HIPAA’s restrictions on the use or disclosure of protected health information (PHI) by a covered entity or business associate may be familiar to many in health care. Also familiar may be the exception that allows covered entities and business associates to use or disclose PHI for treatment, payment, or health care operations. What may be less familiar is that the sale, transfer, merger, or consolidation of a covered entity with another covered entity can qualify as health care operations under the right circumstances. While this exception provides a means for parties to a transaction to share pertinent information that contains PHI, it is important to stay within the parameters of the exception, or risk violating HIPAA. Read on for four key questions to ask before disclosing (or withholding) PHI in transaction due diligence.
1. Who are the parties? (PRE- and POST-closing)
HIPAA permits a covered entity to use or disclose PHI for due diligence related to a sale, transfer, merger, or consolidation, if the transaction is between two covered entities, or between the disclosing covered entity and an entity that will become a covered entity following the transaction.
Thus, it is important to consider who the parties are. While it will likely be clear that two large hospitals may share PHI in due diligence, it may be less clear if the parties are a long-term care provider and a private equity investor, since the investor may not be a covered entity either prior to or after the transaction closes. Also in a gray area might be a surgery center that is proposing to sell and is sharing information with several private equity bidders as it seeks a buyer; this could require additional consideration as the determination of whether the exception applies could vary from one bidder to the next. Each transaction scenario is unique and should be carefully considered before any PHI is disclosed.
2. Is the PHI necessary? (The Minimum Necessary Standard)
Once the parties are satisfied that they meet the first requirement, they must decide whether the information at issue is necessary for the transaction. Even though using or disclosing PHI pursuant to due diligence may be permitted, HIPAA’s Minimum Necessary standard still applies. The Minimum Necessary standard requires that, when using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit the PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
These efforts must include developing criteria designed to limit both the requests for and the disclosure of PHI to the information reasonably necessary to accomplish the purpose for which disclosure is sought. Requests and disclosures must be reviewed on an individual basis in accordance with these criteria.
In the context of transaction due diligence, consider whether the document can be redacted such that it no longer contains PHI, but is still responsive to the diligence request. For example, if a buyer is interested in understanding the seller’s claims distribution across different procedures, perhaps the information can be communicated without patient-identifying information. If so, the document should be redacted until all but the minimum necessary amount of PHI has been removed.
3. Who will see it? (Limit the Access)
An important component of the Minimum Necessary standard—and thus the transaction diligence exception—is identifying the person(s) involved who need PHI access and what type of PHI they need access to, and then making reasonable efforts to limit the access to those individuals.
In the context of transaction due diligence, parties should give thought to who on each side actually needs access to the PHI being disclosed. Consider whether posting to the general data room is appropriate, or whether a more limited-access method of sharing should be established. Remember that these access controls should also be developed for the internal team within the disclosing covered entity.
4. Are you my business associate? (Getting the Appropriate Agreements in Place)
The transaction diligence exception on its face addresses sharing of information between covered entities (or a soon-to-be covered entity), which necessarily means sharing among members of the entities’ workforces. However, transactions are infrequently conducted in a vacuum involving only internal players. Instead, third-party advisors and vendors—for example, attorneys, investment bankers, accountants, lenders, brokers, data room providers—are often involved in the process. Whenever third parties become involved—and especially if there is a chance that they may have access to PHI—it is imperative to consider whether a Business Associate Agreement (“BAA”) is required. At times in the context of the transaction, it may be useful and appropriate for one (or all) of these third parties to have access to documents that contain PHI. If so, a BAA should be signed prior to sharing any PHI. Standard transaction confidentiality agreements are not adequate for this purpose.
In the context of health care transactions, pertinent diligence information may contain PHI—for example, documentation of a breach response, overview of claims information, compliance reports. While HIPAA starts with a baseline prohibition on the use or disclosure of PHI by covered entities and business associates, there are exceptions. One such exception permits the disclosure of PHI in transaction due diligence (within certain limits and under certain restrictions). Thus, while covered entities should be careful and deliberate in the information they disclose in the course of due diligence, they need not feel unduly confined. With careful analysis and the implementation of appropriate safeguards and procedures, relevant PHI can be shared in furtherance of the transaction.