Common HIPAA Pitfalls in Health Care Mergers and Acquisitions (and How to Identify Them)

Managing all the moving parts in a health care merger or acquisition is challenging in any transaction. For a small health care provider that does not have multiple attorneys at its beck and call, it can seem downright impossible. In the chaos of a massive exchange of due diligence materials, it is easy to overlook the additional agreements that must be executed and frameworks that must be established to ensure that the deal complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Imagine the following scenario: you are a physician running a solo practice with the help of two employees. You accepted an offer from a large group practice to buy out your practice, and it is time to move forward with the deal. In the course of due diligence, the buyer’s counsel asks you to transmit your patients’ records so you can integrate them into the buyer’s electronic medical records (EMR) system. Even though the buyer is also a covered entity, the issue of whether – and when – you can disclose the records is not black and white.

Prior to the closing, the parties should have in place a detailed framework that:

  • Specifies when and how the seller will transmit its medical records to the buyer;
  • Sets forth the steps each party must take to ensure that the transmission complies with HIPAA regulations and applicable state laws regarding medical records privacy;
  • Identifies the persons(s) responsible for integrating the two medical records systems; and
  • Includes a back-up plan in the event that the integration results in the loss or destruction of any of the seller’s data.

If possible, the framework should be a single document, or perhaps simply a chart, depending on the size and scope of the transaction. The framework is an essential item on the closing checklist in any health care merger or acquisition and should be exchanged in the course of due diligence, prior to closing.

In addition to complying with the requirements under HIPAA, the transaction may be subject to one or more state laws regarding medical records privacy. For example, Virginia law prohibits the transfer of medical records “in conjunction with the closure, sale or relocation of a professional practice until [the health care provider effectuating the transfer] has first attempted to notify the patient of the pending transfer, by mail, at the patient’s last known address, and by publishing prior notice in a newspaper of general circulation within the provider’s practice area, as specified in § 8.01-324.”[1] Other states may have similar notification requirements. Because failure to comply with state law requirements could subject the parties to liability, it is imperative that the parties review the applicable state laws when creating their framework to ensure that the transaction is compliant.

Once the framework has been established, the simplest way for the parties to hammer out these issues is by entering into a business associate agreement (BAA). The Department of Health and Human Services defines a business associate as a person or entity that performs certain functions involving the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity.[2] Business associates can use and disclose PHI in accordance with the terms of their BAA.[3] Therefore, the BAA should expressly authorize the target practice to disclose its patients’ PHI to representatives of the acquiring practice for purposes of implementing the framework or as otherwise necessary in connection with the merger. Once both parties have executed the BAA, the process of transferring PHI can begin. The parties should consider incorporating the BAA into their ultimate purchase or merger agreement.

Depending on the size and scope of the transaction, the parties may be able to effectuate a HIPAA-compliant merger and successfully integrate their EMR systems with nothing more than a BAA. However, more complex transactions may necessitate additional, post-closing agreements. For example, if the buyer is purchasing only part of the target company, or if the buyer and seller do not intend to fully integrate their practices, the parties should consider executing an affiliated covered entity (ACE) agreement after the closing. To enter into an ACE Agreement, the parties must be under common ownership or control.[4] This means that the buyer either: owns at least five percent of the seller’s practice [5] or has the power to influence or control the seller’s actions and policies.[6] Thus, unlike a BAA, the ACE Agreement is not available prior to closing. The ACE Agreement is appropriate in situations where the buyer and seller can quickly streamline their operations and reach the point where they operate as a single entity. In larger transactions, that process takes more time and cannot realistically be done simultaneously with the closing.

Once the ACE Agreement is in place, the two health care practices can share PHI without violating the provisions of HIPAA.[7] The ACE Agreement allows the two practices to perform their various HIPAA obligations together under the auspices of the buyer. This means, among other things, that the practices can have one privacy officer instead of two. They can send out joint Notices of Privacy Practices. They can enter into future BAAs together, as a single unit, which may be important in the event of future mergers or acquisitions. They can adopt one set of health care privacy policies and procedures instead of two.

However, parties to an ACE Agreement are jointly and severally liable for each other’s HIPAA violations.[8] It is imperative that counsel keep that in mind when drafting the indemnification and limitation of liability provisions in an ACE Agreement. Further, before entering into an ACE Agreement, both parties need to assess their tolerance for risk. Each party to the transaction needs to perform appropriate due diligence that includes not only a thorough risk assessment of the other company, but also an evaluation of that company’s appetite for risk.

[1]See Va. Code Ann., § 54.1-2405A.

[2]See Dep’t of Health & Human Servs., Business Associates (Jul. 26, 2013),

[3] See 45 C.F.R. § 164.502(a)(3).

[4] See 45 C.F.R. § 160.105(b)(2)(i).

[5] See 45 C.F.R. § 160.103.

[6] See 45 C.F.R. § 160.103.

[7] See 45 C.F.R. § 164.105(b)(2)(ii).

[8] See 45 C.F.R. § 160.402(b)(2).