Is your Nonprofit in compliance?


Nonprofits must comply with a variety of laws and regulations, including federal and state tax law, labor law, data-privacy law, and consumer protection law. Knowing what the law requires of your organization, so that you do not risk sanctions or even closure, is a basic part of managing risk. The considerations below cover some of the compliance obligations your organization may face.

NIST 800-171

The National Institute of Standards and Technology Special Publication 800-171 sets out security requirements for protecting controlled unclassified information (CUI), that is, sensitive but unclassified federal information, when it is stored or processed on non-federal systems such as those of a contractor or grant recipient. If your organization handles CUI under a federal contract or grant, meeting these requirements is typically a contractual obligation. Even if you hold no federal data, the 800-171 controls (access control, audit logging, incident response, configuration management, and so on) are a reasonable baseline for protecting any sensitive data you hold, and following them can help you meet other federal and state data-protection obligations. Your organization may want to use a NIST 800-171 self-assessment or scoring tool to determine your current level of compliance and track the gaps.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) protects individuals' protected health information (PHI) in the U.S. PHI covers past, present, and future health information, including diagnoses, test results, prescription information, and related payment records. HIPAA applies directly to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and, through business associate agreements, to organizations that handle PHI on their behalf. If your nonprofit receives health information from a covered entity, for example to determine eligibility for financial aid, you may be acting as a business associate and be bound by HIPAA's Privacy and Security Rules. The penalties for violating HIPAA can be very steep, so you may want to consult an attorney who specializes in HIPAA regulations to determine whether and how it applies to your organization.

FERPA

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. It applies to schools and educational agencies that receive funds under programs administered by the U.S. Department of Education. Nonprofits that obtain student record information from a FERPA-covered school, for aid, scholarships, research, or other purposes, generally receive it only with written consent or under one of FERPA's limited exceptions, and must use and protect it according to the conditions of that disclosure. Rights under FERPA belong to the parents until the student turns 18 or enrolls in a postsecondary institution, at which point they transfer to the student, who then decides what information may be disclosed.

OSHA

The Occupational Safety and Health Administration (OSHA) regulations help businesses and other organizations, including nonprofits with employees, identify and mitigate workplace hazards to reduce injuries and protect employee safety. They set out an employer's responsibilities to establish safety protocols, correct hazards, keep injury and illness records where required, and post required notices for employees. OSHA offers training and compliance assistance to employers to help them maintain these standards in their workplaces.

IRS tax-exempt status

IRS regulations on tax-exempt status and reporting are familiar to many nonprofits, since recognition of exemption is one of the first steps in starting one. An organization can be recognized under several categories of tax-exempt status (501(c)(3) public charities and private foundations, 501(c)(4) social welfare organizations, and others), and the application and ongoing filing requirements differ by category. Most exempt organizations must file an annual information return (a version of Form 990), and failing to file for three consecutive years results in automatic revocation of exempt status. It may help to schedule yearly appointments with a lawyer and a CPA to confirm that your organization fully complies with federal and state tax requirements.

Fundraising and charitable solicitation

Fundraising is subject to a number of state and federal laws. Most states require nonprofits to register with a state agency (often the attorney general or secretary of state) before soliciting charitable contributions from their residents, and to renew that registration periodically. This charitable solicitation registration is separate from tax-exempt status. Requirements vary by state, so visit your state's website, and that of any other state in which you solicit, to determine what registration your organization needs.

Keeping detailed records of your financial data, visitors, demographics served, safety procedures, and security measures will be very helpful if you receive an inquiry about your compliance. Organizations that do not comply with the law may lose their tax-exempt status, have to repay taxes, or face fines. Knowing what the law requires of your organization, and keeping that knowledge current, is the best way to avoid sanctions or closure.