According to the Health Resources and Services Administration (HRSA), organ procurement organizations are not regulated under HIPAA as covered entities or business associates.
HIPAA applies to two primary categories of organizations:
HIPAA’s Privacy and Security Rules govern how these entities may use, disclose, and safeguard PHI. However, not every organization that touches health information automatically falls into one of these categories.
In most cases, OPOs are not considered HIPAA-covered entities. As HRSA states, “Under HIPAA, Transplant Centers are Covered Entities but OPOs are NOT. This means that Transplant Centers are bound to comply with HIPAA but OPOs do not have the same legal requirements.” Therefore, while OPOs are deeply embedded in healthcare operations, they typically do not provide healthcare services, bill for care, or engage in electronic healthcare transactions that would qualify them as covered entities under HIPAA. Their primary function is coordination and facilitation of organ donation rather than diagnosis, treatment, or payment for healthcare services.
Under HIPAA, a business associate relationship exists when an organization performs services on behalf of a covered entity and uses PHI to do so. HIPAA explicitly distinguishes organ procurement activities from standard business associate arrangements. As HRSA states, “OPOs are also not considered Business Associates of Transplant Center or hospitals.” OPOs are not acting as vendors or contractors providing administrative or operational services to hospitals; instead, they are performing a legally recognized public health and donation coordination function.
Although OPOs are not typically regulated under HIPAA, HIPAA explicitly permits covered entities to disclose PHI to OPOs.
Under 45 C.F.R. § 164.512(h), HIPAA allows hospitals and other covered entities to share PHI without patient authorization for purposes related to:
This exception ensures that necessary medical and demographic information can be shared quickly to evaluate donor suitability, match organs to recipients, and coordinate recovery efforts.
In practice, this means:
Once PHI is disclosed to an OPO under the organ donation exception, HIPAA’s Privacy and Security Rules no longer apply directly to the OPO. However, this does not imply that the information lacks protection; rather, OPOs are usually subject to regulation by:
Covered entities may share relevant medical and demographic information, such as medical history, cause of death, laboratory results, and donor suitability data, as necessary to facilitate donation and transplantation.
Yes. While sharing PHI with OPOs is permitted, improper disclosures by covered entities, such as sharing excessive or unnecessary information outside permitted purposes, could still constitute HIPAA violations.