HIPAA Compliance for Fertility Clinics and Reproductive Health Providers

Fertility clinics hold some of the most sensitive protected health information (PHI) in all of healthcare. A single IVF cycle can generate genetic test results, embryology lab records, donor identities, detailed reproductive and sexual histories, and information about more than one person at once. That combination of high sensitivity and multiple linked parties is what makes HIPAA compliance for reproductive health providers different from a typical specialty practice.

Why reproductive health records carry extra risk

Most clinical records describe one patient. A fertility record often describes several: intended parents, egg or sperm donors, and gestational carriers can all appear in the same chart. Donor anonymity preferences, embryo disposition decisions, and genetic screening results (PGT-A, carrier screening) all live in systems that must be tightly access-controlled, because an inappropriate disclosure can affect people who were never your patient.

The technology footprint is also wider than people expect. Beyond the EHR, a fertility program typically runs an embryology lab information system, cryostorage tank monitoring and electronic witnessing tools, genetic testing portals from reference labs, and patient-facing cycle-tracking apps. Every one of those connection points is a place where PHI can leak if it is not inventoried and secured. Reproductive health information has also drawn heightened legal and regulatory attention in recent years, and state laws frequently impose their own confidentiality requirements on top of HIPAA; when state law is more protective, you generally have to follow it.

Start with a Security Risk Analysis

The HIPAA Security Rule requires every covered entity to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic PHI — the Security Risk Analysis (SRA), at 45 CFR § 164.308(a)(1)(ii)(A). For a fertility clinic this means mapping where reproductive PHI actually lives: the EHR, the embryology lab system, cryo-monitoring platforms, donor databases, genetic-testing vendor portals, billing, and any cycle-tracking app you recommend. The SRA is where you catch the systems that get forgotten precisely because they sit outside the main EHR.

The proposed 2026 Security Rule update

In December 2024, the Office for Civil Rights published a Notice of Proposed Rulemaking (NPRM) that would significantly strengthen the Security Rule. It proposes making controls that are currently “addressable” — such as multi-factor authentication, encryption of ePHI, and a maintained asset inventory — effectively mandatory, along with more rigorous, regularly updated risk analysis. This rule is not final. If adopted as proposed, organizations would have roughly a 240-day compliance window after the final rule is published. Fertility programs should treat it as a strong signal of direction and inventory their systems now, but should not assume any provision is in force yet.

How Medcurity helps

Medcurity gives fertility clinics a guided, audit-ready Security Risk Analysis plus the policies, documentation, and tracking OCR expects to see. The platform walks your team through identifying every system that touches reproductive PHI, scoring risks, and building a remediation plan you can actually work through. Pricing starts at $499/year (about $42/month) for a single organization; larger fertility networks and multi-site groups can request a quote. Two good next steps are our HIPAA compliance checklist and our guide to HIPAA and genetic information.

Frequently asked questions

Is a fertility clinic a HIPAA covered entity?

Almost always. If your clinic provides health care and transmits any health information electronically in connection with a covered transaction — such as billing a health plan — you are a covered entity and the full HIPAA Privacy and Security Rules apply to you.

Are egg and sperm donors’ records protected by HIPAA?

Yes. Donor health information held by the clinic is PHI just like a patient’s. Because donor records and recipient records can be linked, access controls and “minimum necessary” limits are especially important to prevent one party’s information from being exposed to another.

Do our genetic testing and embryology lab vendors need a BAA?

If a vendor creates, receives, maintains, or transmits PHI on your behalf — reference genetic labs, cryostorage monitoring providers, and lab information system vendors typically do — you need a signed Business Associate Agreement before sharing PHI with them.

Does HIPAA or state law govern reproductive records?

Both can apply. HIPAA sets a federal floor, but many states have stricter confidentiality rules for reproductive and genetic information. Where state law is more protective of the patient, it generally controls, so fertility clinics need to comply with whichever standard is tighter.