Hello and welcome to Just Answer. No attorney-client relationship or privilege is formed by speaking to an expert on this site; the answers are for general information. By continuing, you confirm that you understand and agree to these terms.
If you are concerned about potential HIPAA violations, the first step is to confirm whether the non-profit is a covered entity under the law. The agency in the federal government that enforces HIPAA, the Office for Civil Rights ("OCR"), covers three major types of covered entities: health care clearinghouses, health plans (including health insurance companies and employer-sponsored health plans), and health care providers that electronically transmit health information in connection with certain transactions, including billing.
Medical records maintained by schools, after-school programs, or other educational programs are subject to another federal law, the Family Educational Rights and Privacy Act (FERPA).
If covered by HIPAA, the entity must comply with all aspects of the HIPAA rules. It is good practice to have all employees sign a non-disclosure agreement, but it is not required; it is only required that all records be safeguarded. Keep in mind that HIPAA's primary goal is a patient's and parent's right to receive and access his or her medical records.
I hope this helps.