Health Information Highlight

Welcome back to our three-part series examining ways to efficiently identify, address and mitigate gaps in HIPAA compliance in transaction diligence. In Part I, we discussed four key diligence questions upon which buyers should focus their efforts in a transaction. In Part II, we reviewed considerations related to storage of and access to diligence materials, particularly in the context of using a data room or other cloud-based server. Here, we address potential risk mitigation strategies when HIPAA issues are identified in the course of diligence.

It is not unusual to identify gaps or deficiencies in HIPAA compliance during the diligence process. These deficiencies can range from a lack of robust policies, procedures and employee training to inappropriate use of texting and cloud storage or failure to conduct a required security risk assessment. Several years ago when HIPAA enforcement risk was more of a secondary concern, many buyers did not take a proactive approach to remediation and assumed these areas could be addressed in the ordinary course. Given the uptick in enforcement against both covered entities and business associates and ever-increasing fines, it is important to take a proactive approach to quickly address compliance gaps. When a buyer encounters compliance gaps, there are various ways to mitigate this risk, several of which are discussed below:

  1. Require Compliance Actions as a Pre- or Post-Close Condition. Depending on the level of risk and exposure, buyers should consider whether addressing compliance gaps should begin prior to closing. In other instances, it may be reasonable to address compliance post-close; however, it is important to ensure that any post-close compliance is completed within a specified time, such as 30, 60, 90 or 120 days post-close.
  2. Indemnification, Escrows & Representation and Warrantee Insurance. Buyers should consider whether it is appropriate to obtain specific indemnification or escrow of funds to cover potential HIPAA non-compliance. When negotiating indemnification provisions, a buyer should consider applicable dollar caps, floors and the survival period to ensure appropriate coverage for potential future liability.
  3. Ongoing Settlements. If the seller is involved in any government or third party investigation or settlement negotiation related to HIPAA compliance, buyers should consider obtaining a waiver of liabilities and rights from the government or third party prior to close. Buyers should also ensure that the indemnification provisions from the seller are modified so as to adequately protect the buyer from undue risk or exposure.

With the continued risk of HIPAA enforcement, privacy and security diligence should not be a “check the box” activity. Buyers should fully understand the scope of potential risk in the early stages of transaction diligence, take steps to adequately mitigate that risk and understand the cost of protecting the target’s greatest assets.