OCR Settlement Underscores the Importance of HIPAA Privacy and Security Review in Transactional Due Diligence
On April 28, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) entered into a resolution agreement with Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories (Peachstate), in which Peachstate agreed to pay $25,000 to settle allegations of non-compliance with the HIPAA Rules. Notably, OCR's compliance review and findings arose from a breach that did not involve Peachstate at all.
The Veterans Health Administration (VHA) notified OCR in January 2015 of a breach of unsecured Protected Health Information (PHI) affecting over 7,000 patients participating in VHA’s telehealth program. The breach was caused by a security lapse in the public-facing website of AuthentiDate Holding Corporation (AuthentiDate), which was the VHA’s business associate and telehealth vendor.
Following its receipt of the breach notice, OCR began to review the business associate’s compliance with HIPAA. In the course of its review, OCR became aware that AuthentiDate acquired Peachstate through a merger in January 2016. OCR opened an additional compliance review of Peachstate and found several potential violations of the HIPAA Security Rule. These findings included failure to conduct a security risk analysis to determine threats to electronic PHI, absence of procedures to conduct appropriate information systems activity review, and lack of documented security policies.
In addition to paying the $25,000 settlement, Peachstate entered into a Corrective Action Plan (CAP), under which it agreed, among other things, to conduct a comprehensive security risk analysis and implement a risk management plan to address the risks identified.
Enforcement Against Business Associates
Business associates are directly liable for their own compliance with the HIPAA Rules, and OCR may pursue enforcement against them directly. Historically, however, OCR has brought relatively few enforcement actions against business associates and has focused more heavily on the compliance of covered entities.
HIPAA Compliance Risks Arising In Connection with Deal Activity
In this case, the breach of unsecured PHI that triggered OCR’s review occurred a full year before Peachstate was acquired by AuthentiDate. The settlement and CAP serve as a reminder to covered entities, business associates and other purchasers (for example, private equity funds) of the importance of performing meaningful HIPAA privacy and security due diligence activities, including understanding and assessing possible risks to the confidentiality, integrity and availability of PHI.
When conducting due diligence, buyers should thoroughly review a target's HIPAA compliance program, including the administrative, physical and technical safeguards in place to protect the confidentiality, integrity and availability of electronic PHI and to prevent unauthorized use or disclosure. If deficiencies are identified and remediation cannot feasibly be completed before the transaction closes, purchasers should consider documenting the proposed remediation steps and a timeline for implementing measures that reduce the known risks to a reasonable and appropriate level.