HIPAA Policies for Organ Procurement Organizations (OPOs): Requirements and Best Practices

Kevin Henry

HIPAA

November 21, 2025

6 minute read

HIPAA Applicability to OPOs

How OPOs fit under HIPAA

Under HIPAA, covered entities are health plans, health care clearinghouses, and providers that conduct standard electronic transactions. Most Organ Procurement Organizations do not perform these covered functions. Instead, you typically receive Protected Health Information (PHI) from hospitals for the sole purpose of facilitating organ, eye, and tissue donation and transplantation.

When an OPO is a business associate

An OPO can become a business associate when it performs services for a covered entity that involve PHI beyond donation facilitation (for example, quality analytics for the hospital unrelated to procurement, or operating hospital systems on the hospital’s behalf). In those cases, you must execute Business Associate Agreements (BAA) and meet all business associate obligations.

Practical steps

  • Document the legal basis for each data flow (permitted recipient vs. business associate).
  • Map when your roles change across programs, facilities, and systems.
  • Adopt HIPAA-aligned policies even when not strictly required, because stakeholders will expect equivalent protections.

Permitted Uses and Disclosures of PHI

Disclosures that are allowed without authorization

Hospitals may disclose PHI to OPOs, and OPOs may use that PHI, to evaluate donor suitability, identify potential recipients, and coordinate transplantation activities—without the individual’s authorization. This permission includes information about deceased individuals when it is necessary to support donation and transplantation.

Typical information shared for donation and transplantation

  • Demographics, relevant medical history, and current/last known clinical status.
  • Laboratory values (including serologies), imaging reports, and HLA typing results.
  • Operative notes, hemodynamic data, and other data required by transplant centers and histocompatibility laboratories.

Disclosures that require additional safeguards

Uses unrelated to donation—such as research, marketing, or general fundraising—generally require a separate HIPAA pathway (e.g., individual authorization, a limited data set with a data use agreement, or another specific permission). Always verify recipient identity, transmit PHI securely, and record the basis for each disclosure.

Minimum Necessary Standard

Design for data minimization

The Minimum Necessary Standard requires you to limit PHI to what is reasonably needed for the task. Build role-based access so coordinators, medical directors, labs, and logistics teams see only the information they need to perform donation-related duties.

Operational controls that work

  • Create predefined “data bundles” for common tasks (e.g., initial referral review, donor risk assessment, recipient matching) to standardize what is shared.
  • Use structured request forms and checklists that justify each data element requested from hospitals.
  • Redact extraneous content when full documents are unnecessary; share summaries when feasible.
  • When full identifiers aren’t needed, consider de-identification or a limited data set supported by a data use agreement.
  • Audit access and disclosures, and use dashboard metrics to trend outliers for corrective action.
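The role-based access, predefined data bundles, and disclosure auditing described above can be expressed as a small enforcement layer. The following is an added example, not code from the original article or from any OPO or vendor system; the role names, task names, field names, and the sample referral record are all constructed for illustration, and the legal-basis string is free text rather than a regulatory citation. It shows one way to make the Minimum Necessary Standard mechanical: a task maps to a fixed bundle of fields, a role may only request certain bundles, every release is logged with the fields actually disclosed and the recorded basis, and a simple per-actor count supports the "trend outliers" metric.

```python
"""Role-based minimum-necessary filtering with a disclosure audit trail.

Added example for the Minimum Necessary section. Every name below
(roles, tasks, fields, the sample record) is constructed and hypothetical.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any

# Constructed sample referral record. Field names are illustrative and the
# values are fictitious; this is not a real donor record.
SAMPLE_REFERRAL: dict[str, Any] = {
    "mrn": "MRN-000123",
    "name": "Jane Example",
    "dob": "1970-01-01",
    "address": "1 Example St",
    "ssn": "000-00-0000",
    "clinical_status": "brain death pronounced",
    "blood_type": "O+",
    "serology": {"HIV": "neg", "HBV": "neg", "HCV": "neg"},
    "hla_typing": "A1,A2; B8,B44; DR3,DR4",
    "hemodynamics": {"MAP": 72, "HR": 88},
    "transport_window": "2025-11-21T14:00Z",
    "hospital_unit": "ICU-4",
}

# Predefined "data bundles": each common task maps to the minimum field set
# needed for it. Anything not listed in a bundle is never released by this code.
DATA_BUNDLES: dict[str, frozenset[str]] = {
    "initial_referral_review": frozenset({"mrn", "dob", "clinical_status", "blood_type", "hospital_unit"}),
    "donor_risk_assessment": frozenset({"mrn", "dob", "clinical_status", "serology", "hemodynamics"}),
    "recipient_matching": frozenset({"mrn", "blood_type", "hla_typing", "serology"}),
    "logistics": frozenset({"mrn", "hospital_unit", "transport_window"}),
}

# Role-based access: which bundles each (hypothetical) role may request.
ROLE_BUNDLES: dict[str, frozenset[str]] = {
    "coordinator": frozenset({"initial_referral_review", "donor_risk_assessment", "logistics"}),
    "medical_director": frozenset({"initial_referral_review", "donor_risk_assessment", "recipient_matching"}),
    "hla_lab": frozenset({"recipient_matching"}),
    "logistics": frozenset({"logistics"}),
}


@dataclass(frozen=True)
class DisclosureLogEntry:
    """One audited release of PHI: who, in what role, for which task, which fields, and why."""
    timestamp: str
    actor: str
    role: str
    task: str
    record_id: str
    fields: tuple[str, ...]
    legal_basis: str


@dataclass
class DisclosureLog:
    entries: list[DisclosureLogEntry] = field(default_factory=list)


def minimum_necessary(record: dict[str, Any], actor: str, role: str, task: str,
                      legal_basis: str, log: DisclosureLog) -> dict[str, Any]:
    """Return only the fields in the task's bundle, after checking that the role
    may use that bundle, and append an audit entry recording the disclosure.

    Raises PermissionError (and logs nothing) when the role is not entitled to the task.
    """
    if task not in ROLE_BUNDLES.get(role, frozenset()):
        raise PermissionError(f"role {role!r} may not request bundle {task!r}")
    bundle = DATA_BUNDLES[task]
    view = {k: v for k, v in record.items() if k in bundle}
    log.entries.append(DisclosureLogEntry(
        timestamp=datetime.now(timezone.utc).isoformat(),
        actor=actor,
        role=role,
        task=task,
        record_id=str(record.get("mrn", "<unknown>")),
        fields=tuple(sorted(view)),
        legal_basis=legal_basis,
    ))
    return view


def fields_outside_all_bundles(record: dict[str, Any]) -> set[str]:
    """Fields of a record that no bundle ever releases; a quick check that
    direct identifiers (name, address, SSN in the sample) cannot leave."""
    bundled = set().union(*DATA_BUNDLES.values())
    return set(record) - bundled


def actors_over_threshold(log: DisclosureLog, threshold: int) -> dict[str, int]:
    """Actors with more disclosures than `threshold`: a simple outlier metric
    for the audit dashboard the article recommends."""
    counts = Counter(entry.actor for entry in log.entries)
    return {actor: n for actor, n in counts.items() if n > threshold}
```

A histocompatibility lab requesting the `recipient_matching` bundle receives MRN, blood type, HLA typing and serologies and nothing else; a logistics user requesting that same bundle is refused before any PHI is read, and the refusal leaves no misleading "disclosed" entry in the log. In a production system the log would be append-only and shipped to central logging, and the bundle and role tables would be reviewed as part of the periodic access review rather than hard-coded.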

Security Rule Requirements

When they apply—and why you should align regardless

If your OPO acts as a business associate, the HIPAA Security Rule applies to your electronic PHI (ePHI). Even when you are a permitted recipient rather than a business associate, aligning to the Security Rule is a best practice that protects donors, recipients, and institutional partners.

Conduct a Security Risk Assessment

Perform a comprehensive Security Risk Assessment to identify threats, vulnerabilities, and the likelihood and impact of harm. Maintain a living risk management plan that prioritizes remediation, assigns owners, and tracks milestones.

Administrative Safeguards

  • Governance: designate security and privacy leads, define policies, and review them regularly.
  • Workforce security: background checks, onboarding/offboarding controls, and sanction policies.
  • Training: role-specific security awareness and phishing resilience for all workforce members.
  • Access management: least privilege, timely entitlement reviews, and strong authentication (MFA).
  • Incident response: triage playbooks, escalation paths, and breach notification procedures.

Physical Safeguards

  • Facility access controls, visitor management, and secure server/network rooms.
  • Workstation security for offices, recovery sites, and mobile environments.
  • Device and media controls, including encryption, chain-of-custody, and secure disposal.

Technical Safeguards

  • Access controls: unique IDs, session timeouts, and emergency access procedures.
  • Audit controls and centralized logging with alerting for anomalous activity.
  • Integrity controls and anti-malware/EDR to prevent unauthorized alteration of ePHI.
  • Transmission security: encryption in transit and at rest; secure APIs and VPNs.
  • Vendor oversight: require equivalent protections and Business Associate Agreements (BAA) for subcontractors that handle PHI.

Business Associate Agreements

When a BAA is required

Execute a BAA when your OPO provides services to a covered entity that involve PHI beyond your role as a permitted recipient for donation and transplantation. Avoid unnecessary BAAs for activities that are strictly donation facilitation, but be prepared to document the rationale either way.

What to include in the BAA

  • Permitted and prohibited uses/disclosures aligned with the Minimum Necessary Standard.
  • Administrative, Physical, and Technical Safeguards, plus ongoing Security Risk Assessment.
  • Breach and security incident reporting timelines, cooperation duties, and documentation.
  • Subcontractor flow-down requirements and the right to audit or receive attestations.
  • Procedures for access, amendments, accounting of disclosures, and return or destruction of PHI at termination.
  • Allocation of responsibilities for regulatory inquiries and preservation of records.

Emergency Preparedness

Build and maintain an Emergency Preparedness Plan

OPO operations are time-critical. Your Emergency Preparedness Plan should ensure continuity of donation and transplantation even during disasters or cyber incidents. Define command structure, authorities, and decision thresholds for activating emergency mode operations.

Core continuity and recovery capabilities

  • Contingency planning: data backup, disaster recovery, emergency mode procedures, and application/data criticality analysis.
  • Redundancy: alternate communication channels, power, and sites; downtime forms and workflows.
  • Cyber resilience: immutable/offline backups, rapid isolation steps, and vendor engagement playbooks.
  • 24/7 rosters: up-to-date contacts for hospitals, transplant centers, labs, transport, and leadership.
  • Exercises: regular tabletop drills and after-action reviews with corrective action tracking.

Privacy during emergencies

Emergencies do not suspend core privacy protections. Share only what is needed to protect patients and sustain transplant logistics, secure transmissions, and continue documenting the legal basis for each disclosure throughout the event and recovery period.

Conclusion

For OPOs, strong HIPAA practices center on clear role definition, disciplined data minimization, rigorous security, and tested continuity planning. By tailoring policies to your functions, executing BAAs where appropriate, and sustaining an enterprise-grade security and Emergency Preparedness Plan, you safeguard PHI while enabling life-saving donation and transplantation.

FAQs

Are OPOs considered HIPAA-covered entities?

Generally, no. Most OPOs are not covered entities because they do not conduct HIPAA-covered transactions. You typically receive PHI as a permitted recipient for donation and transplantation. However, you may be a business associate when performing services involving PHI on behalf of a covered entity.

What are the permitted disclosures of PHI to OPOs?

Hospitals may disclose PHI to OPOs, and OPOs may use that PHI, to evaluate donor suitability, identify recipients, and coordinate transplantation without an authorization. Share only what is reasonably necessary, verify recipients, and secure all transmissions.

How should OPOs implement the minimum necessary standard?

Use role-based access, standardized data bundles for common tasks, and structured request forms. Redact unneeded details, apply de-identification or limited data sets when feasible, and audit requests and disclosures to confirm they align with operational need.

What emergency preparedness measures must OPOs have?

Maintain a comprehensive Emergency Preparedness Plan that includes contingency planning (backup, disaster recovery, emergency mode), redundant communications and power, cyber incident response, updated contact rosters, and regular exercises with documented improvements.
