Health care organizations’ lack of compliance with the data privacy and security requirements of both state laws and the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security and Breach Notification Rules, and the resulting cyber security risk, could be a literal “deal breaker” for mergers and acquisitions. Buyers must prioritize thorough due diligence in investigating the data privacy and security practices of their targets, and sellers must be prepared to provide excellent documentation of their policies and practices to buyers so that the deal does not stall, or worse, because of concerns about potential state and federal regulatory enforcement actions.
Recent business deals in other industries have been affected by cyber attacks, causing a lowered purchase price or resulting in buyers acquiring big liabilities related to previous information breaches. In health care, buyers must also consider state privacy and security laws, and particularly the HIPAA Rules.
Generally, most health care organizations must ensure they are compliant with:
- The HIPAA Privacy Rule, which governs the permitted uses and disclosures of Protected Health Information (PHI) and individuals’ rights with respect to it.
- The HIPAA Security Rule, which specifies the physical, administrative and technical safeguards that must be put in place to protect the confidentiality, integrity, and availability of PHI.
- The HIPAA Breach Notification Rule, which requires that affected parties be notified when a breach of PHI has occurred.
Violations of HIPAA have serious consequences. These include civil penalties that range from $50,000 per violation up to $1.5 million per violation for violations that are not corrected, per calendar year. “Per violation” means that any particular investigation of a breach incident could result in $1.5 million in penalties for each year of a six-year statute of limitations, for each requirement of the Privacy, Security or Breach Notification Rules that may be implicated. Both the Department of Health and Human Services (HHS) and the State Attorneys General have jurisdiction to enforce civil penalties. HIPAA violations may also result in criminal penalties, including additional fines and up to 10 years in prison; the Department of Justice (DOJ) enforces the criminal provisions of HIPAA.
Too many potential buyers do not conduct the requisite HIPAA compliance due diligence and expose themselves both to HIPAA penalties and to general cybersecurity liability. At the same time, many sellers do not anticipate that buyers will inquire about HIPAA compliance and are unable to provide the key information necessary to complete the deal.
To avoid HIPAA liabilities and cybersecurity risk, due diligence should include a review of the following:
1. Copies of HIPAA Policies and Procedures for the previous six years:
- Updated policies and procedures regarding uses, disclosures, and safeguards to protect PHI
- Updated policies and procedures regarding individuals’ rights
- Updated policies and procedures regarding Business Associate Agreements and sample forms
- Designation of HIPAA Privacy Officer
- Notices of Privacy Practices
- HIPAA Authorization Forms
- Copies of required enterprise Risk Analyses and Risk Management Plans (these are distinct from security audits or gap analyses, for example). Roughly 80% of HHS’s settlement agreements and civil money penalties include violations of these requirements
- Updated policies and procedures regarding administrative, physical and technical controls
- Designation of HIPAA Security Officer
- Evidence of technical safeguards required by the HIPAA Security Rule, including encryption, malware protection, access and audit controls, device and media controls, and facility access controls
- Updated policies and procedures regarding investigating suspected or actual breach incidents and providing notice
- Updated policies and procedures regarding record retention and destruction
- Updated policies and procedures regarding training of employees
2. List of Business Associates and confirmation of existing BAAs
3. Documentation regarding any data security incidents or security breaches, and any open HHS investigations
4. List of complaints received related to HIPAA, and any open HHS investigations
5. Documentation of current cyber liability insurance
Buyers should consider that recurring HIPAA compliance issues found at health care organizations include failure to manage identified cybersecurity risk and insider threats, lack of encryption, lack of appropriate access controls, lack of mobile device controls, improper disposal of PHI, and insufficient data backup and contingency planning. Entities also fail to obtain requisite business associate agreements, conduct risk analyses, ensure information transmission security, conduct appropriate auditing, and patch their software. These failures, if investigated by HHS, State Attorneys General or the DOJ, would be a real eye opener for potential buyers, maybe even “deal breakers.”