Health Information Highlight
Welcome to a three-part series that will examine several ways to efficiently identify, address, and mitigate gaps in HIPAA compliance in transaction diligence.
A target’s value is often held in its information and people. An increased risk of HIPAA enforcement means that privacy and security diligence should not be a “check the box” activity. Buyers should fully understand the scope of potential risk in the early stages of transaction diligence, take steps to adequately mitigate any potential go-forward risk, and, most importantly, understand the cost of protecting the target’s greatest assets.
Beginning last year, we saw a substantial increase in the economic impact of HIPAA enforcement by the Department of Health and Human Services, Office for Civil Rights (OCR). Since then, several new cases have illuminated the need for increased scrutiny of HIPAA compliance during the transaction diligence process.
To better understand a seller’s overall HIPAA compliance, there are four key diligence questions upon which buyers should focus their efforts in a transaction:
(1) Does the seller have the core HIPAA documentation in place? At minimum, the buyer should look for:
- Privacy and Security Rule Policies and Procedures
- Breach Notification Policies and Procedures and Risk Assessments
- Security Audits and Incident Logs
- HIPAA Risk Analyses (for the last 2-3 years) and corresponding Management Plans
- Business Associate Agreements (BAAs) with Contractors/Customers
- As applicable, Notice of Privacy Practices
(2 ) Is the seller complying with its policies? The principal measure of the effectiveness of a HIPAA compliance program is whether the seller’s internal controls and compliance practices live up to the promise set out in the policies. To determine whether a seller is complying with its policies, a buyer should look to whether the seller is:
- sufficiently training employees and documenting this training;
- assessing and tracking security incidents;
- identifying and empowering compliance personnel;
- auditing and monitoring compliance on a periodic basis; and
- performing frequent security assessments regarding risk areas.
In some cases, a simple public news search may identify target’s incidents or reputational risks that may be meaningful to the buyer, even where a formal investigation or enforcement has not yet been triggered.
(3) How does the seller address potential HIPAA security and breach risk areas? A seller’s representation that “no HIPAA breaches have occurred” may tell the buyer much about what the seller is not doing to identify and take action on various security and privacy compliance risks. The buyer should review seller security risk analyses, breach assessments, and investigation logs to understand the seller’s historical liabilities and what the seller has treated as actionable risks. Buyer may also wish to understand how seller is assessing third party risks, including determining BAA compliance and determining whether and how third parties are accessing and using PHI.
(4) What is the nature of risk related to any identified gaps? A buyer should carefully consider the spectrum of liability to the parties related to risks identified in transaction diligence. Buyer should review the liabilities in the context of:
- the risk of governmental enforcement, including more restrictive state and international laws that may attach to the data;
- civil liability, including contractual breaches;
- ethical and organizational fines;
- criminal executive liability for profiting off or knowingly not reporting breaches; and
- related reputational harm to the parties related to an enforcement action or third party suit.