September 01, 2017

HIPAA Framework Considerations in a Merger or Acquisition: A Practical Guide

Amy Papsun, Quartz Health Solutions, Inc., Sauk City, WI

Although the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[1] may not be at the top of mind during a merger or acquisition, privacy and security counsel in a healthcare transaction is essential to ensuring that the business meets its goals and stays compliant with HIPAA regulatory obligations. This article outlines items to consider during the mergers and acquisitions (M&A) process to ensure that protected health information (PHI) is safeguarded. Whether the transaction is among multiple covered entities (e.g. a provider system with clinics, hospitals, and a health plan), or a mix of covered entities, hybrid entities, and non-covered entities, careful consideration needs to be taken before choosing a framework to remain compliant with HIPAA. The following sections address pre-close and due diligence considerations, compare three approaches to crafting a framework, and evaluate positives and negatives of each one.


During pre-close, attorneys should gather privacy-related background information. First, they can create a list of key materials to exchange during due diligence. This list can supplement or partially replace a list created by M&A counsel. Attorneys can use the items on the list to better understand organizational structure, HIPAA privacy and security program sophistication, and related risk. M&A counsel will likely have current joint ventures, high-dollar administrative services contracts, and corporate organizational structure topics on the due diligence list. Attorneys working on HIPAA matters should review such documents to inform the wider picture of the organizational structure and business goals. If the current compliance program is not already on the due diligence list, attorneys should request information about it, with detail on HIPAA compliance, as this helps evaluate program sophistication and related risk. The information gathered in due diligence should include privacy and security policies and procedures, reports of non-compliance, reports to the Department of Health and Human Services and states of improper data access or release, any in-force corrective action plans, and compliance committee and sub-committee information. Attorneys must request information on current and pending litigation and results from ongoing and recently concluded audits to further flesh out the risk assessment. The two-way exchange of information allows both sides to better craft a post-close framework.

The organization’s post-close goals and expectations, including timelines, drive the HIPAA framework. Assume a key reason for an acquisition is operational efficiency gains leading to lower administrative costs reflected six months post-close and beyond. With that goal in mind, an attorney can support the organization by focusing on HIPAA structures that allow for data sharing and consolidated privacy program administration as soon as possible. Healthcare transactions commonly bring former competitors together as part of the same corporate family. Realistic expectations regarding timelines and potential cultural barriers to success can mean that an attorney should craft a tiered approach to implementing a HIPAA framework. For example, a group of former competitors shifting to a single instance of an electronic health record will not successfully happen overnight. A tiered approach of business associate agreements (BAAs) first, followed by an Affiliated Covered Entity (ACE) agreement, can allow for prolonged integration, an essential base for future organizational success.

Equipped with background information, organizational goals, expectations and timelines, the attorney should use the rest of the pre-close period to gather key internal information that was not exchanged during due diligence. Federal and state antitrust laws and regulations generally prohibit detailed discussions with current competitors involving competitively sensitive items. There is no prohibition on gathering and readying such information for exchange prior to the close of the transaction, when parties can freely exchange information. Attorneys should gather and evaluate template contracts (e.g. BAAs, Trading Partner agreements), and key executed HIPAA structure agreements (e.g. any Organized Health Care Arrangement (OHCA) agreements, ACE agreements), as those can change upon close depending on deal structure. A merger, for example, can necessitate a wide scale re-contracting effort depending on template contract language and the new organizational structure. Contract evaluation should focus on change of control and related notice requirements. Note that certain contracts, particularly government contracts, contain pre-change in control notice clauses. Depending on the role an attorney serves, the attorney may also want to ready an organizational chart that outlines HIPAA subject matter experts and workflows so staff know who to work with the first day post-close.

It is recommended to defer analysis of the post-close corporate structure and the privacy framework options it permits until it is clear that the structure is solidified. Commonly, due to federal and state regulatory approvals or simply sticking points during negotiation, such structure will not be finalized until closer to the target closing date. Attorneys working mainly on HIPAA matters may not be frequently updated on the various iterations of the proposed transaction. The final structure supplies the last piece of information needed to evaluate the best HIPAA framework choice for the entities.

Evaluating Framework Options

Organized Health Care Arrangement: Shared Healthcare Operations, Multiple Covered Entities

An OHCA is a strong choice for organizations with multiple types of covered entities that want to share PHI for operational reasons but not jointly perform other HIPAA-required functions. OHCAs can take many forms, including arrangements with multiple types of covered entities performing different services:

  • A clinically integrated care setting in which individuals typically receive healthcare from more than one healthcare provider
  • An organized system of healthcare in which more than one covered entity participates and in which the participating covered entities:
      • Hold themselves out to the public as participating in a joint arrangement; and,
      • Participate in joint activities that include at least one of the following:
          • Utilization review, where healthcare decisions by participating covered entities are reviewed by other participating covered entities or a third party on their behalf
          • Quality assessment and improvement activities, where treatment provided by participating covered entities is assessed by other participating covered entities or a third party on their behalf
          • Payment activities, if financial risk is shared in whole or in part by covered entities through the joint arrangement and if PHI is reviewed by other participating covered entities or a third party on their behalf
  • A group health plan and an insurance issuer or HMO (for PHI created or received by the issuer or HMO related to individuals who are/have been participants/beneficiaries under the plan)
  • A group health plan and one or more group health plans maintained by the same plan sponsor
  • One or more group health plans maintained by the same plan sponsor and health insurance issuers or HMOs with respect to such group health plans (for PHI created or received by the issuers or HMOs related to individuals who are/have been participants/beneficiaries under the plans).[2]

An OHCA allows participating covered entities to share PHI for any healthcare operations activities of the OHCA.[3] The broad regulatory definition of “healthcare operations” means that OHCA-participating entities can share PHI for a wide range of purposes.[4] These include but are not limited to business management of the entity, quality assessment and improvement activities, and training and credentialing. HIPAA covered entities are required to issue a Notice of Privacy Practices (NPP) to provide patients a clear explanation of privacy practices and rights related to PHI. Covered entities participating in an OHCA can issue a joint NPP, but are not required to.[5] There are no control or ownership requirements associated with an OHCA. There is no regulatory joint assumption of risk or liability when entering into an OHCA. Parties to the OHCA are not required to enter into BAAs with each other when providing certain services for or on behalf of the OHCA.[6]

An attorney should first evaluate whether the organizations seeking to share PHI fit into at least one of the permitted OHCA forms. It’s possible that OHCA requirements will be met in the future – after a marketing campaign, or shift in staff – but are not at the current time. The attorney should also determine whether the definition of “healthcare operations” is sufficiently broad to encompass the desired data sharing. An OHCA won’t be sufficient for organizations interested in sharing data for other purposes. However, an OHCA can serve as a goal to meet; an organizational “win” once operations are sufficiently integrated.

The OHCA is an attractive choice for entities that are not under common ownership or control but still participate in joint healthcare operations. The OHCA allows for free transmission of PHI for any healthcare operations, even if the parties to the OHCA are different types of covered entities. An OHCA can eliminate administrative overhead by eliminating the need for parties to enter into BAAs with each other. Overhead is also cut if OHCA parties choose to issue a joint NPP and/or implement a streamlined authorization process with joint authorizations. OHCA parties can name one privacy officer and related contact information in the NPP, and can integrate staff response and related policies and procedures. Liability for violations should be addressed in the OHCA. HIPAA regulations do not address OHCA liability.

Affiliated Covered Entity Agreement: Common Ownership/Control, Streamlined Operations – “We are One”

An ACE is a good choice for HIPAA covered entities under common ownership or control that want to operationalize as one covered entity. Legally distinct covered entities that are affiliated may designate themselves as a single covered entity through an ACE.[7] Here, “affiliated” means that the covered entities are under common ownership or control.[8] Common ownership exists when an entity possesses an ownership or equity interest in another entity of five percent or more.[9] Common control exists if an entity has the power, directly or indirectly, to significantly influence or direct the actions or policies of another entity.[10]

ACE parties that are the same type of covered entity (i.e. are all health plans, or are all health care providers) can freely share PHI for any purpose. Note that ACE parties that are not the same type of covered entity do not have the same latitude.[11] They are restricted to sharing PHI among different types of covered entity only when an individual receives services from both.[12] ACE parties can also jointly perform all HIPAA regulatory requirements, including adopting one set of policies and procedures, one privacy officer, one NPP and one authorization; jointly entering into BAAs; and conducting a common training program.

ACE parties are, by regulation, jointly and severally liable for civil monetary penalties for violations related to acts or omissions of the ACE.[13] HIPAA provides an exception if it is established that another party to the ACE was responsible for the violation.[14] Executives should provide input on risk appetite and limitation of HIPAA liability across ACE parties. Attorneys can craft liability and indemnification provisions accordingly. Note that the Office for Civil Rights of the Department of Health and Human Services (OCR) will name and incorporate ACE parties in settlements. In 2013 OCR settled with WellPoint, Inc., and named 44 other covered entities party to the ACE in the settlement.[15]

Attorneys must evaluate whether the ACE parties share common ownership or control. The low common ownership threshold and broad definition of common control make this a low bar. Attorneys should also evaluate the types of covered entities that want to share PHI under the ACE. An ACE is not a good choice for multiple types of covered entities that want to share PHI outside of an individual’s service encounters. The largest issue is whether ACE parties are ready from an organizational integration perspective to act as one. Organizations can gain greater efficiencies by streamlining operations per the ACE, with one privacy officer, one NPP and related authorizations, one template BAA, one concerted BAA contracting effort, etc. An ACE Agreement may more realistically be a goal for 12-18 months post-close. Organizations, especially former competitors, may need additional time to agree upon staffing, language in the NPP and notices, and the approach to contracting and BAAs.

Business Associate Agreement: Interim Solution for Covered Entities, Long-Term Solution for Others

A BAA can serve as an interim solution for covered entities not yet ready for an ACE or OHCA, and a longer-term solution for contracting with non-covered entities in the corporate family. It’s possible that transaction timing necessitates a data sharing solution that doesn’t involve wider discussions of risk or aligning operations. There is also no joint ownership or control requirement for establishing a Business Associate (BA) relationship. Instead, a BA is a person/entity who, on behalf of a covered entity or OHCA, creates, receives, maintains or transmits PHI for a function or activity regulated by HIPAA. The definition of BA also includes a person/entity who uses PHI when providing certain services to or for a covered entity or OHCA (e.g. legal, actuarial, or consulting services). When a BA relationship exists, the covered entity and BA must enter into a BAA.[16]

BAs can use or disclose PHI as permitted or required by the BAA with the covered entity.[17] While many details of the post-close world may not be known, it’s likely that key operations and services agreements are memorialized at or shortly after close. An attorney can tie a BAA back to such an agreement through the purpose statement, and include the BAA itself in closing documents. A covered entity is liable, in accordance with the federal common law of agency, for a civil monetary penalty for a violation based on the act or omission of any agent of the covered entity, including a BA, acting within the scope of the agency.[18] The existence of other agreements and wider corporate goals can guide any HIPAA liability discussions and BAA terms.

Attorneys should evaluate whether the relationships between entities meet the BA definition requirements. If so, attorneys can then determine how best to use BAAs to meet organizational goals on a tiered basis. It’s likely that in the first 30 days post-close, entities will start integrating operations by sharing some PHI. A BAA linked to an underlying service agreement can be the basis for PHI sharing in the more immediate post-close period. Attorneys can then work with business teams to transition BAAs to other agreement options, as outlined above. Attorneys should also evaluate how BAAs can link non-covered entities in corporate families to the covered entities. For example, ACE parties can jointly enter into a BAA with a non-covered entity in the corporate family that provides administrative services, such as claims processing.


Through prior planning and evaluation, privacy and security attorneys can ensure HIPAA compliance post-merger, acquisition or transaction. HIPAA provides a range of options to meet the business’s goals and timelines. 

  1.  45 C.F.R. Parts 160, 162, 164.
  2.  45 C.F.R. § 160.103.
  3.  45 C.F.R. § 164.506(c)(5).
  4.  45 C.F.R. § 164.501.
  5.  45 C.F.R. § 164.520(d).
  6.  45 C.F.R. § 160.103.
  7.  45 C.F.R. § 164.105(b)(1); 45 C.F.R. § 164.105(c)(1).
  8.  45 C.F.R. § 160.105(b)(2)(i).
  9.  45 C.F.R. § 160.103.
  10.  Id.
  11.  45 C.F.R. § 164.105(b)(2)(ii).
  12.  45 C.F.R. § 164.504(g).
  13.  45 C.F.R. § 160.402(b)(2).
  14.  Id.
  15.  United States Department of Health and Human Services, Resolution Agreement (July 8, 2013) (accessed August 12, 2017).
  16.  45 C.F.R. § 164.504(e).
  17.  45 C.F.R. § 164.502(a)(3).
  18.  45 C.F.R. § 160.402(c)(1).

Amy Papsun

Quartz Health Solutions, Inc.

Amy Papsun is an Attorney at Quartz Health Solutions, Inc. At Quartz, Papsun works on a wide range of matters, including advising on branding and intellectual property strategy, regulatory compliance, and legislative affairs. Papsun earned a Juris Doctor degree from the University of Wisconsin Law School in Madison, Wisconsin, a Master of Public Health degree from the University of Wisconsin School of Medicine and Public Health in Madison, Wisconsin, and a Bachelor of Arts in International Studies, with honors, from American University in Washington, DC. Papsun is Certified in Healthcare Compliance (CHC) through the Health Care Compliance Association. She can be reached at [email protected]