Corporate Insights: Disclosing PHI Upon the Sale of a Medical Practice
The Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, “HIPAA”), states that, absent patient authorization, a patient’s Protected Health Information (“PHI”) may not be disclosed to another Covered Entity (as defined by HIPAA) that has no direct or indirect treatment relationship with the patient. However, an exception exists: patient authorization is not required in certain instances for treatment, payment, or health care operations. Specifically, HIPAA allows disclosure for:
[b]usiness management and general administrative activities of the entity, including, but not limited to, … (iv) the sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity (emphasis added).
The U.S. Department of Health and Human Services (“HHS”), which oversees HIPAA, expressly stated that health care operations include PHI shared during due diligence along with the physical transferring of such information upon the conclusion of the transaction. In particular, HHS stated:
Under the final definition of “health care operation,” a covered entity may use or disclose protected health information in connection with a sale or transfer of assets to, or a consolidation or merger with, an entity that is or will be a covered entity upon completion of the transaction; and to conduct due diligence in connection with such transaction. The modification makes clear it is also a health care operation to transfer records containing protected health information as part of the transaction. (emphasis added).
As noted in the emphasized text, HHS limits the definition to the sharing or transferring of PHI to an entity that is or will be a Covered Entity upon completion of the transaction. The new owner may then use that PHI because it continues to be protected under HIPAA as it was prior to the transfer.
At present, there is little guidance on whether such disclosure fits within the definition of Health Care Operations if the transaction is not consummated, or if the receiving party is not a Covered Entity and will not be one at the conclusion of the transaction.
HIPAA Covered Entities should consider the following to mitigate risk in the sale of a medical practice.
1. Prior to due diligence, the parties should negotiate what information will be needed, in what format it is needed, what components of the information may be redacted, and which parties and advisors will have access to the information. The parties should then reduce this understanding to writing in the letter of intent so that it incorporates the parties’ respective rights and obligations under HIPAA. An example would be:
In accordance with the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, “HIPAA”), any Protected Health Information (“PHI”) that is shared with [entity name] under the health care operations exemption to HIPAA shall be limited to individuals with a need to know; such records shall be secured in a file or practice management system that restricts access and otherwise complies with the HIPAA security standards.
2. The parties should include within the confidentiality agreement how the information will be handled in the event the transaction is not consummated so as to ensure prompt return and/or destruction of the information, and the maintenance (without use) of any information that cannot be returned or destroyed. An example would be:
In the event the contemplated transaction is not consummated on or before [date] then [entity name] shall return or destroy such records in accordance with HIPAA.
3. Early in the due diligence process, the parties should determine if PHI to be disclosed includes substance use disorder (“SUD”) treatment records subject to the strict requirements of the federal Substance Abuse and Mental Health Services Administration (“SAMHSA”). The SAMHSA regulations impose stricter privacy requirements than HIPAA, so the parties to the transaction may want to consider whether such records need to be disclosed, or whether due diligence can proceed with the use of aggregated SUD treatment records.
4. Ascertain if there are any state confidentiality or privacy laws that may restrict or otherwise limit disclosure.