A surgeon in Ohio walks into her office one morning and discovers her name on a public database — listed alongside $47,000 in payments from a medical device company. She had no idea the information was being reported. Her patients can see it. Her colleagues can see it. And it's all perfectly legal.
That database exists because of the Physician Payments Sunshine Act. If you work in healthcare and you've ever wondered what the Sunshine Act is, this is the answer that matters: it's a federal transparency law that puts financial relationships between physicians and manufacturers on full public display.
And if you're a covered entity under HIPAA, the intersection between these two laws is something your compliance team needs to understand right now.
What Is the Sunshine Act, Exactly?
The Physician Payments Sunshine Act is Section 6002 of the Affordable Care Act, signed into law in 2010. It requires applicable manufacturers of drugs, devices, biologicals, and medical supplies to report certain payments and transfers of value made to physicians and teaching hospitals.
These reports go to CMS, which publishes the data annually through the Open Payments database. Anyone — patients, journalists, compliance officers — can search the database and see exactly which doctors received money, how much, and from whom.
The categories of reportable payments include consulting fees, speaker honoraria, meals, travel, research funding, royalties, and ownership interests. Even a $15 lunch at a medical conference can trigger a reporting obligation.
Who Has to Report?
The reporting burden falls on applicable manufacturers and group purchasing organizations (GPOs) — not the physicians themselves. But here's what catches people off guard: physicians and teaching hospitals are given a 45-day review period before data goes public. If your organization doesn't flag errors during that window, the data stands.
I've seen hospitals scramble to correct inaccurate Open Payments data after the review period closed. Once it's published, your options narrow dramatically.
The $2.2 Million Question: Why Should HIPAA Covered Entities Care?
On the surface, the Sunshine Act and HIPAA look like they occupy different lanes. The Sunshine Act covers financial transparency. HIPAA governs protected health information. But in practice, these two laws collide more often than most compliance officers realize.
Here's how.
Research Payments and PHI Overlap
When a manufacturer funds a clinical research project at a teaching hospital, that payment gets reported under the Sunshine Act. But the research itself involves patients — and their PHI. Your workforce needs to understand that the financial transparency required by the Sunshine Act doesn't create an exception to HIPAA's privacy protections.
I've consulted with organizations where research coordinators assumed that because a payment was publicly disclosed, the associated patient data was somehow less protected. That's wrong, and it's dangerous. A HIPAA breach doesn't care about your Sunshine Act filing.
Compliance Programs Need Both
OCR has consistently emphasized that HIPAA compliance requires a comprehensive approach. Your compliance program can't operate in silos. If your team manages Open Payments reporting but doesn't coordinate with your HIPAA privacy officer, you're creating gaps.
The HHS Office of Inspector General has made it clear that financial conflicts of interest in healthcare are an enforcement priority. Combine that with OCR's focus on organizational compliance culture, and you get a picture where Sunshine Act awareness and HIPAA workforce training belong in the same conversation.
Open Payments by the Numbers
The scale of the Open Payments program is staggering. According to CMS's Open Payments page, the program has published data on billions of dollars in payments since its launch. In recent reporting years, over 1,700 companies have reported payments to more than 600,000 physicians.
Those aren't abstract figures. Each data point represents a financial relationship that patients, regulators, and the media can scrutinize.
For covered entities, every one of those relationships is also a potential compliance touchpoint. Does the physician who received $200,000 in consulting fees from a device maker also have access to ePHI at your hospital? Does your conflict-of-interest policy address how financial relationships affect PHI access decisions?
If you haven't asked those questions, you're behind.
What Does the Sunshine Act Require? A Quick-Reference Breakdown
If someone searches for "what is the Sunshine Act," they usually want the essentials fast. Here they are:
- Who reports: Applicable manufacturers of covered drugs, devices, biologicals, and medical supplies, plus GPOs.
- Who's covered: Physicians (MDs, DOs, dentists, podiatrists, optometrists, chiropractors) and teaching hospitals.
- What's reported: Payments and transfers of value — meals, travel, consulting, speaking, research, royalties, ownership interests.
- Where it's published: The CMS Open Payments database, publicly searchable.
- When: Manufacturers report annually. CMS publishes data each June after a physician review and dispute period.
- Penalties: Manufacturers who fail to report can face civil monetary penalties up to $150,000 per payment, with an annual cap of $1 million — or $10,000 per knowing failure, capped at $100,000 annually for unknowing violations.
Those penalty ranges come directly from the statute, and CMS has the authority to enforce them.
The Training Gap That Gets Organizations in Trouble
Here's what I see over and over: organizations train their workforce on HIPAA in isolation. They train on compliance and ethics in isolation. And they train on financial reporting — if they train on it at all — in a completely separate silo.
The result? Staff members who don't connect the dots. A physician who doesn't realize their Open Payments data is public might make careless statements about industry-funded research — statements that inadvertently reference patient information. A billing coordinator who handles manufacturer invoices might not understand why those transactions require a different level of scrutiny.
Your HIPAA training should address the broader compliance ecosystem, including laws like the Sunshine Act that directly affect physician conduct and organizational transparency. Explore our HIPAA training catalog for courses that contextualize HIPAA within the larger regulatory landscape your workforce actually operates in.
OCR Enforcement and Organizational Culture
OCR doesn't just look at whether you had a policy on paper. They look at whether your organization built a culture of compliance. The agency's enforcement actions tell the story.
Take the $4.8 million settlement with New York-Presbyterian Hospital and Columbia University — one of the largest OCR settlements on record, driven in part by failures in organizational oversight. Or the $2.3 million penalty against Parkview Health for failing to protect PHI during a records transfer. These cases share a common thread: organizations that let compliance functions operate in silos. You can review OCR's full list of enforcement actions on the HHS resolution agreements page.
When OCR investigators walk through your door, they want to see that your HIPAA compliance program talks to your financial compliance program. They want to see that your workforce understands how different regulatory obligations connect. The Sunshine Act is one of those connections.
Practical Steps for Covered Entities in 2026
If you're a compliance officer, practice manager, or privacy officer at a covered entity, here's what I recommend:
- Audit physician relationships. Cross-reference your employed and affiliated physicians against the Open Payments database. Know what's public about your organization before someone else finds it.
- Update your conflict-of-interest policies. Make sure they address how financial relationships with manufacturers affect PHI access and research participation.
- Integrate your training. Don't train HIPAA in a vacuum. Your workforce training program should address the Sunshine Act, anti-kickback considerations, and how these laws interact with HIPAA's Privacy and Security Rules.
- Brief your physicians during the Open Payments review period. Make sure covered physicians actually review and dispute inaccurate data before CMS publishes it.
- Document everything. If OCR or OIG comes knocking, your paper trail is your best defense.
Transparency Isn't Optional Anymore
The Sunshine Act didn't just create a database. It created a permanent shift in how the public, regulators, and patients evaluate trust in healthcare. Your physicians' financial relationships are now public record. Your organization's ability to manage those relationships — alongside its HIPAA obligations — is a direct measure of your compliance maturity.
Understanding the Sunshine Act isn't just a regulatory checkbox. It's a strategic necessity for any covered entity that wants to stay ahead of enforcement trends and maintain patient trust in 2026.
The organizations that thrive are the ones that stop treating compliance as a series of isolated obligations and start treating it as one interconnected system. That's where real protection lives — for your patients, your workforce, and your organization.