HIPAA Compliance for Surrogacy Agencies: A Practical Guide and Checklist
HIPAA Role Determination for Surrogacy Agencies
Before you draft policies or buy software, confirm your HIPAA role. Most surrogacy agencies become business associates when they create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a clinic, lab, or health plan. Some agencies remain outside HIPAA if they never handle PHI; a few operate as covered entities if they directly deliver healthcare services.
Quick determination steps
- List services you perform for clinics or health plans (screening, scheduling, case management, billing support).
- Identify whether you touch PHI to provide those services; if yes, you are a business associate.
- If you deliver clinical care or bill insurers yourself, evaluate covered entity status or a hybrid arrangement.
- Map vendors that handle PHI for you (cloud storage, CRM, e-signature); they are subcontractor business associates.
- If you only use de-identified data, document the de-identification method and scope.
Common scenarios
- Pre-screening surrogates using medical history and lab results: business associate.
- Coordinating appointments with fertility clinics using ePHI: business associate.
- Operating an in-house nursing team that provides care: potential covered entity or hybrid.
- Marketing using fully de-identified case studies: generally outside HIPAA; verify that no identifiers remain.
Definition and Scope of Protected Health Information
Protected Health Information (PHI) is any individually identifiable health information—past, present, or future—related to health, care delivery, or payment, in any medium. Electronic PHI (ePHI) includes emails, messages, portals, and files containing that data.
What counts as PHI in surrogacy programs
- Medical histories, lab results, genetic carrier screens, ultrasound images, medication protocols, and mental health evaluations.
- Identifiers such as names, contact details, full-face photos, precise addresses, dates tied to an individual, and account or record numbers.
- Payment details for medical services, insurance authorizations, and claims.
De-identified data and limited data sets
- De-identified data removes specified identifiers or is certified by an expert; it is not PHI.
- A Limited Data Set excludes direct identifiers but can include dates and city/ZIP; it requires a Data Use Agreement.
- Always document the basis for de-identification and limit re-identification risk.
Data Mapping and Business Associate Agreements
Data mapping shows where PHI enters, moves, is stored, and exits your organization. It anchors your safeguards, vendor oversight, and Business Associate Agreement (BAA) obligations.
Data mapping steps
- Inventory intake forms, emails, messaging apps, EHR/portal access, spreadsheets, and shared drives.
- Diagram PHI flows among surrogates, intended parents, clinics, labs, insurers, attorneys, and escrow services.
- Tag each step with owner, system, location, access roles, and retention period.
- Identify cross-border transfers and high-risk points (attachments, exports, mobile access).
Business Associate Agreement essentials
- Permitted and required uses/disclosures of PHI and the Minimum Necessary Standard.
- Safeguard obligations (Administrative Safeguards, Technical Safeguards, and physical controls).
- Incident reporting timelines, Breach Notification Rule duties, and cooperation requirements.
- Subcontractor flow-down, right to audit, access/amendment support, and accounting of disclosures.
- Return or destruction of PHI at termination and documentation retention.
Vendor due diligence
- Assess security certifications, encryption practices, uptime, and breach history.
- Validate data residency, backup, disaster recovery, and support for audit logs.
- Execute BAAs before sharing any PHI; verify subcontractor BAAs, too.
Implementing the Minimum Necessary Standard
The Minimum Necessary Standard requires you to limit PHI uses, disclosures, and requests to the least amount needed for the task. Build this into roles, workflows, and tools.
Operationalize “minimum necessary”
- Define role-based access so coordinators, finance staff, and leadership see only what they need.
- Segment files by case and function; avoid “all-staff” folders for medical documents.
- Use templates that mask extraneous data when sending case updates to non-clinical recipients.
- Prefer Limited Data Sets or de-identified summaries for routine status reports.
Practical examples
- Clinic scheduling: share only the appointment date/time and required prep, not full charts.
- Insurance verification: disclose member ID and relevant diagnosis/procedure codes, not therapy notes.
- Attorney coordination: provide the minimum medical facts needed for legal filings.
Key caveats
- Treatment disclosures by providers are generally exempt, but your internal uses and most disclosures still follow minimum necessary.
- Reasonable reliance applies when a provider specifies what they need; document such requests.
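The role-scoped disclosures listed under "Practical examples" above, written out as a small Python filter (an added illustration, not code from the article or from any agency system; the case fields, role names and sample values are constructed). Each recipient role gets an allow-list of fields, the intended-parents view is refused unless an authorization is on file, and every disclosure is appended to a log that can feed an accounting-of-disclosures report.

```python
"""Minimum-necessary disclosure filter for a surrogacy case record.

Assumption: the record fields, roles and sample values below are illustrative
and constructed for this example; map them to your own data model.
"""
from datetime import date
from typing import Dict, List, Optional

# Constructed sample case record; all values are fictional.
CASE = {
    "case_id": "S-1042",
    "surrogate_name": "Jane Doe",
    "dob": "1990-04-12",
    "appointment": "2024-09-03 09:30",
    "appointment_prep": "Fasting 8h; bring medication list",
    "member_id": "INS-77812",
    "dx_codes": ["Z31.7"],
    "procedure_codes": ["58970"],
    "therapy_notes": "Session 3: anxiety about transfer timing",
    "lab_results": "HbA1c 5.2%",
    "legal_facts": "Medically cleared for embryo transfer",
    "status": "Screening complete; awaiting clinic scheduling",
}

# Allow-list per recipient role: only the fields that task needs.
ALLOWED_FIELDS: Dict[str, List[str]] = {
    "clinic_scheduling": ["case_id", "surrogate_name", "appointment", "appointment_prep"],
    "insurance_verification": ["case_id", "member_id", "dx_codes", "procedure_codes"],
    "attorney": ["case_id", "surrogate_name", "legal_facts"],
    "intended_parents": ["case_id", "status"],  # scoped status only, no medical detail
}

# In-memory disclosure log; a real deployment would persist this.
DISCLOSURE_LOG: List[dict] = []


def scoped_view(record: dict, role: str, authorization_id: Optional[str] = None) -> dict:
    """Return the subset of `record` permitted for `role` and log the disclosure."""
    if role not in ALLOWED_FIELDS:
        raise PermissionError(f"no disclosure profile for role {role!r}")
    # Disclosure to intended parents falls outside TPO: require an authorization on file.
    if role == "intended_parents" and not authorization_id:
        raise PermissionError("disclosure to intended parents requires a HIPAA authorization")
    view = {k: record[k] for k in ALLOWED_FIELDS[role] if k in record}
    DISCLOSURE_LOG.append({
        "date": date.today().isoformat(),
        "case_id": record.get("case_id"),
        "recipient_role": role,
        "fields": sorted(view),
        "authorization": authorization_id,
    })
    return view
```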
Consent and Authorization Procedures
HIPAA permits many TPO (treatment, payment, operations) uses without written permission, but disclosures outside TPO often require a HIPAA-compliant authorization. In surrogacy, disclosures to intended parents about a surrogate’s medical details typically require authorization unless routed through a provider’s TPO process.
When authorization is required
- Sharing a surrogate’s medical details with intended parents or their representatives.
- Marketing communications that use PHI or any sale of PHI.
- Psychotherapy notes and certain sensitive categories often need specific, heightened authorization.
Required elements of a valid authorization
- Specific description of information, purpose, recipients, and expiration date or event.
- Individual’s signature/date, right to revoke, and notice of potential re-disclosure.
- Separate forms for marketing/sale of PHI; keep copies on file.
How to operationalize
- Standardize e-signature workflows and store authorizations with the case file.
- Use versioned, role-specific templates (e.g., “update to intended parents” vs. “attorney packet”).
- Train staff to stop and obtain authorization when a disclosure falls outside TPO.
Privacy Protection and Information Sharing
Strong privacy protection blends policy with technology. Align your practices to the HIPAA Security Rule’s Administrative Safeguards and Technical Safeguards, plus robust physical controls and disciplined sharing protocols.
Administrative Safeguards
- Assign a privacy officer and a security officer; define authority and escalation paths.
- Conduct Risk Analysis and risk management; review at least annually or after major changes.
- Implement workforce clearance, onboarding/offboarding, and sanction policies.
- Adopt contingency plans: backups, disaster recovery, and emergency operations.
Technical Safeguards
- Encrypt ePHI at rest and in transit; enforce MFA for all PHI systems.
- Use unique IDs, strict access controls, automatic logoff, and audit logging.
- Harden endpoints with MDM, patching, anti-malware, and device encryption.
- Prefer secure messaging/portals over email; if emailing, use TLS and omit unnecessary details.
Physical safeguards and secure communications
- Restrict office access, lock file rooms, and maintain clean-desk practices.
- Control printing and scanning; redact or watermark when feasible.
- Verify recipient identity before disclosures; never use public social media for case updates.
Information sharing scenarios
- With clinics and labs: follow BAAs and clinic instructions; transmit via approved channels.
- With attorneys and insurers: share the minimum necessary, backed by valid authorizations.
- With intended parents: provide authorized, scoped updates; prefer de-identified status summaries when possible.
Training, Policies, and Risk Analysis
Policies define expectations; training builds habits; Risk Analysis identifies gaps. Together they operationalize HIPAA compliance for surrogacy agencies.
Foundational policies
- Privacy, security, and acceptable use; access management; device and remote work rules.
- Data classification, retention, disposal, and media re-use.
- Incident response and breach notification; sanctions and whistleblower protections.
Training program
- Provide onboarding and annual refreshers, plus role-specific modules for coordinators and leadership.
- Cover PHI handling, Minimum Necessary Standard, phishing, secure messaging, and authorization workflows.
- Track completion, comprehension checks, and remedial coaching; retain records.
Risk Analysis process
- Identify assets, data flows, threats, and vulnerabilities; rate likelihood and impact.
- Document current controls and residual risk; prioritize remediation with owners and deadlines.
- Reassess after system changes, incidents, or new partnerships.
Breach Notification and Incident Response
Not every security incident is a breach, but all incidents require prompt triage. If PHI is compromised, the Breach Notification Rule sets strict timelines and content requirements.
First 24 hours
- Contain: isolate affected accounts/devices, rotate credentials, preserve logs.
- Engage your incident team and key vendors; begin a forensic snapshot.
- Start an incident log capturing who, what, when, and actions taken.
Breach risk assessment
- Evaluate the nature/extent of PHI, the unauthorized person, whether PHI was acquired or viewed, and mitigation performed.
- Document rationale if you determine a low probability of compromise.
Breach Notification Rule basics
- Notify the covered entity without unreasonable delay and no later than 60 days from discovery (BAA may require shorter notice).
- For confirmed breaches affecting individuals, provide written notice without unreasonable delay and within 60 days of discovery.
- If 500+ residents of a state/jurisdiction are affected, notify HHS and prominent media; for fewer than 500, log and report to HHS annually.
- Notices should describe what happened, the PHI involved, protective steps individuals can take, your mitigation, and contact points.
- Coordinate law enforcement delays when applicable, and maintain all documentation.
Post-incident hardening
- Close root causes, enhance monitoring, and retrain staff on lessons learned.
- Update Risk Analysis and policies, and verify effectiveness with testing.
Compliance Documentation and Recordkeeping
What to keep
- Policies, procedures, Risk Analysis and remediation plans, and configuration baselines.
- BAAs and Data Use Agreements; vendor assessments and audit results.
- Training content, attendance, test results, and sanctions.
- Access reviews, audit logs, incident and breach files, and authorization forms.
Retention and destruction
- Retain required HIPAA documentation for at least six years from creation or last effective date.
- Follow BAAs and internal schedules for PHI retention; keep only what you need, then securely destroy.
- Maintain certificates of destruction for media and files.
Auditing and continuous improvement
- Use periodic internal audits to test Minimum Necessary controls, access rights, and disclosure logs.
- Track corrective actions to closure and verify with evidence.
- Review your data map and vendor list at least annually.
Conclusion
HIPAA compliance for surrogacy agencies hinges on clear role determination, disciplined PHI handling, strong safeguards, documented authorizations, trained staff, and a tested incident plan. Build these into daily operations, document consistently, and revisit your Risk Analysis as services and partners evolve.
FAQs
What determines if a surrogacy agency is a HIPAA business associate?
You are a business associate if you create, receive, maintain, or transmit PHI to perform services for a covered entity (such as a fertility clinic, lab, or health plan). Common triggers include medical pre-screening, appointment coordination using ePHI, insurance support, or storing clinical documents for clinics. If you deliver healthcare directly, you may be a covered entity; if you never handle PHI, HIPAA may not apply, though privacy best practices still should.
How should agencies handle and share PHI to remain compliant?
Apply the Minimum Necessary Standard with role-based access; use secure systems with encryption and MFA; share PHI through approved channels per BAAs; and document authorizations for disclosures outside TPO. Prefer de-identified summaries or Limited Data Sets when practical, verify recipient identity, and log significant disclosures.
What training is required for surrogacy agency staff on HIPAA?
Provide onboarding and annual training covering PHI handling, Minimum Necessary Standard, secure communications, incident reporting, and authorization workflows. Include role-specific modules for coordinators and leaders, run phishing simulations, test comprehension, and retain training records as part of your compliance documentation.
When must a surrogacy agency notify individuals of a data breach?
After assessing an incident and determining a breach of unsecured PHI, provide written notice without unreasonable delay and no later than 60 days from discovery. As a business associate, you must also notify the covered entity promptly (often sooner per your BAA). Large breaches affecting 500+ residents require additional notifications to HHS and media; smaller breaches are logged and reported to HHS annually.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.