nonprofits

Read this article if you are a compliance officer, risk manager, or healthcare administrator in an ambulatory care practice, federally qualified health center, or rural health center and have responsibility for developing your organization’s workplace violence prevention program or complying with state reporting requirements.

Did you know workplace violence is increasingly prevalent in the healthcare industry? If your organization doesn’t have a plan, it might be time to consider one. This article addresses the definition and types of workplace violence, regulations, plan elements, and other considerations. 

Workplace violence in healthcare by the numbers 

Data from the US Bureau of Labor Statistics shows that prior to the COVID-19 pandemic, the incidence rate of nonfatal workplace violence to full-time healthcare workers was 10.4 per 10,000 in comparison to an all-worker rate of 2.1 per 10,000. In 2018, healthcare workers accounted for 73% of all nonfatal workplace injuries and illnesses due to violence.

Post-pandemic, the Bureau of Labor Statistics reported that healthcare and social assistance workers experienced the highest counts and annualized incidence rates for workplace violence of any private industry sector over the two-year period from 2021 – 2022. There were 41,960 total nonfatal cases of workplace violence requiring days away from work, job restriction, or transfer in the healthcare and social assistance industry over this time, accounting for 72.8% of all cases in private industry over the two-year period. These cases occurred at an annualized incidence rate of 14.2 cases per 10,000 full-time workers.

How is workplace violence defined?  

In its 2024 Comprehensive Accreditation Manual for Behavioral Health Care and Human Services Glossary, The Joint Commission (TJC) defined workplace violence as, “Any act or threat occurring in the workplace that can include any of the following: 

• Verbal, nonverbal, written, or physical aggression 
• Threatening, intimidating, harassing, or humiliating words or actions 
• Bullying 
• Sabotage 
• Sexual harassment 
• Physical assaults 
• Other behaviors of concern involving staff, licensed practitioners, patients, or visitors”    

How is workplace violence classified? 

The Institute for Healthcare Improvement (IHI) is a leading, globally recognized, nonprofit healthcare improvement organization that has been applying evidence-based quality improvement methods to meet healthcare challenges for more than 30 years. In its Framework for Standardized Data Collection of Workplace Violence Incidents in Health Care, the IHI classifies workplace violence incidents into five distinct categories: 

• Type 1: The offender has no connection to the workplace or its employees. 
• Type 2: The offender is a customer or patient associated with the workplace or its staff. 
• Type 3: The offender is a current or former employee of the organization. 
• Type 4: The offender maintains a personal relationship with employees but has no ties to the workplace itself. 
• Type 5: Violence motivated by ideological, religious, or political beliefs targeting a healthcare facility, its personnel, or property. This type is carried out by extremists or groups driven by their convictions. 

Have you developed a workplace violence prevention program? 

Key aspects of your healthcare organization’s or practice group’s program should include: 

• Conducting an environmental risk assessment 
• Contacting local law enforcement to build or enhance relationships 
• Performing trend analysis of reported incidents by site, location on the premises, day of week/time of day, and classification type    
• Obtaining feedback from staff: What do they consider to be reportable? This will help you develop meaningful training
• Recognizing staff champions while building the program  
• Testing your reporting system 
• Providing staff training, soliciting anonymous feedback, and identifying any unresolved questions  
• Identifying program gaps and developing remediation strategies 
• Keeping executive leadership and the Board regularly informed about the program and emerging trends or needs 

Which states require employer-sponsored workplace violence prevention programs? 

Two factors have led states to establish requirements for healthcare organizations to develop workplace violence prevention programs. The first reason for state action: There has been no corresponding action by the federal Occupational Safety and Health Administration (OSHA). Secondly, the proposed Workplace Violence Prevention for Health Care and Social Service Workers Act has not been enacted by Congress.  

As of January 2026, 20 states require mandatory workplace violence prevention plans or workplace safety* plans. These are Arizona, California, Connecticut, Illinois, Hawai’i, Kentucky*, Louisiana, Maine*, Maryland, Minnesota, Nevada, New Hampshire, New Jersey, New York, Ohio, Oregon, Texas, Vermont, Virginia, and Washington. 

In addition, seven states now require mandatory reporting of workplace violence incidents to a designated state agency. These states are California, Connecticut, Maryland, Montana, North Carolina, Oregon, and West Virginia.

BerryDunn can help 

Has your healthcare organization developed a workplace violence prevention plan? If yes, has it been reviewed recently? How do you train your staff to respond when a situation escalates? How do you analyze incidents? Do you have questions about your healthcare organization’s compliance with state requirements for submitting its plan?  Does your state require you to submit incident reports to a designated state agency? 

Our healthcare compliance team can help. We incorporate deep, hands-on knowledge with industry best practices to help your organization manage compliance and revenue integrity risks. Learn more about BerryDunn’s healthcare compliance consulting team and services. 

Additional resources for workplace violence prevention planning: 

• Boord J., Weckman A., Martinez N. Framework for Standardized Data Collection of Workplace Violence Incidents in Health Care, Boston: Institute for Healthcare Improvement; 2025. (Available at ihi.org) 
• US Bureau of Labor Statistics: Injuries, illnesses, and fatalities

As we previously wrote about, on February 20, 2026, the US Supreme Court invalidated tariffs imposed under the International Emergency Economic Powers Act (IEEPA).

Last week, the US Customs and Border Protection (CBP) announced a new process that allows importers to request refunds of those tariffs. We'll walk through how to actually claim refunds, what to expect from the process, and where complications can arise.

About the CAPE tariff refund system

CBP’s new system, called CAPE (Consolidated Administration and Processing of Entries), is an added functionality accessed through the existing ACE (Automated Commercial Environment) Portal, which most importers already use for customs reporting.

How to request a tariff refund

To submit a refund claim, importers should take the following steps:

• Confirm that your importer information and ACE Portal account are active and up to date.
• Ensure you are enrolled in ACH Refund (required to receive refund payments).
• Note: If you do not already have an ACE Portal account, be aware that setting one up can take several weeks.

Refund requests are submitted by filing a CAPE Declaration in the ACE Portal. This declaration is a spreadsheet‑style (.CSV) file listing entries eligible for refunds of IEEPA tariffs. Each declaration can include up to 9,999 entries, with additional filings required for larger volumes. CBP provides guidance on how to prepare and submit this file.

Which imports qualify for tariff refunds?

At this time, refund claims are only available for:

• Unliquidated entries
• Entries liquidated within the past 80 days

Other types of entries are currently excluded from the CAPE process. CBP has indicated that future system expansion may allow for the submission of additional types of claims beyond the above. Importers are encouraged to consult with their customs broker or advisor(s) to determine whether any of their imports fall into excluded categories and whether additional steps are needed to protect refund claims.

How long does the refund process generally take?

Once a CAPE Declaration is submitted:

• The invalid IEEPA tariffs are removed.
• Duties are recalculated as if those tariffs never applied.
• Refunds including 6% interest are automatically calculated.
• Payments are made via ACH, generally within 60 – 90 days after acceptance of the CAPE Declaration.

How BerryDunn can help

Our dedicated audit, tax, and consulting professionals understand the impact of tariffs and can assist with developing strategies for refunds as they become available. Learn more about our team and services.

In today’s increasingly digital environment, cybersecurity has become a critical concern for nonprofit (NFP) organizations. While many NFPs operate with smaller teams and tight budgets, they still handle sensitive information—donor records, payment data, client demographics, and sometimes even health‑related or financial assistance files. Unfortunately, cybercriminals recognize this and often view NFPs as soft targets with valuable data. Because community trust is so important, a cybersecurity incident can create financial and reputational hurdles for an organization. The good news, however, is that strong cybersecurity safeguards do not always require major capital investments. With strategic planning and a focus on essential controls, even the most resource‑constrained organizations can significantly reduce cyber risk.

The cyber threat landscape for nonprofits 

NFPs face a wide variety of cyber threats, many of which exploit human error or outdated systems. Phishing attacks remain the most common, often leading to credential theft or unauthorized access to email accounts. Business Email Compromise (BEC) schemes, which can trick employees into sending fraudulent payments or sensitive data by impersonating trusted email addresses, can be particularly damaging for smaller organizations with smaller internal control structures. Beyond causing operational slowdowns, a breach can make donors and other stakeholders more cautious and raise understandable questions. 

Practical, low‑cost cybersecurity strategies 

Despite limited budgets, NFPs can meaningfully enhance their cybersecurity position by focusing on high‑impact, low‑cost strategies. 

Strengthening governance is a key first step. Establishing basic cybersecurity policies—such as acceptable use, password standards, and incident response—creates a foundation for consistent practices across employees and volunteers. Free frameworks, like the NIST Cybersecurity Framework resources, designed originally for government use, but applicable to many organizations, provide a helpful starting point, including a Quick Start Guide for small businesses.

Next, NFPs can maximize the value of technology they already own. Many cloud platforms commonly used in the sector, such as Microsoft 365 and Google Workspace, include built‑in security features at no extra cost. Enabling multifactor authentication (MFA), automatic software updates, and email filtering tools can significantly reduce the likelihood of a successful cyberattack. Removing unused accounts and reviewing permissions helps ensure attackers don't exploit dormant access. We recommend a formal user access review at least annually for small organizations and quarterly for medium-sized organizations or if there is higher turnover at a small NFP. 

Because many cyber incidents stem from unintentional mistakes, training is one of the most cost‑effective defenses. Free or low‑cost cybersecurity awareness programs can be incorporated into onboarding for staff and volunteers. Regular reminders about phishing, safe browsing, and password practices—combined with simple processes for reporting suspicious activity—create a culture of security without significant expense. 

Data protection is another essential component. Tracking where sensitive data resides and limiting access to only those who need it helps reduce exposure. Continuously testing that cloud-based backups are working effectively can ensure critical information is recoverable in the event of a ransomware attack or system failure. We recommend testing data backups at least quarterly, especially with your cloud vendors, to help ensure their responsibilities around data are being upheld.  

Finally, NFPs can leverage outsourced support and community resources. Many managed service providers offer NFPs pricing, and state or local government programs sometimes provide free cybersecurity assessments or monitoring tools. These partnerships allow small organizations to access expertise they may not be able to hire internally. 

The path to cost-effective cybersecurity 

Effective cybersecurity is achievable—even for NFPs with limited resources. By focusing on governance, human awareness, existing technology, and targeted use of outside support, NFPs can build a resilient security foundation without heavy financial investment. With the right culture and controls in place, organizations can protect their data, safeguard their reputation, and continue advancing their mission with confidence.

BerryDunn can help 

We help organizations understand their cybersecurity risk environment and translate threats into leadership-ready insights. Our consultants guide you in identifying actionable next steps, gaining engagement and buy-in from key decision-makers. With deep experience across sectors, we deliver practical cybersecurity solutions tailored to your systems and compliance needs. Learn more about our team and services. 

For many people, charitable giving is deeply personal, motivated less by tax considerations and more by values and a connection to a cause or organization. While tax benefits are rarely the primary reason people give, understanding how charitable contributions may affect your taxes remains important. 

Tax benefit for charitable giving 

Generally, a tax benefit for charitable giving was only available to taxpayers who itemized their deductions. In 2017, with the passing of the Tax Cuts and Jobs Act, the standard deduction was increased and the state and local tax (SALT) deduction was capped at $10,000. These changes made it more beneficial for some taxpayers to shift from itemizing their deductions to taking the standard deduction. This shift essentially removed the federal tax benefit for charitable giving for such taxpayers. For some, this put charitable giving on the sidelines, either by reducing giving, not giving to qualified public charities, or simply not keeping track of their giving. 

2026 charitable tax benefit with standard deduction 

Beginning in 2026, a permanent change expands the charitable tax benefit to taxpayers who take the standard deduction. Under the One Big Beautiful Bill Act, non-itemizers may now claim an above-the-line charitable deduction up to $2,000 for married taxpayers filing jointly (or $1,000 for single filers).  

To qualify to take this deduction, a few requirements must be met: 

• The donation must be cash 
• The donation must be made to a qualified public charity 
• The donation cannot be a contribution to a donor-advised fund 

Some important reminders: 

• Documentation is a must. Acknowledgment letters are a good form of documentation. 
• Verify the organization you are donating to is a qualified public charity. One common mistake some taxpayers make is assuming online crowdfunding fundraisers are qualified public charities.   
• Remember to provide your charitable giving information to your tax professional.   

Admittedly, the change is modest, not transformational, but it does broaden the number of taxpayers who benefit from donating to charity. It is important to keep in mind that each individual taxpayer’s situation is unique. State tax implications must also be considered, as not all states follow federal tax law.  

BerryDunn can help 

Our seasoned tax professionals partner with you to offer practical, accessible guidance and to develop a detailed strategy that supports your unique needs. We excel at tax strategy and solutions, placing an emphasis on building long-term relationships. Our deep expertise spans a full range of tax concerns, tax services, and consulting to support individuals, businesses, and nonprofit organizations. Our consultants are specialists in their industry, working closely with their colleagues across the firm to deliver integrated, comprehensive solutions. Learn more about our team and services.

Read this if you are a chief financial officer or controller at a community bank.

On April 23, 2026, the federal banking agencies—the Office of the Comptroller of the Currency, the Federal Reserve, and the Federal Deposit Insurance Corporation—issued a final rule revising the Community Bank Leverage Ratio (CBLR) framework. The changes are intended to encourage broader adoption of the CBLR framework while maintaining strong capital standards for qualifying community banks.

What are the key changes under the final rule? 

Lower CBLR requirement 

• Threshold lowered from 9% to 8% 
• Likely increase in community banks that qualify for the simplified CBLR framework rather than the more complex risk‑based capital rules

Expanded grace period 

• Grace period for banks that temporarily fall out of compliance with the CBLR qualifying criteria extended from two quarters to four quarters, provided the bank maintains a leverage ratio above 7% 
• Institutions may remain in the CBLR framework while reestablishing compliance or transitioning back to the risk‑based capital framework

Limits on repeated grace period use 

• Grace period use is limited to no more than eight quarters during the prior five-year (20‑quarter) period to preserve safety and soundness 
• Institutions exceeding the threshold must immediately comply with risk‑based capital requirements if they again fall out of CBLR compliance

The final rule is effective July 1, 2026.

Why does this matter for community banks?  

Regulators expect these changes to reduce regulatory burden, provide banks with additional balance sheet flexibility, and increase capacity for community lending—while keeping capital levels consistent with well‑capitalized standards. For banks currently near the prior 9% threshold or concerned about short‑term capital volatility, the revised framework may make the CBLR a more practical and sustainable option. 

Key takeaways

• Broader CBLR adoption: The lower qualifying threshold means more community banks can opt into the simplified CBLR framework. 

• Grace period expansion: Banks have a longer runway to recover from temporary shortfalls without needing to revert to the risk-based capital framework. 

• Grace period restrictions: Limitations have been added to avoid reliance on grace period use. 

• Compliance relief: The changes are meant to ease compliance burden while facilitating consistent capital levels.  

BerryDunn can help

Our dedicated audit, tax, and consulting professionals understand the financial services industry and its challenges and are committed to helping you meet and exceed regulatory requirements. We partner with you to bring tailored approaches to fit your needs and operations and provide guidance on best practices and recommendations that make sense for you. Learn more about our services and team.