HIPAA and the Sunshine Act Explained: What They Are, How They Differ, and How to Stay Compliant



Kevin Henry

HIPAA

November 26, 2025


HIPAA Overview

HIPAA is a U.S. federal law enacted to protect the privacy and security of individuals’ health information and to standardize certain administrative transactions. It establishes national standards for how you create, use, disclose, and safeguard Protected Health Information (PHI) in every form it takes: paper, oral, and electronic, including Electronic Health Records (EHR).

Who is covered

  • Covered Entities: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in standard transactions.
  • Business Associates: vendors and partners that handle PHI on behalf of Covered Entities (for example, billing services, cloud hosting, and data analytics firms).

What counts as PHI

PHI is any individually identifiable health information tied to a person (for example, name, address, dates, medical record numbers, device identifiers) that relates to health status, care, or payment. De-identified data that meets HIPAA’s safe harbor or expert-determination standard is not PHI.

How HIPAA is enforced

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces HIPAA. HIPAA sets a federal “floor,” meaning more stringent state privacy laws can still apply, so you must evaluate both federal and state requirements within your Healthcare Compliance Programs.

HIPAA Privacy Rule

The Privacy Rule governs how PHI may be used and disclosed and grants individuals specific rights. It applies to PHI in all forms and requires policies, procedures, and workforce training tailored to your operations.

Core principles

  • Minimum necessary: limit PHI uses and disclosures to the least amount needed to accomplish the purpose.
  • Permitted uses and disclosures: treatment, payment, and healthcare operations (TPO) without patient authorization; other uses require valid authorization.
  • Notice of Privacy Practices: inform patients how you use PHI and their rights.

Individual rights

  • Access and copies of PHI, including EHR, in the requested format if readily producible.
  • Amendment of records when appropriate.
  • Restrictions and confidential communications, plus an accounting of certain disclosures.

De-identification and special limits

Use de-identification (safe harbor removal of the 18 listed identifiers, or expert determination) whenever a use does not require identifiable data; once properly de-identified, the data are no longer PHI. Marketing, sale of PHI, and many research or fundraising activities require additional safeguards or specific authorization under the Privacy Rule.

HIPAA Security Rule

The Security Rule covers electronic PHI (ePHI) and requires you to implement administrative, physical, and technical safeguards. The goal is to ensure confidentiality, integrity, and availability of ePHI in EHR and related systems.


Administrative safeguards

  • Risk analysis and risk management to identify threats and implement controls.
  • Assigned security responsibility, workforce training, and sanction policies.
  • Contingency planning, backups, and disaster recovery testing.

Physical safeguards

  • Facility access controls and device/media controls (for example, secure disposal and re-use processes).
  • Workstation security, including screen privacy and secure remote work practices.

Technical safeguards

  • Access controls and unique user IDs; strong authentication and timely deprovisioning.
  • Audit controls and activity monitoring for Electronic Health Records (EHR), email, and connected systems.
  • Integrity and transmission security; encryption of ePHI at rest and in transit is an addressable implementation specification, which means you must implement it or document why an equivalent alternative measure is reasonable and appropriate for your environment.
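The audit-control and activity-monitoring safeguard above is only useful if someone actually reviews the access trail. The following added example (not code from the original article or from any EHR product) runs two routine checks over constructed EHR access-log lines: a user opening an unusually large number of distinct patient charts in a short window, and chart access with no asserted treatment, payment or operations purpose. The log format, user names, MRNs, the "btg" break-the-glass marker and the thresholds are all assumptions for the example.

```python
"""Audit-control checks over EHR access logs.

Added example, not code from the original article or any EHR product.
The log format, field names, user names, MRNs and thresholds are all
assumptions; the log lines below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one access event per line as "timestamp key=value ...".
# "reason" is the purpose the user asserted when opening the chart; "btg" marks a
# break-the-glass (emergency override) access that must be reviewed afterwards.
SAMPLE_LOG = """\
2025-11-03T09:01:10 user=rn_alvarez mrn=10001 action=view reason=treatment
2025-11-03T09:02:45 user=rn_alvarez mrn=10002 action=view reason=treatment
2025-11-03T09:03:12 user=rn_alvarez mrn=10003 action=view reason=treatment
2025-11-03T09:03:50 user=rn_alvarez mrn=10004 action=view reason=treatment
2025-11-03T09:04:30 user=rn_alvarez mrn=10005 action=view reason=treatment
2025-11-03T09:05:02 user=rn_alvarez mrn=10006 action=view reason=treatment
2025-11-03T09:05:40 user=rn_alvarez mrn=10007 action=view reason=treatment
2025-11-03T10:15:00 user=dr_chen mrn=20001 action=view reason=treatment
2025-11-03T10:16:00 user=dr_chen mrn=20001 action=update reason=treatment
2025-11-03T22:40:00 user=billing_kim mrn=30001 action=view reason=none
2025-11-03T22:41:00 user=billing_kim mrn=30002 action=view reason=btg
"""

# Purposes that HIPAA permits without authorization, plus the override marker.
PERMITTED_REASONS = {"treatment", "payment", "operations", "btg"}


def parse_log(text):
    """Turn the key=value lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        event = {"ts": datetime.fromisoformat(stamp)}
        event.update(pair.split("=", 1) for pair in pairs)
        events.append(event)
    return events


def find_bulk_chart_access(events, max_distinct=5, window=timedelta(minutes=10)):
    """Flag users who opened more than max_distinct distinct charts inside one
    sliding time window. Returns (user, peak_distinct, window_start, window_end)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the window start until the window fits the time limit
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["mrn"] for e in evs[start:end + 1]}
            if best is None or len(distinct) > best[0]:
                best = (len(distinct), evs[start]["ts"], evs[end]["ts"])
        if best[0] > max_distinct:
            findings.append((user, *best))
    return findings


def find_unjustified_access(events):
    """Accesses whose asserted purpose is not treatment, payment, operations
    or a break-the-glass override: candidates for minimum-necessary review."""
    return [e for e in events if e.get("reason") not in PERMITTED_REASONS]


def find_break_the_glass(events):
    """Every override access; each one needs a documented post-hoc review."""
    return [e for e in events if e.get("reason") == "btg"]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, n, t0, t1 in find_bulk_chart_access(events):
        print(f"BULK ACCESS  {user}: {n} distinct charts between {t0:%H:%M} and {t1:%H:%M}")
    for e in find_unjustified_access(events):
        print(f"NO PURPOSE   {e['user']} opened mrn={e['mrn']} at {e['ts']:%H:%M} (reason={e['reason']})")
    for e in find_break_the_glass(events):
        print(f"BREAK-GLASS  {e['user']} opened mrn={e['mrn']} at {e['ts']:%H:%M}; review required")
```

On the constructed data the first check flags rn_alvarez (seven distinct charts in under five minutes), the second flags billing_kim's access to mrn 30001 with no stated purpose, and the override on mrn 30002 is listed for review. In practice the thresholds should be tuned per role (a triage nurse legitimately opens more charts than a billing clerk), and the findings should feed the sanction-policy and incident-response processes rather than sit in a report.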

Physician Payments Sunshine Act

The Physician Payments Sunshine Act created the nationwide Open Payments program to advance Financial Transparency Reporting. It requires applicable manufacturers and group purchasing organizations to report certain payments or transfers of value to covered recipients so patients can see potential financial relationships.

Who must report and who is reported on

  • Reporting entities: applicable manufacturers of drugs, devices, biologicals, and medical supplies, and applicable group purchasing organizations.
  • Covered recipients: physicians and teaching hospitals, with reporting expanded to include certain advanced practice clinicians (for example, physician assistants and nurse practitioners).

What gets reported

  • General payments (for example, meals, travel, speaking fees), research payments, and ownership or investment interests.
  • Key data elements: recipient name and NPI, date, amount, form (cash/in-kind), nature (consulting, education, royalty), and related product information.

Purpose

The law aims to surface potential conflicts of interest so institutions and patients can better evaluate clinical and research relationships. Data are submitted to the Centers for Medicare & Medicaid Services (CMS) and published annually in a public database.

Reporting Requirements under the Sunshine Act

You collect data on a calendar-year basis and submit it annually to CMS (reports for the prior calendar year are due by March 31), followed by a review-and-dispute period in which covered recipients can contest inaccuracies before publication. Authorized officials must attest to the completeness and accuracy of the submission.

Data collection and controls

  • Centralize event tracking for transfers of value (for example, speaker programs, advisory boards, research support).
  • Map general ledger, T&E systems, grants, and CRO payments to Open Payments categories.
  • Capture all required fields at the source to minimize rework and errors.

Exclusions, thresholds, and timing

  • Certain items are excluded (for example, product samples intended for patient use, short-term device loans, and patient education materials that directly benefit patients).
  • De minimis thresholds apply: individual transfers below the per-item threshold need not be reported unless the annual aggregate to that recipient exceeds the aggregate threshold (originally $10 per item and $100 in aggregate, adjusted annually by CMS for inflation).
  • Maintain supporting documentation to respond to CMS inquiries and recipient disputes.

Key Differences Between HIPAA and the Sunshine Act

  • Purpose: HIPAA protects patient privacy and security; the Sunshine Act promotes Financial Transparency Reporting about industry payments to clinicians and institutions.
  • Data subject: HIPAA concerns patients and PHI; the Sunshine Act concerns financial data about Covered Recipients, not patient information.
  • Who must comply: HIPAA applies to Covered Entities and their Business Associates; the Sunshine Act applies to applicable manufacturers and group purchasing organizations.
  • Regulator: HIPAA is enforced by HHS OCR; the Sunshine Act is administered by CMS through Open Payments.
  • Risks and penalties: HIPAA violations can trigger tiered civil and criminal penalties; Sunshine Act violations lead to civil monetary penalties, with higher amounts for knowing failures.
  • Operational focus: HIPAA centers on PHI governance and EHR security; the Sunshine Act centers on payment tracking, Conflict of Interest Disclosure, and public reporting accuracy.

Compliance Strategies for HIPAA and the Sunshine Act

Build an integrated Healthcare Compliance Program

  • Establish governance: designate a Privacy Officer, Security Officer, and an Open Payments reporting lead with clear escalation paths.
  • Document policies and procedures covering HIPAA Privacy and Security Rules, COI, Sunshine reporting, and incident management.
  • Perform enterprise risk assessments annually, including EHR security, vendor risk, and payment-reporting controls.

Strengthen privacy and security operations

  • Apply the minimum-necessary standard, role-based access, and routine auditing of PHI use.
  • Harden technical controls: encryption, multi-factor authentication, endpoint protection, secure messaging, and robust audit logs.
  • Manage Business Associates with written agreements, due diligence, and performance monitoring.

Elevate Sunshine Act reporting quality

  • Create a single source of truth for all transfers of value; align finance, medical affairs, and research operations.
  • Validate recipient identifiers (NPI, specialty, teaching hospital status) before submission; reconcile disputes quickly during the review window.
  • Train field teams on what is reportable vs. excluded and on proper documentation at the point of activity.
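Validating recipient identifiers before submission, together with the "capture all required fields at the source" control under Reporting Requirements, is the kind of check that is cheap to automate. The following added example (not code from the original article or from CMS) validates a batch of constructed Open Payments records: it confirms that each required field is present, that the date falls inside the reporting year, and that the NPI passes its check digit. The NPI check-digit rule is the published one (a 9-digit base followed by a Luhn check digit computed as though the constant 80840 were prepended); the record field names, the sample recipients and amounts, and the required-field list are assumptions for the example.

```python
"""Pre-submission checks for Open Payments transfer-of-value records.

Added example, not code from the original article or from CMS. The NPI
check-digit rule is the published one (Luhn over "80840" + NPI); the record
layout, field names and sample recipients are assumptions, and the records
below are constructed sample data.
"""
from datetime import date

# Assumed minimal record layout (mirrors the key data elements listed above).
REQUIRED_FIELDS = ("recipient_name", "npi", "date", "amount", "form", "nature")
PERMITTED_FORMS = {"cash", "in-kind"}


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: doubling every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def npi_check_digit(base9: str) -> int:
    """Compute the 10th digit of an NPI from its 9-digit base.

    The NPI is a Luhn-checked number with the card-issuer prefix 80840 assumed
    in front of it, so the doubling starts at the rightmost base digit."""
    total = 0
    for i, ch in enumerate(reversed("80840" + base9)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True if npi is exactly 10 digits and its check digit is correct."""
    return len(npi) == 10 and npi.isdigit() and luhn_valid("80840" + npi)


def validate_record(rec: dict, reporting_year: int) -> list:
    """Return a list of human-readable problems; an empty list means clean."""
    errors = [f"missing {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    npi = rec.get("npi")
    if npi and not is_valid_npi(npi):
        errors.append("npi fails check digit")
    when = rec.get("date")
    if when:
        try:
            if date.fromisoformat(when).year != reporting_year:
                errors.append(f"date outside reporting year {reporting_year}")
        except ValueError:
            errors.append("date is not ISO yyyy-mm-dd")
    amount = rec.get("amount")
    if amount is not None and amount <= 0:
        errors.append("amount must be positive")
    form = rec.get("form")
    if form and form not in PERMITTED_FORMS:
        errors.append(f"form must be one of {sorted(PERMITTED_FORMS)}")
    return errors


def validate_batch(records: list, reporting_year: int) -> dict:
    """Map record index -> problems, for every record that has any."""
    report = {}
    for idx, rec in enumerate(records):
        problems = validate_record(rec, reporting_year)
        if problems:
            report[idx] = problems
    return report


# Constructed sample batch. 1234567893 is a well-known syntactically valid NPI;
# 1234567898 is the same base with a wrong check digit (a typical data-entry slip).
SAMPLE_RECORDS = [
    {"recipient_name": "Dr. Jane Doe", "npi": "1234567893", "date": "2025-03-14",
     "amount": 125.50, "form": "in-kind", "nature": "food and beverage"},
    {"recipient_name": "Dr. John Roe", "npi": "1234567898", "date": "2025-07-02",
     "amount": 2000.00, "form": "cash", "nature": "consulting fee"},
    {"recipient_name": "Dr. Ann Poe", "npi": "1234567893", "date": "2024-12-30",
     "amount": 50.00, "form": "cash", "nature": ""},
]

if __name__ == "__main__":
    for idx, problems in validate_batch(SAMPLE_RECORDS, 2025).items():
        print(f"record {idx} ({SAMPLE_RECORDS[idx]['recipient_name']}): {'; '.join(problems)}")
```

The check digit only proves that an NPI is well-formed; it cannot tell you that the number belongs to the clinician named on the record, so the batch still needs a lookup against the NPPES registry for name, specialty and practice location before attestation. Run the validator when the event is captured (speaker program, advisory board, meal) rather than at year end, so the person who knows the answer fixes the record while the activity is fresh.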

Monitoring, response, and documentation

  • Conduct periodic internal audits for HIPAA and Open Payments, track findings to closure, and report to leadership.
  • Test incident and breach response plans; practice tabletop exercises spanning privacy incidents and reporting errors.
  • Retain records in line with federal and state requirements to evidence compliance decisions and submissions.

Conclusion

HIPAA and the Sunshine Act work in parallel: one protects patient privacy and EHR security, the other advances transparency around industry relationships. By integrating privacy, security, and financial transparency into your Healthcare Compliance Programs, you reduce risk, build trust, and meet both OCR and CMS expectations.

FAQs

What types of information does HIPAA protect?

HIPAA protects PHI—individually identifiable health information related to a person’s health, care, or payment. PHI spans paper, verbal, and electronic formats and includes identifiers like names, addresses, dates, medical record numbers, and device or account identifiers. Properly de-identified data is not PHI.

How does the Sunshine Act promote financial transparency?

It requires applicable manufacturers and group purchasing organizations to report payments and transfers of value to physicians, certain advanced practice clinicians, and teaching hospitals. CMS publishes these data annually so patients and institutions can see potential conflicts and make informed decisions.

Who must comply with the HIPAA regulations?

Covered Entities—health plans, healthcare clearinghouses, and providers that conduct standard electronic transactions—must comply, as do their Business Associates that create, receive, maintain, or transmit PHI on their behalf. Both must implement required safeguards and follow HIPAA’s Privacy and Security Rules.

What are the penalties for non-compliance with the Sunshine Act?

Non-compliance can result in civil monetary penalties assessed per violation, with higher amounts for knowing failures to report. CMS also requires correction of inaccurate or incomplete data and may audit supporting documentation, so strong controls and accurate submissions are essential.
