Health Information Highlight

Welcome back to our three-part series examining ways to efficiently identify, address and mitigate gaps in HIPAA compliance in transaction diligence. In Part I of this series, we discussed four key diligence questions upon which buyers should focus their efforts in a transaction. Here, we review considerations related to storage of and access to diligence materials, particularly in the context of using a data room or other cloud-based server.

For an online or virtual data room administrator, opening access to an inquiring stakeholder, valuator, or reviewer party to an acquisition target company’s documentation may be as simple as a few clicks and perhaps an email or two. However, if any document contains personal or identifiable health information, a number of privacy and data protection regulations may deem access to such information by an unauthorized party to be a violation. In the case of disclosure of protected health information (PHI) in a healthcare transaction, HIPAA may impose significant penalties on target providers posting the PHI and the unauthorized parties accessing the PHI alike.

There are a number of ways to minimize the risk of inadvertent unauthorized disclosure:

1. Consider Restricted Access. The uploading party can restrict the access of unauthorized parties to uploaded PHI by either (a) preparing separate data rooms with PHI for authorized parties and with no PHI for unauthorized parties, or (b) if the data room’s user features permit, restricting access to unauthorized parties to certain documents or folders which may contain PHI. Prior to permitting or restricting access, a covered entity uploading its data should review and categorize its relationship with each accessing party for HIPAA purposes. All parties accessing data should enter into and be bound by certain confidentiality provisions relative to the data, which may include putting into place a Business Associate Agreement (BAA).

2. Remove Patient Identifiers. Alternatively, prior to uploading any data into the room, ensure that the uploading party scrubs all data and financials of any patient identifiers and only uploads “clean” versions of documents. The uploading party could also elect to provide “model” contracts rather than contracts which might disclose PHI. With respect to provider financial data, which may have patient detail containing PHI identifying a patient, this process may be a particularly time-consuming investment in resources.  Regardless, the up-front investment in cleaning data prior to uploading would reduce the risk of disclosing any actual PHI.

3. Secure Data Rooms. Choose a secure data room provider which complies with data protection laws. Services such as popular file-sharing applications may be exceedingly simple to set up, share, and have no costs, however, many such cloud providers may not have appropriate security or data protection measures in place and may increase the risk of unauthorized access.

Stay tuned for Part Three where we will examine HIPAA risk mitigation strategies.