In 2023, CMS published over 12.9 billion dollars in physician payment data through the Open Payments database — the public-facing arm of the Sunshine Act. Every year, healthcare organizations ask me the same question: does reporting these payments create a HIPAA violation? The intersection of the Sunshine Act and HIPAA is more nuanced than most compliance officers realize, and getting it wrong can expose your covered entity to enforcement action from OCR or CMS — or both.

What the Sunshine Act Requires from Your Organization

The Physician Payments Sunshine Act, enacted as Section 6002 of the Affordable Care Act, requires applicable manufacturers and group purchasing organizations (GPOs) to report payments and other transfers of value made to covered recipients: physicians, teaching hospitals and, for data collected since program year 2021, certain non-physician practitioners (physician assistants, nurse practitioners, clinical nurse specialists, certified registered nurse anesthetists and certified nurse-midwives). These reports are submitted annually to CMS and published in the Open Payments database after a review-and-dispute period during which covered recipients can contest what was reported about them.

If your organization is an applicable manufacturer or GPO, you have a direct reporting obligation. Teaching hospitals and physicians are covered recipients, not reporters: they do not submit data to CMS, but they can register with Open Payments to review and dispute the records reported about them before publication. And even if you are a covered entity that doesn't manufacture drugs or devices, the Sunshine Act affects how your physicians interact with industry and how your organization handles the data that flows from those interactions.

The reporting threshold is remarkably low. The statute set it at any single payment or transfer of value exceeding $10, or aggregate payments exceeding $100 to a single covered recipient in a calendar year; CMS adjusts both figures annually for inflation, so confirm the current program year's values rather than relying on the statutory numbers. Reportable transfers include meals, travel, consulting fees, research payments, and speaking honoraria.

Where the Sunshine Act Intersects with HIPAA Privacy Protections

Here is where compliance teams consistently stumble. The Sunshine Act requires disclosure of payment information tied to specific physicians — but it does not require or authorize the disclosure of protected health information (PHI). The reporting obligation covers the financial transaction between a manufacturer and a physician, not patient records.

However, problems arise in practice. Research payments reported under the Sunshine Act are often tied to clinical studies. If your organization shares information with a manufacturer to substantiate or contextualize a research payment, and that information includes patient identifiers, you have made a disclosure of PHI that must fit a permitted use or disclosure under 45 CFR §164.502 or it is a Privacy Rule violation. Research disclosures can be permissible, but only on their own legal footing: a valid authorization under §164.508, an IRB or Privacy Board waiver under §164.512(i), or a properly de-identified data set or a limited data set under a data use agreement (§164.514). A Sunshine Act payment report supplies none of that footing.

The minimum necessary standard (45 CFR §164.502(b) and §164.514(d)) applies here with full force. Your workforce must be trained to understand that Sunshine Act reporting never justifies disclosing more patient information than is absolutely required. In practice the right amount is zero: no PHI belongs in payment reports or in supporting documentation sent to manufacturers.

Business Associate Agreements and Manufacturer Relationships

A common misconception is that pharmaceutical manufacturers are automatically business associates under HIPAA. They are not — unless they perform a function on behalf of your covered entity that involves access to PHI. A manufacturer paying your physician a consulting fee does not create a business associate relationship.

Nor does a manufacturer become a business associate simply by sponsoring research at your facility. Research is not a function performed on behalf of the covered entity, so PHI disclosed to a sponsor must flow under a patient authorization (45 CFR §164.508), an IRB or Privacy Board waiver (§164.512(i)), or as a limited data set under a data use agreement (§164.514(e)). A business associate agreement (BAA) is required only when the manufacturer actually performs a service for your organization that involves PHI, for example hosting or analyzing patient data on your behalf; since the Omnibus Rule, a business associate in that position is also directly liable for its own HIPAA compliance. The Sunshine Act payment reporting obligation exists in parallel with all of this. It neither replaces nor modifies your authorization, waiver or BAA requirements. These are separate compliance tracks that must be managed independently.

Practical Steps to Align Sunshine Act and HIPAA Compliance

Based on my work with covered entities navigating both frameworks, here are the steps your organization should implement immediately:

  • Audit your payment reporting workflows. Identify every point where Sunshine Act data is collected, verified, or transmitted. Confirm that no PHI is included in reports or supporting documentation sent to manufacturers or CMS.
  • Train your workforce on both obligations. Your physicians and administrative staff need to understand what must be reported under the Sunshine Act and what must never be disclosed under HIPAA. Comprehensive HIPAA training and certification should address these overlapping requirements explicitly.
  • Separate research data from payment data. If your organization receives research funding from manufacturers, create distinct data handling procedures for clinical trial PHI and financial reporting. Never commingle these data streams.
  • Review your Notice of Privacy Practices. Ensure your Notice of Privacy Practices accurately describes the types of disclosures your organization makes, including any disclosures required by law. Sunshine Act reporting itself typically does not involve PHI, but your notice should be current and comprehensive.
  • Conduct a risk analysis that covers both frameworks. Your Security Rule risk analysis under 45 CFR §164.308(a)(1)(ii)(A) should account for any workflow where manufacturer relationships create potential exposure of electronic PHI, paying particular attention to the shared drives, spreadsheets and email threads where payment documentation and study data are most likely to be commingled.
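The first and third steps above (confirm that no PHI leaves in payment documentation, and keep research data out of the payment feed) can be enforced mechanically rather than by hoping reviewers catch everything. The following is an added example, not code from the original article or from any Open Payments tooling: a pre-transmission gate that allowlists the fields a payment record may carry, rejects any column whose name signals patient-level data, and pattern-scans free-text fields for identifiers that commonly leak in (MRNs, study subject numbers, SSNs, dates of birth). The field names are loosely modeled on the public Open Payments CSV columns but are assumptions for this example, not the official schema, and the three sample records are constructed.

```python
"""
Pre-transmission gate for Open Payments-style payment records (added example).

Policy: a payment record may contain only financial and recipient fields.
Anything that looks like patient-level data blocks the export.
Field names are assumed for this example; they are not the official schema.
"""
import re

# Fields a payment record is allowed to carry (assumed names). Provider
# identifiers such as the physician's NPI and name are public in Open Payments
# and are not patient identifiers, so they pass.
ALLOWED_FIELDS = {
    "record_id",
    "covered_recipient_npi",
    "covered_recipient_name",
    "date_of_payment",
    "total_amount_usd",
    "nature_of_payment",
    "form_of_payment",
    "product_name",
    "contextual_information",
}

# Free-text fields worth pattern-scanning; structured fields are judged by name only.
FREE_TEXT_FIELDS = {"contextual_information", "product_name"}

# Tokens in a field name that indicate patient-level data regardless of value.
PHI_FIELD_TOKENS = ("patient", "mrn", "dob", "birth", "diagnosis", "subject", "ssn")

# Value patterns that indicate a patient identifier leaked into free text.
PHI_VALUE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[#:]?\s*\d{5,}\b", re.IGNORECASE),
    "subject_id": re.compile(r"\bsubject\s*(?:id|#|no\.?)?\s*\d+\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE),
}


def screen_payment_record(record):
    """Return a list of (field, reason) findings. An empty list means clean."""
    findings = []
    for field, value in record.items():
        name = field.lower()
        if field not in ALLOWED_FIELDS:
            # Unknown column: classify it so reviewers see whether it is merely
            # off-schema or an outright patient-data column.
            reason = "phi_field_name" if any(t in name for t in PHI_FIELD_TOKENS) else "unexpected_field"
            findings.append((field, reason))
            continue
        if field in FREE_TEXT_FIELDS and isinstance(value, str):
            for label, pattern in PHI_VALUE_PATTERNS.items():
                if pattern.search(value):
                    findings.append((field, f"phi_value:{label}"))
    return findings


def gate_export(records):
    """Split records into those safe to send and those that must be held back.

    Returns (clean_records, rejected) where rejected maps record_id to findings.
    """
    clean, rejected = [], {}
    for rec in records:
        findings = screen_payment_record(rec)
        if findings:
            rejected[rec.get("record_id", "<no id>")] = findings
        else:
            clean.append(rec)
    return clean, rejected


# Constructed sample records (placeholder NPI and names, not real data).
SAMPLE_RECORDS = [
    {   # ordinary consulting fee: financial and provider fields only
        "record_id": "PMT-0001",
        "covered_recipient_npi": "1234567893",
        "covered_recipient_name": "Dr. A. Example",
        "date_of_payment": "2023-03-14",
        "total_amount_usd": 1500.00,
        "nature_of_payment": "Consulting Fee",
        "form_of_payment": "Cash or cash equivalent",
        "contextual_information": "Advisory board, device labeling review",
    },
    {   # research payment whose free text drifted into chart-level detail
        "record_id": "PMT-0002",
        "covered_recipient_npi": "1234567893",
        "covered_recipient_name": "Dr. A. Example",
        "date_of_payment": "2023-04-30",
        "total_amount_usd": 4200.00,
        "nature_of_payment": "Research",
        "form_of_payment": "Cash or cash equivalent",
        "contextual_information": "Site payment for subject 0042 (MRN 7781234), visit 3",
    },
    {   # spreadsheet column that should never have been in this feed
        "record_id": "PMT-0003",
        "covered_recipient_npi": "1234567893",
        "covered_recipient_name": "Dr. A. Example",
        "date_of_payment": "2023-05-02",
        "total_amount_usd": 85.00,
        "nature_of_payment": "Food and Beverage",
        "form_of_payment": "In-kind items and services",
        "patient_dob": "1961-07-22",
    },
]

if __name__ == "__main__":
    cleared, held = gate_export(SAMPLE_RECORDS)
    print(f"{len(cleared)} record(s) cleared, {len(held)} held")
    for rid, found in held.items():
        print(rid, found)
```

Run against the samples, only PMT-0001 clears; PMT-0002 is held for an MRN and a subject number in its free text, and PMT-0003 is held because a patient date-of-birth column is present at all. The allowlist is the important control: a denylist of bad field names alone would have let an unanticipated column such as a diagnosis code through, whereas an unknown column here is rejected by default and a human has to explain it before the feed goes out.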

The OCR Enforcement Angle You Cannot Ignore

OCR has not issued a specific guidance document on Sunshine Act and HIPAA overlap. But that silence is not permission. OCR enforcement actions have consistently targeted organizations that disclosed PHI without a valid HIPAA authorization or applicable exception, regardless of what motivated the disclosure.

The Privacy Rule does permit disclosures "required by law" under 45 CFR §164.512(a), but only to the extent the law in question actually requires the PHI. The Sunshine Act requires manufacturers and GPOs to report financial transactions; it requires no patient information from anyone. A covered entity that hands patient-level data to a manufacturer "because of Sunshine Act reporting" therefore cannot rely on §164.512(a), and OCR has penalized covered entities that shared patient information with third parties on the strength of a separate obligation that, on inspection, required no PHI at all. The lesson is clear: a reporting requirement under one federal law does not create an automatic exception under the HIPAA Privacy Rule.

If a manufacturer requests patient-level data to support or verify a Sunshine Act payment report, your default answer must be no. Payment data is financial. Patient data is protected. These categories do not overlap in the reporting context.

The Workforce Training Requirement Most Organizations Underestimate

The 45 CFR §164.530(b) workforce training requirement applies to every member of your workforce who handles PHI — and that includes physicians who interact with manufacturers. Many organizations train clinical staff on HIPAA basics but fail to address the specific risk scenarios created by industry financial relationships.

Your physicians need to know that accepting a consulting fee from a manufacturer does not authorize sharing patient outcomes data with that manufacturer. Your research coordinators need to understand that verifying a payment amount for Open Payments reporting does not require transmitting any PHI.

Building this awareness starts with structured, role-specific training. HIPAA Certify's workforce compliance platform allows you to deliver targeted training that addresses these real-world scenarios rather than relying on generic annual presentations.

Keep the Sunshine Act and HIPAA in Separate Lanes

The Sunshine Act promotes financial transparency between manufacturers and physicians. HIPAA protects patient privacy. These are complementary goals — but they operate under entirely different rules, with different enforcement agencies and different penalties.

Your organization's compliance program must treat them as parallel obligations. Map the data flows for each. Train your workforce on both. And never allow one regulatory requirement to become the justification for violating another. That discipline is what separates organizations that manage compliance from those that become OCR enforcement statistics.