HIPAA Compliance Checklist for Surrogacy Agencies


Kevin Henry

HIPAA

May 25, 2026

HIPAA Role Determination

You first need to determine your HIPAA status. Most surrogacy agencies are not covered entities because they do not provide healthcare services or process HIPAA standard transactions. However, you often qualify as a business associate when a fertility clinic, lab, or insurer asks you to create, receive, maintain, or transmit Protected Health Information (PHI) on its behalf.

Map every workflow that touches medical details. Document who sends you PHI, what you do with it, where it is stored, and which third parties receive it. If PHI flows from or to a covered entity for case coordination, screening, or billing support, you must operate under a Business Associate Agreement (BAA). If you engage subcontractors to handle PHI, they must sign BAAs as well.

Minimize data whenever possible. If a task can be completed with de-identified information or with a coded ID, use that approach. Validate your practices against State Surrogacy Regulations, which may add stricter privacy or recordkeeping requirements beyond HIPAA.

  • Decide: covered entity, business associate, or neither (document the rationale).
  • Inventory PHI sources, systems, and disclosures (data map).
  • Execute BAAs before any PHI flows; extend BAAs to subcontractors.
  • Adopt the minimum necessary standard for all internal uses and external disclosures.

Definition of PHI

Protected Health Information is individually identifiable health information that relates to a person’s health status, provision of care, or payment for care. It includes any detail that can identify the individual—alone or when combined with other data—such as name, address, dates, phone, email, photos, ID numbers, and similar identifiers.

In surrogacy, common PHI includes medical and psychological screening results, fertility and genetic testing, embryo transfer records, prenatal visit summaries, pregnancy test outcomes, ultrasound reports, immunization status, and insurance or billing details tied to the surrogate or intended parent.

De-identified data is not PHI. If you must share limited data sets for analytics (removing direct identifiers but retaining elements like dates or ZIP codes), use a Data Use Agreement and apply strict controls to prevent re-identification.

  • Treat mixed files (medical plus personal details) as PHI.
  • Redact nonessential identifiers before sharing summaries.
  • Keep genetic or mental health information under tighter controls due to heightened sensitivity and possible state-specific rules.

Privacy Officer Appointment

Designate a Privacy Officer to build, oversee, and continuously improve your HIPAA program. In a small agency, one person may serve as both Privacy and Security Officer, but the role must be explicit and resourced. Publish how staff and clients can contact this person with questions or complaints.

Privacy Officer Responsibilities include drafting and updating policies, leading risk analyses, coordinating training, reviewing access rights, managing Business Associate Agreements, and supervising Breach Notification Procedures. The officer should also monitor regulatory changes, including State Surrogacy Regulations that affect consent, records, or disclosures.

  • Create a charter describing the officer’s authority and reporting line.
  • Establish metrics: training completion rates, access review cadence, incident response times.
  • Run periodic tabletop exercises to test privacy and security incident readiness.
  • Maintain documentation: policies, risk assessments, vendor due diligence, and decisions.

Data Security Measures

Protect PHI with layered technical and administrative safeguards. Start with Role-Based Access Controls to enforce least privilege so employees see only what their duties require. Pair this with strong authentication, time-bound access, and prompt offboarding.

  • Access and identity: multifactor authentication, single sign-on where feasible, quarterly access reviews, immediate revocation upon role change or departure.
  • Data Encryption Standards: encrypt data in transit (TLS 1.2 or later) and at rest (for example, AES-256); keep encryption keys in a key management service or hardware module separate from the systems that hold the ciphertext, restrict who can use them, and rotate them on a schedule; enforce full-disk encryption on laptops and mobile devices. Encryption that follows HHS guidance also makes PHI "secured," so a lost but fully encrypted laptop is generally not a reportable breach, provided the key was not lost with it.
  • Endpoint and network: automatic patching, endpoint detection and response, secure configurations, and restricted admin rights; separate environments for testing and production.
  • Data handling: approved secure portals for file exchange, email encryption for PHI, prohibited use of personal email or consumer messaging for PHI, and verified recipient procedures.
  • Audit and logging: maintain detailed logs of access, changes, and exports; alert on anomalies; retain logs long enough to support investigations.
  • Vendor risk: evaluate cloud platforms and apps; sign BAAs; verify controls and certifications; limit integrations to what is necessary.
  • Backups and retention: encrypt backups, test restores, and implement a retention schedule aligned with business needs and State Surrogacy Regulations.
  • Secure disposal: sanitize drives, shred paper, and verify destruction certificates from vendors.
  • Incident response and Breach Notification Procedures: define detection, triage, containment, investigation, notification, and post-incident review steps; rehearse at least annually.
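As an added example, not code from the original checklist or from any particular product, the following Python shows one way the access-control and audit items above fit together: a deny-by-default role map that enforces the minimum-necessary rule at field level, time-bound grants that fail closed once expired or when the role is unknown, an audit entry for every allowed and denied request, and a simple anomaly check that flags a user who pulls many distinct cases in a short window. The roles, field names, thresholds and the sample case record are constructed for illustration.

```python
"""Deny-by-default RBAC with field-level minimum-necessary filtering,
time-bound grants, an audit trail, and a bulk-access anomaly check.
Roles, fields, thresholds and the sample record are constructed for
illustration; they are not from any real agency or product."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical role -> fields of a case record the role may see.
# A field that is not listed for a role is withheld (deny by default),
# so sensitive columns such as psych_eval_notes stay hidden from everyone
# until a role is deliberately granted them.
ROLE_FIELDS = {
    "case_coordinator": {"case_id", "surrogate_name", "clinic",
                         "next_appointment", "screening_status"},
    "matching_specialist": {"case_id", "screening_status",
                            "suitability_summary"},
    "billing": {"case_id", "insurance_member_id", "invoice_total"},
}

# Constructed sample record; values are placeholders, not real data.
SAMPLE_CASE = {
    "case_id": "C-1042", "surrogate_name": "Jane Doe",
    "clinic": "Example Fertility", "next_appointment": "2026-06-03",
    "screening_status": "cleared",
    "suitability_summary": "meets program criteria",
    "psych_eval_notes": "(restricted)", "genetic_panel": "(restricted)",
    "insurance_member_id": "XYZ123", "invoice_total": 4200,
}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    expires: datetime  # time-bound access; re-issue on role change


def view_case(record, grant, audit, purpose, now=None):
    """Return only the fields the grant permits and append an audit entry.

    Raises PermissionError when the grant has expired or the role is not in
    ROLE_FIELDS; the denied attempt is still logged so reviewers can see it.
    """
    now = now or datetime.now(timezone.utc)
    allowed = ROLE_FIELDS.get(grant.role, set())
    entry = {"ts": now.isoformat(), "user": grant.user, "role": grant.role,
             "case_id": record.get("case_id"), "purpose": purpose}
    if now >= grant.expires or not allowed:
        entry["outcome"] = "denied"
        audit.append(entry)
        raise PermissionError(f"{grant.user}: no valid access as {grant.role}")
    view = {k: v for k, v in record.items() if k in allowed}
    entry["outcome"] = "allowed"
    entry["fields"] = sorted(view)            # what was actually disclosed
    entry["withheld"] = len(record) - len(view)
    audit.append(entry)
    return view


def flag_bulk_access(audit, max_cases=5, window=timedelta(minutes=10)):
    """Return users who touched more than max_cases distinct cases in window.

    A coordinator opening every file within minutes is a classic insider or
    compromised-account signal. Denied attempts count as well, since a user
    probing cases they cannot open is also worth an alert.
    """
    by_user = {}
    for e in audit:
        by_user.setdefault(e["user"], []).append(
            (datetime.fromisoformat(e["ts"]), e["case_id"]))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            cases = {cid for ts, cid in events[i:] if ts - start <= window}
            if len(cases) > max_cases:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    now = datetime(2026, 5, 25, 12, 0, tzinfo=timezone.utc)
    audit = []
    grant = Grant("alice", "matching_specialist", now + timedelta(days=1))
    print(view_case(SAMPLE_CASE, grant, audit, "matching", now=now))
    for i in range(6):  # simulate one user sweeping six cases in six seconds
        view_case({**SAMPLE_CASE, "case_id": f"C-{i}"},
                  Grant("mallory", "case_coordinator", now + timedelta(days=1)),
                  audit, "review", now=now + timedelta(seconds=i))
    print("flagged:", flag_bulk_access(audit))
```

The deny-by-default map means a policy mistake fails in the safe direction: a new column is invisible to every role until someone adds it. Passing the same audit list to flag_bulk_access afterwards is the simplest form of the anomaly alerting in the checklist; in production the entries would go to an append-only store that the users being audited cannot modify.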

Authorization Requirements

HIPAA generally permits a business associate to use and disclose PHI only as allowed by its BAA and the covered entity's instructions, or as otherwise required by law. Disclosures not permitted by HIPAA or the BAA require a valid, written HIPAA authorization from the individual. Do not rely on generic intake forms; use clear, purpose-specific authorizations.

Authorizations should identify the information to be disclosed, who may disclose it, the purpose, the recipient, an expiration date or event, the individual's right to revoke, and the potential for redisclosure by the recipient, and must carry the individual's dated signature. Use plain language and separate authorizations for distinct purposes (for example, sharing medical screening results with intended parents versus with an attorney or insurer).

When collaborating with clinics, apply the minimum necessary rule for administrative tasks. For particularly sensitive categories—like genetic testing or mental health records—check State Surrogacy Regulations for additional consent or segregation requirements before any disclosure.

  • Collect only what you need for screening, matching, and coordination.
  • Redact details that are irrelevant to matching decisions.
  • Track authorization expirations and honor revocations promptly.

Confidentiality and Fairness

Surrogacy involves multiple stakeholders with legitimate interests. Your confidentiality practices must protect each person’s dignity while ensuring fair and transparent processes. Share PHI strictly on a need-to-know basis and avoid revealing sensitive details that are immaterial to decision-making.

Use standardized, purpose-built summaries for matching that exclude extraneous identifiers. Apply consistent criteria when communicating medical disqualifications, and avoid discriminatory practices. Provide equal clarity to surrogates and intended parents about what information will be shared, when, with whom, and why.

  • Separate clinical details from suitability summaries; disclose only what affects safety or suitability.
  • Explain decisions without exposing unrelated PHI.
  • Document who received what information and under which authority (BAA or authorization).
  • Offer secure channels for questions and corrections to maintain trust and accuracy.

Training and Policies

A written policy framework is the backbone of your HIPAA compliance checklist. Maintain version-controlled policies for privacy, security, access control, incident response, Breach Notification Procedures, device and email use, remote work, records retention, sanctions, and complaint handling. Keep a master index so staff can find the right document quickly.

Provide role-specific training at hire and at least annually. Include practical exercises on recognizing PHI, using approved systems, handling authorizations, reporting incidents, and applying Role-Based Access Controls. Track completion, test comprehension, and retrain after policy updates or incidents.

  • Conduct a security risk analysis and remediate findings on a defined schedule.
  • Review BAAs yearly and after any service changes; verify vendors still meet your Data Encryption Standards.
  • Run periodic audits of access logs, data sharing events, and authorization files.
  • Maintain a living data map that reflects new programs, integrations, and State Surrogacy Regulations.

Bottom line: know your role, define PHI precisely, empower a skilled Privacy Officer, harden your systems, use tailored authorizations, uphold confidentiality and fairness, and reinforce everything with training and clear policies. This discipline turns compliance into a dependable, trust-building practice.

FAQs

What PHI must surrogacy agencies protect under HIPAA?

You must protect any individually identifiable health information you handle for a covered entity or receive under a BAA. In surrogacy, that commonly includes medical and psychological screening results, lab and genetic tests, embryo transfer and pregnancy records, appointment notes, and insurance or billing data tied to a person. Treat mixed files as PHI and remove nonessential identifiers before sharing summaries.

How should surrogacy agencies handle business associate agreements?

Execute Business Associate Agreements before receiving or transmitting PHI for a covered entity. Each BAA should define permitted uses and disclosures, required safeguards, subcontractor obligations, Breach Notification Procedures, and return or destruction of PHI at the end of the engagement. Review BAAs annually and whenever services, systems, or vendors change.

What steps are required for breach notification?

Activate your incident response plan: contain, investigate, and assess the probability that PHI was compromised. If a breach of unsecured PHI is confirmed, your obligation as a business associate is to notify the covered entity without unreasonable delay and no later than 60 days after discovery (your BAA will often set a shorter deadline); the covered entity then notifies affected individuals without unreasonable delay and within the same 60-day limit, reports to HHS, and notifies prominent media when more than 500 residents of a state or jurisdiction are affected. Document decisions, remediation, and preventive improvements.

How often should HIPAA compliance training be conducted?

Provide training at onboarding and at least annually for all workforce members with potential PHI access. Add role-based modules for staff who handle authorizations, case management, or IT administration. Deliver refresher training after policy changes, system rollouts, audits, or incidents, and keep attendance and assessment records.
