Navigating Due Diligence in Health Care Transactions: Sensitive Information and Pitfalls

Jurisdiction: United States, Federal
Author: Amy Joseph, Sandi Krul, and Ben Durie
Citation: Vol. 2015 No. 2
Publication year: 2015

- Sharing of protected health information should be restricted to the minimum necessary.
- Pre-transaction self-audits help get ahead of health care compliance issues that could derail or delay a deal.
- There is a fine line between acceptable due diligence information sharing and antitrust violations.

A critical element of any merger, acquisition, or other joint venture, regardless of industry, is due diligence. However, navigating the due diligence process in the course of a contemplated health care transaction can include potential pitfalls for the unwary that are unique to health care, including those stemming from patient privacy requirements, compliance with complex fraud and abuse laws, and heightened antitrust attention to health care transactions. Inherently, there is some tension between operational and legal issues prior to closing a transaction. The inclination from an operational perspective may be to share more information to facilitate a smoother transition post-close, but for legal reasons the sharing of sensitive information needs to be restricted, particularly in health care transactions. This article provides an overview of the considerations to keep in mind with respect to sharing sensitive information and related issues in the health care transaction due diligence process.

Patient Privacy Considerations

The parties to a health care transaction must be cognizant of restrictions on sharing patient information during due diligence, because federal and state laws strictly govern the circumstances under which such information can be used or disclosed.

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") applies to "covered entities," which is defined to include health care providers that engage in certain electronic transactions.1 Most health care providers are subject to HIPAA, unless operating on a cash-pay basis only. The HIPAA Privacy Rule2 requires appropriate safeguards to protect the privacy of patients' protected health information ("PHI") and sets limits on the uses and disclosures of PHI without patient authorization. At the same time, the HIPAA Privacy Rule is balanced to permit disclosure of PHI where needed for treatment and other important purposes.3 Similarly, California's Confidentiality of Medical Information Act ("CMIA")4 restricts the use and disclosure of "medical information."5 The CMIA casts a wider net, and applies to providers of health care, health care service plans, and contractors.6

Notably, the HIPAA Privacy Rule allows for the sharing of PHI in the course of the due diligence process. Covered entities are permitted to disclose PHI without patient consent for their own "health care operations,"7 which is defined to include:

Business management and general administrative activities of the entity, including, but not limited to: . . . sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity, and due diligence related to such activity.8

The CMIA does not have a corresponding section that explicitly permits the sharing of medical information for due diligence. However, the CMIA includes a catch-all provision, California Civil Code section 56.10(c)(14) ("section 56.10(c)(14)"), which provides that "information may be disclosed when the disclosure is otherwise specifically authorized by law . . . ." Pursuant to section 56.10(c)(14), health care providers subject to the CMIA can disclose medical information when authorized by HIPAA, unless another federal or state law prohibits such disclosure. Generally, this CMIA provision may be relied on to permit disclosure of medical information for due diligence. However, certain particularly sensitive information is subject to more stringent protection under federal and state laws, such as substance abuse information and certain mental health records.9 In such situations section 56.10(c)(14) would not apply, and the information should not be shared.

The fact that HIPAA and the CMIA generally permit the sharing of patient information during due diligence does not give a covered entity carte blanche to provide unfettered access. Rather, covered entities "must make reasonable efforts to limit [PHI] to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."10 The U.S. Department of Health and Human Services ("HHS") has explained that the minimum necessary rule is "based on sound current practice that [PHI] should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function."11

During the course of due diligence, health care providers and their counsel should take care to redact patient information to the extent feasible, unless the other party specifically needs a particular patient's information to conduct due diligence.12 For example, all patient names and any other patient identifiers referenced in payor correspondence should be redacted. And as referenced previously, health care providers and their counsel should also be aware that certain particularly sensitive patient information, such as some mental health records, may be subject to more stringent protection. The process of reviewing documents for patient information can be time consuming, since it requires manual review of every document that may contain patient information, determining to what extent (if any) the patient information is necessary for due diligence purposes, and then redacting accordingly. When there is any doubt as to whether patient information should be shared, the best course of action is to err on the side of patient privacy, as situations where the other side needs a particular patient's information to evaluate the deal are few and far between.

In addition, health care providers and their counsel should ensure that the non-disclosure agreement entered into between the parties specifically addresses the handling of patient information, in addition to more generally addressing the parameters by which the parties will handle sensitive information during negotiations and the due diligence process. In response to concerns regarding exchange of patient information where a transaction...
