Although the Health Insurance Portability and Accountability Act of 1996 (HIPAA) may not be top of mind during a merger or acquisition, privacy and security counsel in a healthcare transaction is essential to ensuring that the business meets its goals and stays compliant with its HIPAA regulatory obligations. This article outlines items to consider during the mergers and acquisitions (M&A) process to ensure that protected health information (PHI) is safeguarded. Whether the transaction is among multiple covered entities (e.g. a provider system with clinics, hospitals, and a health plan), or a mix of covered entities, hybrid entities, and non-covered entities, careful consideration is required before choosing a framework to remain compliant with HIPAA. The following sections address pre-close and due diligence considerations, compare three approaches to crafting a framework, and evaluate the positives and negatives of each one.
Pre-Close
During pre-close, attorneys should gather privacy-related background information. First, they can create a list of key materials to exchange during due diligence. This list can supplement or partially replace a list created by M&A counsel. Attorneys can use the items on the list to better understand organizational structure, HIPAA privacy and security program sophistication, and related risk. M&A counsel will likely have current joint ventures, high-dollar administrative services contracts, and corporate organizational structure topics on the due diligence list. Attorneys working on HIPAA matters should review such documents to inform the wider picture of the organizational structure and business goals. If the current compliance program is not already on the due diligence list, attorneys should request information about it, with detail on HIPAA compliance, as this helps evaluate program sophistication and related risk. The information gathered in due diligence should include privacy and security policies and procedures, reports of non-compliance, reports of improper data access or release made to the Department of Health and Human Services and to state agencies, any in-force corrective action plans, and compliance committee and sub-committee information. Attorneys must request information on current and pending litigation and results from ongoing and recently concluded audits to further flesh out the risk assessment. The two-way exchange of information allows both sides to better craft a post-close framework.
The organization’s post-close goals and expectations, including timelines, drive the HIPAA framework. Assume a key reason for an acquisition is operational efficiency gains leading to lower administrative costs, reflected six months post-close and beyond. With that goal in mind, an attorney can support the organization by focusing on HIPAA structures that allow for data sharing and consolidated privacy program administration as soon as possible. Healthcare transactions commonly bring former competitors together as part of the same corporate family. Realistic expectations regarding timelines and potential cultural barriers to success can mean that an attorney should craft a tiered approach to implementing a HIPAA framework. For example, a group of former competitors shifting to a single instance of an electronic health record will not successfully happen overnight. A tiered approach of business associate agreements (BAAs) first, followed by an Affiliated Covered Entity (ACE) agreement, can allow for prolonged integration, an essential base for future organizational success.
Equipped with background information, organizational goals, expectations and timelines, the attorney should use the rest of the pre-close period to gather key internal information that was not exchanged during due diligence. Federal and state antitrust laws and regulations generally prohibit detailed discussions with current competitors involving competitively sensitive items. There is no prohibition on gathering and readying such information for exchange prior to the close of the transaction, after which the parties can freely exchange information. Attorneys should gather and evaluate template contracts (e.g. BAAs, Trading Partner agreements) and key executed HIPAA structure agreements (e.g. any Organized Health Care Arrangement (OHCA) agreements, ACE agreements), as those can change upon close depending on deal structure. A merger, for example, can necessitate a wide-scale re-contracting effort depending on template contract language and the new organizational structure. Contract evaluation should focus on change-of-control and related notice requirements. Note that certain contracts, particularly government contracts, contain pre-change-in-control notice clauses. Depending on the role an attorney serves, the attorney may also want to ready an organizational chart that outlines HIPAA subject matter experts and workflows so staff know who to work with on the first day post-close.
It is recommended to refrain from post-close corporate structure analysis and potential privacy framework options until it’s clear that the structure is solidified. Commonly, due to federal and state regulatory approvals or simply sticking points during negotiation, such structure will not be finalized until closer to the target closing date. Attorneys working mainly on HIPAA matters may not be frequently updated on the various iterations of the proposed transaction. The final structure provides the final information needed to evaluate the best HIPAA framework choice for the entities.
Evaluating Framework Options
Organized Health Care Arrangement: Shared Healthcare Operations, Multiple Covered Entities
An OHCA is a strong choice for organizations with multiple types of covered entities that want to share PHI for operational reasons but not jointly perform other HIPAA-required functions. OHCAs can take many forms, including arrangements with multiple types of covered entities performing different services:
- A clinically integrated care setting in which individuals typically receive healthcare from more than one healthcare provider
- An organized system of healthcare in which more than one covered entity participates and in which the participating covered entities:
  - Hold themselves out to the public as participating in a joint arrangement; and,
  - Participate in joint activities that include at least one of the following:
    - Utilization review, where healthcare decisions by participating covered entities are reviewed by other participating covered entities or a third party on their behalf
    - Quality assessment and improvement activities, where treatment provided by participating covered entities is assessed by other participating covered entities or a third party on their behalf
    - Payment activities, if financial risk is shared in whole or in part by covered entities through the joint arrangement and if PHI is reviewed by other participating covered entities or a third party on their behalf
- A group health plan and an insurance issuer or HMO (for PHI created or received by the issuer or HMO related to individuals who are or have been participants or beneficiaries under the plan)
- A group health plan and one or more group health plans maintained by the same plan sponsor
- One or more group health plans maintained by the same plan sponsor and health insurance issuers or HMOs with respect to such group health plans (for PHI created or received by the issuers or HMOs related to individuals who are or have been participants or beneficiaries under the plans)
An OHCA allows participating covered entities to share PHI for any healthcare operations activities of the OHCA. The broad regulatory definition of “healthcare operations” means that OHCA-participating entities can share PHI for a wide range of purposes. These include, but are not limited to, business management of the entity, quality assessment and improvement activities, and training and credentialing. HIPAA covered entities are required to issue a Notice of Privacy Practices (NPP) that gives patients a clear explanation of privacy practices and rights related to PHI. Covered entities participating in an OHCA may issue a joint NPP, but are not required to. There are no control or ownership requirements associated with an OHCA. There is no regulatory joint assumption of risk or liability when entering into an OHCA. Parties to the OHCA are not required to enter into BAAs with each other when providing certain services for or on behalf of the OHCA.
An attorney should first evaluate whether the organizations seeking to share PHI fit into at least one of the permitted OHCA forms. It’s possible that OHCA requirements will be met in the future – after a marketing campaign, or a shift in staff – but are not met at the current time. The attorney should also determine whether the definition of “healthcare operations” is sufficiently broad to encompass the desired data sharing. An OHCA won’t be sufficient for organizations interested in sharing data for other purposes. However, an OHCA can serve as a goal to meet: an organizational “win” once operations are sufficiently integrated.
The OHCA is an attractive choice for entities that are not under common ownership or control but still participate in joint healthcare operations. The OHCA allows for free transmission of PHI for any healthcare operations, even if the parties to the OHCA are different types of covered entities. An OHCA can eliminate administrative overhead by eliminating the need for parties to enter into BAAs with each other. Overhead is also cut if OHCA parties choose to issue a joint NPP and/or implement a streamlined authorization process with joint authorizations. OHCA parties can name one privacy officer and related contact information in the NPP, and can integrate staff response and related policies and procedures. Liability for violations should be addressed in the OHCA. HIPAA regulations do not address OHCA liability.