OB/GYN Compliance: HIPAA + State Mandatory Reporting + Specialty Codes
8 min read · Last reviewed May 23, 2026
OB/GYN practices operate under HIPAA at 45 CFR Part 164, state mandatory-reporting statutes that vary significantly by state, ACOG-published standards-of-care that surveyors and plaintiff experts treat as authoritative, and CMS billing rules for the global obstetric package and the bundling of antepartum, delivery, and postpartum services. Compliance turns on chart segmentation for sensitive records, accurate global-package billing, and state-specific reporting workflows.
What the regulators actually require for OB/GYN
The federal baseline is HIPAA — Privacy Rule and Security Rule at 45 CFR Parts 160 and 164. What makes OB/GYN distinct is the interaction with state minor-consent laws. HIPAA defers to state law on whether a parent is the personal representative for a minor's protected health information under 45 CFR § 164.502(g)(3). State law often grants minors the right to consent to reproductive and sexual-health services without parental notification, which means the practice must segment those records in the EHR.
State mandatory-reporting requirements apply to OB/GYN providers in several distinct categories — child abuse, elder or dependent adult abuse, sexual assault, intimate partner violence (in mandatory-report states), specified communicable diseases, and in some states minors in pregnancy below specified thresholds. The penalty for non-reporting is personal to the provider — fines and possible license discipline — not just institutional. Every state's reporting statute is different.
The CMS global obstetric package is defined by CPT and reinforced in CMS NCCI Policy Manual. CPT codes 59400 (vaginal delivery global), 59510 (cesarean global), 59610 (VBAC global), 59618 (attempted VBAC with cesarean delivery) bundle routine antepartum care, delivery, and routine postpartum care. Misbilling the global components is one of the most common OB/GYN audit findings.
HRSA Title X regulations at 42 CFR Part 59 apply only to Title X grant recipients. They impose confidentiality, counseling, and adolescent-services requirements distinct from HIPAA. A practice that does not receive Title X funding is not directly subject to Title X, but ACOG and many state Medicaid programs cite Title X standards as best practice for family-planning documentation.
ACOG Committee Opinions and Practice Bulletins, while not legally binding, are treated by accreditation surveyors and plaintiff experts as the standard of care. Documentation that departs from a current ACOG opinion without a documented clinical rationale is a litigation exposure.
CMS BPCI Advanced (Bundled Payments for Care Improvement Advanced), which historically included a maternity bundle, concluded its performance period on December 31, 2025; participation is now a historical exposure for any look-back audit of services furnished during the program rather than an active operational obligation. Practices that participated should retain BPCI-A documentation and quality-measure records for the applicable post-program audit window.
The documents you must maintain
The OB/GYN compliance binder should hold:
- Notice of Privacy Practices including the state-specific provisions for sensitive services and confidential communications
- State-specific mandatory-reporting reference at every workstation, updated annually against the current state statute
- Minor-consent and chart-segmentation policy with the EHR configuration documented (sensitive note tagging, portal release rules)
- Confidential communications protocol for sensitive-service EOB redirection and patient-preferred-address requests
- Global obstetric package billing policy documenting which encounters are inside the global, which bill separately, and the chart-documentation standard that justifies separately billable services
- Antepartum visit log for every pregnant patient with the count of antepartum visits documented (necessary if the patient transfers care and partial antepartum billing applies)
- Informed consent forms for sterilization (sterilization consent under 42 CFR Part 50 Subpart B for any federally funded sterilization — including Medicaid), cesarean, VBAC, intrauterine procedures
- Mandatory-reporting log documenting every report made (without the patient PHI in the log, only the date and statute cited)
- IPV (intimate partner violence) screening documentation per ACOG Committee Opinion 829 — screening is recommended at annual exams and at first prenatal visit
- Quality measure submission records for MIPS-eligible practices, plus retained BPCI-A records for any practice that participated before the program's December 31, 2025 sunset
What OB/GYN practices most often miss is the federally funded sterilization consent form at 42 CFR § 50.205 — the form, the 30-day waiting period (with limited exceptions), and the specific timing requirements. Failure to follow the form is a denial of payment under Medicaid and a potential False Claims Act exposure.
How audits actually work in OB/GYN
Commercial payer audits of OB/GYN routinely target the global obstetric package — pulling charts to verify the antepartum visit count, confirming that separately billed services (ultrasounds, NSTs) had documented medical necessity beyond routine prenatal monitoring, and checking that postpartum care was documented and within the global window.
Medicaid audits add the sterilization-consent and family-planning documentation. Medicaid claims for sterilization without the properly executed federal sterilization consent form (Form HHS-687) are denied even after payment if found in post-payment review. The 30-day waiting period is rigid; documented exceptions are narrow.
State medical board investigations of OB/GYN providers typically begin with a patient complaint or a mandatory-reporting referral. State boards subpoena the chart and the practice's policies on the relevant area (e.g., minor confidentiality, IPV screening, controlled-substance prescribing for pelvic-pain management). The board's expert reviewer scores the documentation against the ACOG-defined standard of care for the specific clinical situation.
What OB/GYN practices most often miss is the chart-segmentation discipline. A minor's confidential reproductive-health visit needs to be tagged in the EHR so that the visit summary does not auto-release to the parent portal. Practices that allow auto-release breach state minor-consent statutes and HIPAA simultaneously.
Common gaps unique to OB/GYN
In OB/GYN audits we have responded to, the recurring gaps:
- Global obstetric package billed when the patient transferred care mid-pregnancy — the previous provider's antepartum visits are not in the global; itemized billing for the visits actually performed is required.
- Separately billed ultrasounds without documented medical necessity beyond routine pregnancy dating and anatomy survey — CPT 76817, 76801, 76805 each have specific indications; routine repeat ultrasound for reassurance without medical indication is not separately billable.
- NST (non-stress test) billed for routine surveillance without documented indication — CPT 59025 requires a documented medical indication (decreased fetal movement, hypertension, diabetes, post-dates).
- Sterilization consent form executed less than 30 days before the procedure without a documented qualifying exception (premature delivery, emergency abdominal surgery) — Medicaid claim is denied.
- Confidential communications request not honored — sensitive-service EOB sent to the policyholder triggers HIPAA complaint and state-statute complaint.
- IPV screening not documented — ACOG Committee Opinion 829 expects screening at annual exam and first prenatal visit; the absence of screening documentation is a plaintiff-expert finding.
- Mandatory report not made within statutory timeframe — most state statutes require immediate verbal report followed by written report within 36-48 hours.
- Sensitive notes released through patient portal to parent of consenting minor — EHR configuration error; root cause is missing chart-segmentation policy.
Maintenance cadence
- Daily: chart-segmentation verification for any minor-consent encounter; mandatory-reporting log entry for any report made
- Weekly: confidential communications request log review
- Monthly: global obstetric package billing reconciliation; sterilization consent form audit on any Medicaid sterilization claims
- Quarterly: chart sample audit (10-15 charts) for documentation-to-billing fit and ACOG standard-of-care adherence
- Annually: state mandatory-reporting reference refresh; ACOG Committee Opinion library refresh; HIPAA risk analysis; sterilization consent form retraining for clinical and billing staff
- On every staff onboard: state-specific mandatory-reporting training within 30 days; minor-consent and chart-segmentation training before independent patient care
State preemption: where state law adds materially
California — Family Code § 6925 grants minors the right to consent to pregnancy-related care without parental notification, with no statutory age minimum (other minor-consent provisions in the Family Code have age thresholds — § 6925 itself does not). Health and Safety Code § 1374.92 (Confidential Communications) requires payers to honor patient requests for confidential delivery of EOBs and related communications. Penal Code § 11166 governs child-abuse reporting with strict immediacy requirements. CMIA at Civil Code §§ 56-56.37 layers additional disclosure restrictions on PHI.
Texas — Family Code § 32.003 governs minor consent for limited services; the threshold is narrower than California's. Texas Family Code Chapter 261 mandates child-abuse reporting within 48 hours. HB 300 adds 15-business-day patient-access response. Texas additionally has a state-specific sterilization-consent form for Medicaid that must accompany the federal form.
New York — Public Health Law § 17 grants minors 18 and older access to their records; PHL § 2504 governs minor consent for emergency, reproductive, and certain mental-health services. New York Social Services Law § 413 governs child-abuse reporting. I-STOP applies to any controlled-substance prescribing for chronic pelvic pain or post-surgical analgesia.
Florida — Florida Statute § 743.065 governs minor consent for pregnancy-related services. F.S. § 39.201 governs child-abuse reporting (immediate hotline call required). FIPA at F.S. § 501.171 imposes 30-day breach notification. Florida additionally requires Medicaid sterilization consent on the Florida-specific form alongside the federal form.
How d3rx fits
The d3rx specialty compliance binder maintains the OB/GYN module: state mandatory-reporting reference, minor-consent and chart-segmentation policy, confidential communications workflow, global obstetric package billing policy, sterilization-consent tracker, IPV screening documentation tracker, and ACOG Committee Opinion library cross-reference. It is a source-grounded administrative documentation aid. It does not certify compliance, provide legal advice, or replace counsel. See compliance binder for the binder structure.
D3rx compliance guides are administrative documentation aids. They do not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — OB/GYN Compliance: HIPAA + State Mandatory Reporting + Specialty Codes. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Does a minor's confidentiality under state law override HIPAA parental access?
In several states yes, in several states no. California Family Code § 6925, Texas Family Code § 32.003, New York Public Health Law § 17 and § 2504, and Florida Statute § 743.065 each grant minors the right to consent to certain reproductive and sexual-health services. Where the minor consents under state law, HIPAA at 45 CFR 164.502(g)(3) defers to state law on who is the personal representative for that record. Practical effect: chart segmentation in the EHR with sensitive notes flagged so they are not released through the patient portal to the parent automatically.
What must be reported under state mandatory reporting for OB/GYN providers?
Suspected child abuse and elder/dependent-adult abuse under state-specific statutes; sexual assault under most state codes; certain communicable diseases under state public-health statutes (syphilis, gonorrhea, HIV in many states); pregnancy in a minor under specific state thresholds; and intimate partner violence in states with mandatory reporting (KY, RI). Penalties for failure-to-report attach to the provider personally, not the practice. Maintain a one-page state-specific mandatory-reporting reference at every workstation.
What is included in the global obstetric package and what bills separately?
Per CPT and CMS NCCI policy, the global obstetric package (CPT 59400 vaginal, 59510 cesarean, 59610 VBAC, 59618 attempted VBAC) includes routine antepartum care, delivery, and routine postpartum care. Separately billable: the initial pregnancy confirmation visit, lab tests, screening ultrasounds, non-stress tests, services for medical complications, and care from a different practice or provider group. Document the global package start and end dates in the chart to support what is and is not billed separately.
Does HRSA Title X apply if my practice is not a federally funded clinic?
Title X grant requirements at 42 CFR Part 59 apply to recipients of Title X family-planning funding. If your practice does not receive Title X funding, the federal Title X confidentiality and counseling rules do not apply. Your obligation is to your state's family-planning rules, the ACOG counseling standards, and the standard HIPAA framework. Practices that contract with a federally qualified health center on family-planning referrals should check whether the FQHC's Title X obligations flow through the contract.
Can I include a minor's reproductive health information on the explanation of benefits sent to the policyholder?
It depends on state and payer. California Health and Safety Code § 1374.92 (Confidential Communications) and similar laws in CO, OR, WA, MA, and NY permit a covered patient to request that EOBs and communications related to sensitive services be redirected to the patient's preferred address rather than the policyholder. The protected health services typically include reproductive health, mental health, and substance use. Implement a documented patient-request workflow at the front desk.
What ACOG Committee Opinions actually drive surveyor expectations?
ACOG Committee Opinions are not legally binding, but accreditation surveyors and plaintiff experts treat them as the standard of care. Key opinions for documentation: ACOG CO 803 on confidentiality of minors' reproductive health, ACOG CO 819 on informed consent in obstetric care, ACOG CO 829 on intimate partner violence screening, and Practice Bulletin 222 on gestational hypertension and preeclampsia management. Maintain a current ACOG library and document where practice protocols differ from ACOG guidance and why.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR Part 164https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
- 45 CFR Parts 160 and 164https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C
- 45 CFR § 164.502(g)(3)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502
- CMS NCCI Policy Manualhttps://www.cms.gov/Medicare/Coding/NationalCorrectCodInitEd/index.html
- 42 CFR Part 59https://www.ecfr.gov/current/title-42/chapter-I/subchapter-D/part-59
- 42 CFR Part 50 Subpart Bhttps://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-50/subpart-B
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- SRAHIPAA Risk Analysis for a Primary Care PracticeWhat a primary care practice owes under 45 CFR 164.308(a)(1)(ii)(A): ePHI scope, threats specific to family medicine and internal medicine workflows, and a Security Rule mapping that holds up to OCR's audit protocol.
- ComplianceThe Medicare 60-Day Overpayment Rule: How to Comply (and What Triggers Worse)The 60-day clock starts at identification. Miss it, and the overpayment becomes a False Claims Act violation. Here is the actual procedure.
- ComplianceOCR Investigation Letter: Your 30-Day Response PlaybookReceived an OCR HIPAA investigation letter? The first 30 days set the trajectory. Confirm the docket, freeze logs, route through counsel, and produce a tabbed response.
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- CompliancePsychiatry Compliance: Controlled Substances + 42 CFR Part 2 + TelepsychiatryDEA controlled-substance prescribing, 42 CFR Part 2 SUD confidentiality, the DEA/HHS fourth temporary telemedicine extension through December 31, 2026, and the documentation surveyors actually sample first.
- RegulationHIPAA Incidental Disclosures (45 CFR 164.502(a)(1)(iii))Incidental disclosures that occur as a by-product of an otherwise permitted use or disclosure are not violations, provided reasonable safeguards and minimum necessary policies are applied.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- Glossary60-Day Overpayment RuleACA requirement that Medicare and Medicaid overpayments be reported and returned within 60 days of identification.