1996. Its job is to protect sensitive health information and regulate how that information is collected, stored, accessed, and shared.
HIPAA applies to two groups:
- Covered entities, such as healthcare providers, health plans, and healthcare clearinghouses
- Business associates, meaning vendors that handle protected health information (PHI) on behalf of covered entities
Here’s the key thing most people miss.
HIPAA is not about buying the “right” software.
It’s about how your organization handles data.
Policies, access controls, training, and enforcement are HIPAA’s main concerns.
When HIPAA Applies to Nonprofits
Not every nonprofit is subject to HIPAA; in fact, many aren’t.
HIPAA typically applies to nonprofits that provide health-related services or manage clinical or care-based information. This includes organizations like:
- Behavioral and mental health providers
- Substance abuse and recovery programs
- Free or low-cost medical clinics
- Hospice and palliative care organizations
- Disability services organizations
- Domestic violence shelters and crisis centers
- Veteran service organizations offering health-related services
- Community health outreach programs
There’s also an important nuance here. Some nonprofits choose to follow HIPAA standards even when they’re not legally required to. That’s often driven by funder requirements, partnerships, or a commitment to protecting especially vulnerable populations.
So yes, HIPAA compliance can be mandatory. But sometimes, it’s voluntary and strategic.
When HIPAA Does Not Apply
HIPAA does not apply simply because your organization works with people.
It also does not apply simply because you store names, emails, phone numbers, or donation history.
If your nonprofit is managing donor records, volunteer engagement, event participation, or general program participation, you are typically dealing with personally identifiable information, not protected health information.
That distinction is everything.
PII vs. PHI
Most HIPAA confusion comes down to one simple thing: mixing up PII and PHI. Let’s look at what those acronyms mean and how they apply to nonprofits.
PII (Personally Identifiable Information) includes information that identifies a person but is not health-related. Think names, email addresses, phone numbers, mailing addresses, dates of birth, and internal constituent IDs. This is the kind of data nonprofit CRMs are built to manage.
PHI (Protected Health Information) is PII plus a health-related context. That includes medical diagnoses, treatment details, therapy notes, health-related case notes, appointment information related to care, and insurance data.
Put another way, PHI is PII plus health data.
CharityEngine, like most nonprofit CRMs, is designed to manage PII. It is not a clinical system, an electronic health record, or a medical case management platform.
And that’s intentional.
Why HIPAA Compliance Matters So Much
For organizations that handle PHI, HIPAA compliance isn’t a “nice to have.” It’s your duty and obligation.
It protects deeply personal information. It preserves trust. And it’s often required for funding, grants, and institutional partnerships.
The risks of non-compliance are real. Civil and criminal penalties. Lost funding. Reputational damage. Mandatory audits and corrective action plans.
So yes, HIPAA matters.
But that doesn’t mean every system your nonprofit uses has to be a medical-grade platform.
Time to Debunk the Myth
There is no such thing as HIPAA-certified software.
HIPAA does not certify software.
There is no official HIPAA badge.
No approval stamp.
No compliance certificate you can buy.
HIPAA compliance depends on organizational safeguards, including:
- Administrative safeguards like policies, training, and enforcement
- Technical safeguards such as access controls, audit trails, and security measures
- Physical safeguards, including device and facility protections
Software supports these safeguards, but software alone does not make an organization compliant.
HIPAA compliance is about discipline and boundaries, not vendor claims. It’s about how your nonprofit handles PHI, not about whether your software is compliant.
Why Nonprofit CRMs Are Usually Out of Scope
Nonprofit CRMs are built to manage relationships.
Fundraising. Communications. Engagement. Reporting.
They are not designed to store clinical records or replace electronic health record systems. CharityEngine does not market itself as a medical or clinical platform, and it shouldn’t.
That’s exactly why CRMs are usually out of HIPAA scope.
If PHI is not stored in your CRM, HIPAA does not magically apply to it.
The real issue isn’t the tool. It’s what you put into it.
Can Donor and Client Data Live in the Same System?
This is where language trips people up.
In nonprofit conversations, “client data” often means program participant data, not medical records. That can include names, contact information, demographics, program enrollment, or non-clinical case tracking.
That kind of data is PII. And yes, it can absolutely live alongside donor data in a CRM.
The problem only starts when “client data” includes health-related details. At that point, it becomes PHI, and it belongs in a secure clinical or case management system, not a general-purpose CRM.
The line is not donor vs. client. The line is PII vs. PHI.
How Nonprofits Maintain HIPAA Compliance While Using CharityEngine
Plenty of HIPAA-conscious organizations use CharityEngine successfully every day. The key is clarity and governance.
CharityEngine should be used to manage:
- Donor and constituent records
- Fundraising activity
- Communications and engagement tracking
- Relationship management
PHI should live in:
- Electronic health record systems
- Secure clinical platforms
- Role-restricted internal tools designed specifically for health data
CharityEngine supports this separation through role-based user permissions, field-level access controls, and the ability to lock down sensitive information. Combined with clear internal policies, these features help organizations maintain compliance without forcing a CRM to be something it isn’t.
What HIPAA Success Looks Like
HIPAA-compliant organizations tend to get a few things right consistently.
- They understand the difference between PII and PHI.
- They store different types of data in appropriate systems.
- They enforce role-based access.
- They document policies and follow them.
And they do not expect their CRM to replace clinical tools.
When audits or funding reviews happen, they’re confident because their data practices are intentional and defensible.
It’s About Education, Not Technology
When HIPAA concerns derail CRM conversations, it’s rarely because the software is unsafe.
More often, it’s because expectations were never set clearly. Teams assume one system should do everything, or vendors don’t explain boundaries, and confusion fills the gap.
But this isn’t a limitation; it’s a messaging opportunity.
Clear positioning up front prevents friction later and helps nonprofits build smarter, more resilient tech stacks.
So Who Owns HIPAA?
HIPAA compliance is an organizational responsibility, not a software feature.
Nonprofits can absolutely maintain HIPAA compliance while using CharityEngine. The key is strong data governance, proper configuration, and a clear understanding of what belongs where.
CharityEngine provides a secure framework for managing donor and constituent data. You stay in control of what information is stored, who can access it, and how compliance is maintained.