Surrogacy and HIPAA Compliance: What Clinics and Agencies Need to Know

Kevin Henry

HIPAA

May 12, 2026

10 minutes read

Surrogacy and HIPAA compliance intersect anywhere clinical care, matching, and case management meet. To protect trust—and avoid penalties—you need clear roles, tight controls over Protected Health Information, and disciplined Privacy Rule Compliance. This guide explains how clinics and agencies can structure responsibilities, implement Security Rule Safeguards, and operationalize Business Associate Agreements while honoring State Privacy Laws and Sensitive Health Information Handling.

HIPAA Role Determination in Surrogacy

Begin by defining your role. Fertility clinics, obstetric practices, labs, and telehealth providers are typically covered entities (CEs). Surrogacy agencies, attorneys, intended parents, and insurers are generally not CEs; however, agencies frequently become business associates (BAs) when they handle PHI on a CE’s behalf. Correct role determination drives which HIPAA rules apply and how your contracts and workflows must be designed.

Who is usually covered—and when

  • Clinics and laboratories: Covered entities that create and maintain PHI for diagnosis and treatment.
  • Surrogacy agencies: Often BAs if they receive, maintain, or transmit PHI to coordinate care, scheduling, or claims on behalf of a CE.
  • Attorneys and intended parents: Not CEs; typically not BAs unless their services for a CE require access to PHI.
  • Insurance brokers/TPAs and technology vendors: Commonly BAs when services involve PHI for a CE.

Practical BA trigger test

You are a BA if you create, receive, maintain, or transmit PHI for or on behalf of a CE to perform services like case management, coordination, quality assurance, billing, or data processing. Examples include storing surrogate medical records for a clinic, confirming screening results, or scheduling with PHI attached. Activities that use only de-identified data or that are solely for intended parents, without acting for a CE, generally do not trigger BA status.

Task-based quick check

  • Coordinating appointments using lab results or histories from a clinic: BA activity.
  • Managing travel logistics without PHI (names plus itinerary only): Non-BA activity.
  • Collecting medical forms for clinic review and keeping copies: BA activity.
  • Marketing using aggregate, de-identified statistics: Non-BA activity.

Definition and Scope of Protected Health Information

Protected Health Information (PHI) is individually identifiable health information relating to a person’s health status, care, or payment that identifies the individual or can reasonably do so. In surrogacy, PHI spans screening questionnaires, lab results, genetic testing, mental health evaluations, ultrasound images, medication logs, and insurance claims.

Common PHI elements in surrogacy

  • Identifiers: Names, addresses, dates, phone numbers, emails, SSNs, MRNs, device identifiers, and full-face photos.
  • Clinical content: Fertility histories, infectious disease testing, imaging, progress notes, medication protocols, prenatal records.
  • Financial/administrative: Insurance details, explanations of benefits, payment data linked to an individual.

De-identification boundaries

Data qualify as de-identified when all specified identifiers are removed (safe harbor) or an expert determines re-identification risk is very small. Be cautious with rare diagnoses, small geographic areas, exact dates, or unique embryo/donor codes that can inadvertently re-identify someone. If a data set could re-identify a surrogate or donor when combined with other data you hold, treat it as PHI.
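The following script, added here as an example and not part of the original article, screens a case record the way the paragraph above describes: any Safe Harbor identifier makes the record PHI, and the quasi-identifiers the article warns about (a small geographic area, a rare diagnosis) are tracked separately so that their combination can be caught. The identifier categories follow the HIPAA Safe Harbor list; the field-to-category mapping, the placeholder rare-diagnosis list, the "two quasi-identifiers" threshold and all sample records are constructed assumptions for the demo, and the three-digit ZIP handling ignores the population threshold in the rule.

```python
"""Safe Harbor style de-identification screen for a surrogacy case record.

Added example, not from the original article. Identifier categories follow
the HIPAA Safe Harbor list (45 CFR 164.514(b)(2)); the field names, the
"rare diagnosis" list and the sample records below are constructed for the
demo, and the 3-digit ZIP handling ignores the population threshold.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Screen:
    identifiers: list = field(default_factory=list)  # Safe Harbor hits
    quasi: list = field(default_factory=list)        # combination risks

    @property
    def treat_as_phi(self) -> bool:
        # Any listed identifier makes it PHI; two or more quasi-identifiers
        # together are treated as PHI, following the article's guidance
        # (the "two" threshold is a constructed policy choice).
        return bool(self.identifiers) or len(self.quasi) >= 2


# Record fields that, when populated, are direct identifiers (constructed mapping).
DIRECT_FIELDS = {
    "name": "names",
    "street_address": "geographic unit smaller than a state",
    "phone": "telephone number",
    "email": "email address",
    "ssn": "social security number",
    "mrn": "medical record number",
    "device_serial": "device identifier or serial number",
    "photo_url": "full-face photo",
    "donor_code": "other unique identifying code",
    "embryo_code": "other unique identifying code",
}

# Identifier values that leak into free-text fields such as notes.
VALUE_PATTERNS = {
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "telephone number": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}
FULL_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")   # month/day present
ZIP5_RE = re.compile(r"^\d{5}(-\d{4})?$")
RARE_DIAGNOSES = {"demo_rare_condition"}            # constructed placeholder


def screen_record(rec: dict) -> Screen:
    """Return the Safe Harbor hits and combination risks found in one record."""
    s = Screen()
    for fld, category in DIRECT_FIELDS.items():
        if rec.get(fld):
            s.identifiers.append(f"{fld}: {category}")
    for fld, val in rec.items():
        if not isinstance(val, str) or fld in DIRECT_FIELDS:
            continue
        for category, rx in VALUE_PATTERNS.items():
            if rx.search(val):
                s.identifiers.append(f"{fld}: {category} in free text")
        if fld.endswith("_date") and FULL_DATE_RE.match(val):
            s.identifiers.append(f"{fld}: date element finer than year")
    if isinstance(rec.get("age"), int) and rec["age"] > 89:
        s.identifiers.append("age: over 89")
    zip_code = str(rec.get("zip", ""))
    if ZIP5_RE.match(zip_code):
        s.identifiers.append("zip: five-digit ZIP code")
    elif re.fullmatch(r"\d{3}", zip_code):
        s.quasi.append("zip: three-digit ZIP prefix")
    if rec.get("diagnosis") in RARE_DIAGNOSES:
        s.quasi.append("diagnosis: rare condition")
    return s


# Constructed sample records.
CLINIC_RECORD = {
    "name": "Jane Doe", "zip": "94110", "screening_date": "2026-03-14",
    "age": 31, "diagnosis": "unremarkable", "notes": "call back at 415-555-0123",
}
SUMMARY_OK = {"zip": "941", "screening_date": "2026", "age": 31,
              "diagnosis": "unremarkable", "notes": "normal labs"}
SUMMARY_RISKY = {"zip": "941", "screening_date": "2026", "age": 31,
                 "diagnosis": "demo_rare_condition"}

if __name__ == "__main__":
    for label, rec in [("clinic record", CLINIC_RECORD), ("summary", SUMMARY_OK),
                       ("summary with rare diagnosis", SUMMARY_RISKY)]:
        result = screen_record(rec)
        print(label, "-> treat as PHI:", result.treat_as_phi,
              result.identifiers, result.quasi)
```

The third sample is the case the paragraph singles out: no listed identifier is present, so a field-by-field check would pass it, but the three-digit ZIP prefix plus a rare diagnosis is enough that the record is handled as PHI. Free-text fields are scanned for identifier patterns because a phone number pasted into a note is just as identifying as one in the phone field.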

PHI vs. state personal information

Even when information is not PHI, it may still be regulated personal or sensitive data under State Privacy Laws. Maintain a unified inventory that flags whether a data element is PHI, consumer health data, biometric, genetic, or another protected category.

Core HIPAA Obligations for Agencies

As a BA, your obligations include implementing Security Rule Safeguards, limiting uses and disclosures to what the Business Associate Agreements permit, honoring the minimum necessary standard, and meeting Breach Notification Requirements. You must train your workforce, conduct a risk analysis, apply sanctions for violations, and flow down protections to subcontractors.

When an agency is not a BA

If you never handle PHI for a CE, HIPAA may not apply directly. Still, align with core controls because you likely manage sensitive health and legal information under contracts and State Privacy Laws. Adopting HIPAA-level safeguards creates a consistent baseline across cases and jurisdictions.

If an agency operates a clinical service

Agencies that deliver healthcare (for example, in-house screening by licensed clinicians with standard electronic transactions) may themselves be covered entities. In that case, you must publish a Notice of Privacy Practices, implement Privacy Rule procedures for access, amendment, and accounting, and designate privacy and security officers.

Practical workflow standards

  • Apply the minimum necessary rule to all PHI exchanges with intended parents, attorneys, and insurers.
  • Use standardized authorization forms for non-routine disclosures; verify identity before releasing PHI.
  • Separate clinical, legal, and financial records; restrict cross-access.
  • Define retention periods and destruction methods aligned to legal and contractual requirements.
  • Document a cross-border transfer protocol for international intended parents or clinics.

Data Security Measures for PHI Protection

Security Rule Safeguards span administrative, physical, and technical layers. Your program should be risk-based, documented, and tested. Map data flows end to end, then select controls that mitigate your highest risks without impeding care coordination.

Administrative safeguards

  • Risk analysis and risk management plan with prioritized remediation.
  • Policies for access, acceptable use, incident response, and sanctions.
  • Security and privacy training on onboarding and annually, plus phishing simulations.
  • Vendor risk management and due diligence before granting PHI access.
  • Contingency planning: backups, disaster recovery, and tested restoration.

Technical safeguards

  • Encryption in transit and at rest; avoid SMS or consumer messaging for PHI.
  • Multi-factor authentication, unique IDs, role-based access, and least privilege.
  • Audit logs for access, changes, downloads, and disclosures; active review.
  • Endpoint protection, MDM for BYOD, automatic patching, and remote wipe.
  • DLP and secure portals for file exchange; email encryption with secure message pickup.
  • Regular vulnerability scanning and third-party penetration testing.

Physical safeguards

  • Locked storage, clean-desk rules, visitor logs, and device cable locks.
  • Screen privacy filters; secure disposal via shredding or certified destruction.
  • Environmental controls for server/network rooms and inventory of media.

High-risk scenarios and mitigations

  • Remote work: Enforce VPN, encrypted laptops, and no-home-printer PHI rules.
  • Travel: Use privacy screens; disable Wi-Fi auto-connect; avoid discussing cases in public.
  • Video meetings: Use platforms with BAAs; disable recordings unless authorized and necessary.
  • Third-country transfers: Apply transfer assessments and pseudonymization where possible.

Business Associate Agreements Requirements

Use Business Associate Agreements whenever a vendor or agency handles PHI for a CE. The BAA should define the permitted uses and disclosures, require appropriate safeguards, and set Breach Notification Requirements and timelines. It must also obligate subcontractors to the same protections and address return or destruction of PHI at termination.

Essential BAA elements

  • Purpose and permitted PHI uses/disclosures; prohibition on unauthorized marketing or sale of PHI.
  • Security Rule compliance, including risk management and workforce training.
  • Breach, security incident, and improper disclosure reporting with prompt notice.
  • Assistance with access, amendment, and accounting of disclosures when the CE must respond.
  • Flow-down clauses requiring subcontractor BAAs; right to audit or obtain attestations.
  • Termination, return, or certified destruction of PHI; retention exceptions narrowly defined.
  • Government access clause acknowledging potential HHS review.

Negotiation and governance tips

  • Map data flows before signing to ensure the “permitted uses” reflect reality.
  • Set reporting windows shorter than 60 days for suspected breaches (for example, 5 business days).
  • Align cyber insurance, indemnities, and limits with transaction risk.
  • Define audit evidence (policies, risk assessments, test results) you can produce on request.

Vendor inventory discipline

  • Maintain a living register of systems touching PHI (EHRs, e-sign, CRM, file sharing, video, chat, couriers).
  • Record whether each vendor is a BA, status of the BAA, data types, retention, and hosting location.
  • Review access quarterly and remove dormant or mismatched permissions.

Compliance with State Surrogacy Regulations

Surrogacy frameworks and privacy protections vary widely by state. Some states have detailed statutes governing screening, compensation, and parentage orders; others rely on case law or restrict certain arrangements. These rules intersect with State Privacy Laws that protect health, genetic, and reproductive information, often beyond HIPAA’s scope.

Key intersections with privacy

  • Consumer health privacy: Certain states treat reproductive and fertility data as sensitive, imposing consent, notice, or data minimization duties even outside HIPAA.
  • Genetic and infectious disease data: Additional confidentiality and authorization requirements may apply.
  • Minor-related rules, mandated reporting, and record retention: Deadlines and rights can differ by state.
  • Cross-state cases: Choice-of-law and venue can dictate which disclosures and consents are valid.

Operational steps to stay aligned

  • Create a state-by-state matrix covering surrogacy prerequisites, consent elements, and confidentiality rules.
  • Localize forms: Adjust notices and authorizations to reflect applicable state definitions of sensitive data.
  • Geofence practices that could expose location or clinic visits; limit precise geolocation collection.
  • Coordinate with counsel on parentage orders to ensure disclosures are minimum necessary.

Ethical Considerations and Informed Consent

Ethical practice in surrogacy demands transparency, respect for autonomy, confidentiality, and avoidance of conflicts of interest. Your procedures should empower surrogates and intended parents to make informed choices while ensuring Sensitive Health Information Handling remains disciplined and compassionate.

Building an ethical foundation

  • Separate matching, financial interests, and medical decision-making to reduce undue pressure.
  • Offer plain-language materials, adequate time for questions, and interpreter services when needed.
  • Limit disclosures to the minimum necessary; share need-to-know updates rather than full records.

Informed consent should cover

  • Specific PHI to be collected and why; who will receive it (clinics, intended parents, attorneys, insurers).
  • How PHI will be shared (secure portal, encrypted email), retained, and ultimately destroyed.
  • Rights to access, request corrections, and revoke authorizations, plus consequences of revocation.
  • Risks of re-disclosure once PHI leaves a CE; when de-identified summaries can be used instead.
  • Use of digital tools (apps, wearables, telehealth, video recordings) and opt-in choices.
  • Handling of genetic testing results and psychological evaluations; separate authorizations if required.
  • Cross-border transfers where intended parents or clinics are outside the United States.

Process controls

  • Stage-based consent: pre-screening, clinical screening, matching, pregnancy management, and postpartum.
  • Authorization tracking logs with version control and expiration dates.
  • Regular audits to confirm disclosures match the consent on file.
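The three process controls above fit together naturally in code: a versioned authorization register with expiration and revocation dates, a disclosure log, and an audit that reports every disclosure the consent on file does not cover. The script below is an added example, not the article's or any vendor's code; the record structures, the stage names and all sample entries are constructed for the demo.

```python
"""Audit of PHI disclosures against the authorization on file.

Added example, not from the original article. The authorization and
disclosure-log structures, the stage names and every sample entry are
constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Authorization:
    auth_id: str
    version: int                 # higher version supersedes earlier ones
    subject: str                 # case id of the surrogate or donor
    recipient: str               # intended_parents, attorney, insurer, ...
    categories: frozenset        # PHI categories the subject agreed to share
    stage: str                   # pre_screening, clinical_screening, matching, pregnancy, postpartum
    expires: date
    revoked_on: Optional[date] = None


@dataclass(frozen=True)
class Disclosure:
    subject: str
    recipient: str
    category: str
    stage: str
    sent_on: date
    auth_id: str                 # authorization cited when the PHI was sent


def current_authorizations(auths):
    """Keep only the highest version of each authorization."""
    latest = {}
    for a in auths:
        if a.auth_id not in latest or a.version > latest[a.auth_id].version:
            latest[a.auth_id] = a
    return latest


def audit_disclosures(auths, disclosures):
    """Return (disclosure, reason) pairs for every disclosure the consent on
    file does not cover; an empty list means the log matches the consent."""
    latest = current_authorizations(auths)
    findings = []
    for d in disclosures:
        a = latest.get(d.auth_id)
        if a is None:
            findings.append((d, "no authorization on file"))
        elif a.subject != d.subject:
            findings.append((d, "authorization belongs to a different subject"))
        elif a.revoked_on is not None and d.sent_on >= a.revoked_on:
            findings.append((d, "sent after revocation"))
        elif d.sent_on > a.expires:
            findings.append((d, "sent after expiration"))
        elif d.recipient != a.recipient:
            findings.append((d, "recipient not authorized"))
        elif d.category not in a.categories:
            findings.append((d, f"category {d.category!r} outside authorized scope"))
        elif d.stage != a.stage:
            findings.append((d, "disclosure outside the consented stage"))
    return findings


# Constructed sample data: A-1 was re-signed as version 2 to add lab results,
# A-2 was revoked on 1 May.
AUTHORIZATIONS = [
    Authorization("A-1", 1, "S-100", "intended_parents",
                  frozenset({"screening_summary"}), "clinical_screening", date(2026, 6, 30)),
    Authorization("A-1", 2, "S-100", "intended_parents",
                  frozenset({"screening_summary", "lab_results"}), "clinical_screening",
                  date(2026, 12, 31)),
    Authorization("A-2", 1, "S-100", "insurer", frozenset({"claims"}), "pregnancy",
                  date(2026, 12, 31), revoked_on=date(2026, 5, 1)),
]
DISCLOSURE_LOG = [
    Disclosure("S-100", "intended_parents", "lab_results", "clinical_screening", date(2026, 4, 10), "A-1"),
    Disclosure("S-100", "intended_parents", "mental_health_eval", "clinical_screening", date(2026, 4, 12), "A-1"),
    Disclosure("S-100", "insurer", "claims", "pregnancy", date(2026, 5, 15), "A-2"),
    Disclosure("S-100", "attorney", "lab_results", "matching", date(2026, 4, 20), "A-9"),
    Disclosure("S-100", "intended_parents", "lab_results", "pregnancy", date(2026, 4, 25), "A-1"),
]

if __name__ == "__main__":
    for d, reason in audit_disclosures(AUTHORIZATIONS, DISCLOSURE_LOG):
        print(f"{d.sent_on} {d.recipient:<17} {d.category:<20} {reason}")
```

The first log entry is clean only because version 2 of A-1 added lab results, which is why the audit resolves the latest version before checking scope; a check against the original signature would have produced a false finding. The remaining four entries each trip a different control (scope, revocation, missing authorization, stage), and the order of the checks puts the revocation and expiration tests before the scope tests so that a revoked authorization is never reported as merely out of scope.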

Conclusion

Effective surrogacy and HIPAA compliance starts with role clarity, continues with rigorous Privacy Rule Compliance and Security Rule Safeguards, and is sustained through precise BAAs, state-law alignment, and ethical, informed consent. By operationalizing these principles, you protect people, enable collaboration, and keep every disclosure purposeful and lawful.

FAQs

What makes a surrogacy agency a HIPAA business associate?

An agency is a business associate when it creates, receives, maintains, or transmits PHI for or on behalf of a covered entity to perform services such as case coordination, screening logistics, quality review, billing support, or data processing. If you simply work for intended parents without handling PHI for a clinic, or you use only de-identified information, BA status usually does not apply.

How should agencies secure PHI under HIPAA?

Implement Security Rule Safeguards: conduct a risk analysis; enforce least-privilege access, MFA, and encryption; log and review access; train staff; manage vendors via Business Associate Agreements; maintain incident response and tested backups; and use secure portals or encrypted email instead of consumer messaging. Apply the minimum necessary standard to every disclosure.

Are there additional state regulations beyond HIPAA for surrogacy?

Yes. State surrogacy statutes govern eligibility, screening, and court orders, while State Privacy Laws can treat reproductive, genetic, or consumer health data as sensitive, imposing extra consent, notice, or retention obligations even outside HIPAA. Always localize your forms and workflows to the state where services are delivered and court actions occur.

What should informed consent in surrogacy cover?

Clearly describe what PHI will be collected, the purposes for collection, who will receive it, how it will be protected, retention and destruction timelines, rights to access and amend, how to revoke authorizations, the risks of re-disclosure, and choices about digital tools, genetic data, and cross-border sharing. Ensure the scope aligns with your BAAs and the minimum necessary standard.
