
Little Green Light is a cloud-based donor management system for fundraisers.

Medical data: Why to keep it out of LGL

Posted June 25, 2025 by Guest Author


This post contains an explanation of what medical data is and how it relates to HIPAA compliance as well as guidance on how to think about using versus not using medical data for your organization’s purposes.

What is medical data?

Medical, or health, data or information is any data “related to health conditions, reproductive outcomes, causes of death, and quality of life” for an individual or population. Health data includes clinical metrics along with environmental, socioeconomic, and behavioral information pertinent to health and wellness.

–Wikipedia (2025), https://en.wikipedia.org/wiki/Health_data#cite_note-1

Storing medical data as a nonprofit organization

If your nonprofit has access to medical information for any persons that engage with your organization, it is incredibly important to thoroughly review what that data is, whether it should be retained, and what your retention and disposal requirements are, and to ensure you’re using the most secure option to safeguard medical confidentiality and privacy.

Best practices

When it comes to medical information, the best practice is this: if you have no need for that information for operations or services, do not collect it! Medical confidentiality and privacy laws are incredibly complex. Medical confidentiality clauses exist not only in laws specific to medical care, but also in a variety of other laws and regulations, and you must ensure you are in compliance at the federal, state, and local levels in terms of how medical data is stored and accessed. If you collect or have in the past collected medical data, your organization needs to do a thorough review of all potential laws and regulations that apply and should ideally create a legal register of all the legal and regulatory requirements your organization needs to comply with.

While many organizations will likely not be considered a covered entity under HIPAA, using HIPAA as a best practice guide can help ensure you are not risking any constituent’s private medical data.

The core of the HIPAA guidance is the “minimum use” rule, establishing that “protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.” In other words, you should never store data just to have it. It should always serve a purpose or have a necessary function.

You collected medical data in the past, but will discontinue that practice

If you have reviewed your needs for medical data and decided that you shouldn’t be storing it, but you have done so in the past, it is important to audit your database and remove that information, keeping in mind that you must also protect that information as you dispose of it. You may also want to audit any storage drives that could contain reports or other copies of that data.

You have a purpose or function that requires storage of medical data

If you have reviewed the minimum use rule and determined that medical data is required for your organization, your next step is to ensure you are properly storing Protected Health Information (PHI).

Protected Health Information

According to the U.S. Department of Health and Human Services, “Protected Health Information (PHI) is information, including demographic information, which relates to:

· the individual’s past, present, or future physical or mental health or condition,

· the provision of health care to the individual, or

· the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.

For example, a medical record, laboratory report, or hospital bill would be PHI because each document would contain a patient’s name and/or other identifying information associated with the health data content.”

–U.S. Department of Health and Human Services (2025), Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, https://www.hhs.gov/hipaa/for-professionals/special-topics/de-identification/index.html#protected

Reasons not to store medical data in LGL

Medical records require encrypted storage, controlled access, and regular audits of the system. While LGL has excellent security for a donor management system, it is not built to manage medical records.

When medical data is present, only those who directly work with that information should access it. Electronic medical records databases are built with these protections in mind and have complex user roles that allow you to limit access to PHI. In LGL, any team member/user in your account (at minimum, any team member assigned the Administrator permission role) would have the potential to access PHI, which may constitute a violation of medical confidentiality. In addition to your team members/users, you are also exposing medical data to the LGL team, as they can also see any medical data you store in LGL.

The lack of user controls can also increase your risk of a data breach (e.g., a laptop is stolen). You would need to notify anyone whose data was potentially impermissibly used or disclosed (breached), including donors. By ensuring that you are properly storing your data separately from your donor database, using encrypted applications for medical information, and using proper controls, you can greatly reduce your risk of a medical breach. In addition, staff who work with medical data of any kind need to be trained on the appropriate storage, retention, and disposal protocols and must ensure they never document medical information in LGL.

Additional notes/scenarios

A person can volunteer medical information. This does not mean your organization should document that information. Once that data is stored, you are creating a huge vulnerability if it is stored in a database like LGL that can be accessed by multiple people at multiple levels who have nothing to do with that medical information (whether it be services provided or just documented information).

Sample scenarios

You are a medical equipment nonprofit receiving medical devices as donations and operating a loan program for that equipment.

Someone donates a knee scooter to your program. They mention that they are finally recovered from their knee surgery and no longer need the scooter.

In LGL:

· Enter the constituent and add the In Kind donation of a knee scooter.

· Do not document the comment about the knee surgery; while the donor offered this freely in conversation, it is medical data and therefore should not be documented in your donor database. It is not relevant to the donation, and if you track it you would then be required to protect that PHI.

In addition, a note on a monetary donation such as “Sue was so grateful for the loan of the knee scooter after her knee replacement that she wanted to support our org” is inappropriate to document because it has created PHI in your donor management system. Instead, use more general phrasing like “Sue was very grateful for our program when she needed it and wanted to make a donation to support our org.”

As a side note, your loan program should also be managed in its own database to avoid any potential medical information being entered in LGL. The loan side of things should additionally avoid documenting medical conditions/information unless explicitly needed and protected.

In another scenario, if your organization provides information on a variety of health issues and you want to track which topics people are interested in, that is fine; just don’t phrase it in a way that indicates the person has any particular medical condition. As an example, on your form you’re using to collect the data, you can ask if they are interested in topics x, y, or z, but not if they have ever experienced conditions x, y, or z.

Consent and disclosures

In addition to all of the concerns listed above, storing medical data means you also need to be cognizant of any consent and disclosure requirements for anyone you are storing medical data about. Requirements may vary, but your organization needs to know when you need to notify people that their data will be stored, how it will be stored, how it will be used, and even for what reasons it would be disclosed or whether additional consent would be requested to disclose that information.



About this post’s guest author

Kristin Whipple’s over 25 years of experience in database management (including data migrations, implementation, process development, process improvement, audits, and training) began in Occupational Health and Safety. This includes over a decade managing electronic medical records systems and two years consulting for hospitals and corporate occupational health departments on electronic medical record implementation, management, and legal and regulatory compliance. Shortly after Kristin left the industry, a friend asked for help setting up a donor management system for a nonprofit organization. That nonprofit became her first LGL client, and Kristin has been happily working with nonprofits ever since. She is a proud member of the LGL Consultant Network and truly enjoys working with many different organizations.
