Tony Kong and Matt Sondag, September 2013
The importance of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is undeniable – protecting an individual’s personal health information is a vital responsibility for any organisation in the healthcare space. Doctors and hospitals (‘covered entities’ in HIPAA lingo) have been doing this for decades, building a trust level with patients. But, for service providers that work with healthcare providers and payers, and especially private equity firms that invest in companies that serve healthcare providers and payers, HIPAA is overwhelmingly complex and, quite frankly, intimidating.
The Center for Medicaid and Medicare Services (CMS) and Health and Human Services (HHS) established the overall policy and governance for HIPAA. According to CMS, a Covered Entity (CE) is: (i) a healthcare provider that conducts certain transactions in electronic form (such as claims transactions, electronic prescriptions and the electronic transmission of patient data); or (ii) a healthcare clearinghouse (an organisation that serves and processes EDI transactions, such as claims transactions, eligibility verification, claims status and remittance vouchers).
Providers and payers have been required to comply with HIPAA regulations since 1996, but in 2009 HIPAA compliance requirements were extended to organisations that are service providers to healthcare providers and payers (Covered Entities) as part of the American Recovery and Reinvestment Act’s (ARRA) electronic medical record (EMR) initiatives. This was done to provide additional security around patients’ Protected Health Information (PHI) as providers implement EMR systems.
Service providers to covered entities were mandated to sign Business Associate Agreements (BAAs) in 2009, making these companies liable under the same HIPAA compliance requirements, and subject to the same level of fines, as a covered entity.
HIPAA has been around for years: what’s changed?
In 2012, the HIPAA governing body, HHS, spent $12m to hire a consulting firm to conduct ‘pilot’ compliance audits with covered entities. A year later, the HHS tripled its spend to $40m to audit a larger number of covered entities and business associates. The fines for violations discovered during the audits range from $50,000 up to $1.5m.
During the 2012 audits, one of the most common violations was a lack of encryption on laptops, desktops, tablets and smartphones. Encryption is an addressable requirement, which means you must either implement it or document a good reason for not doing so and put an equivalent, alternative protection in place. It is a very low-cost item and straightforward to implement, but often ignored.
In one recent case, an employee’s mobile device was stolen in a bar, which triggered an investigation and led to an initial fine of $25,000 due to: (i) failure to have adequate HIPAA compliance policies and procedures as administrative safeguards; (ii) failure to complete HIPAA security training for their staff; (iii) failure to implement access controls as physical safeguards; and (iv) failure to encrypt the information on the device or have an equivalent protection.
However, follow-up audits showed that the organisation continued to be out of compliance, so the maximum fine of $1.5m was levied against it. These fines are real, and companies are feeling monetary pain.
Implement safeguards now to avoid costly penalties later
Private equity firms are, in a sense, two degrees removed from any patient interaction. And yet, if HIPAA isn’t top of mind, it can derail a deal or put your portfolio company in the red. So, how can private equity firms understand the intricacies of what constitutes protected health information, what safeguards need to be in place, and how to manage these controls on an ongoing basis? Without teams and compliance experts on staff, who takes ownership?
Smart private equity firms should implement simple safeguards to protect their investments, as outlined below.
Do your homework early. Conduct a thorough HIPAA due diligence and technical vulnerability scan analysis prior to a transaction to understand your target company’s HIPAA readiness in case of an audit. An initial investment in this readiness review can mitigate your risk and potential fines for gaps discovered during subsequent audits. Evaluate and select the right resources to address the administrative, physical and technical controls required and implement them effectively.
Put it in writing. Make sure that HIPAA compliance policies are documented and communicated effectively.
Get everyone on the same page. Conduct training with staff so they understand the importance of HIPAA compliance, as well as the severe penalties associated with non-compliance.
Lock up your devices. Implement access controls for all systems that contain PHI; this includes encrypting all devices in case of loss or theft. With the growth and remote use of mobile devices, tablets and laptops by employees, this is one of the biggest vulnerabilities for all companies regardless of size. In addition to ensuring these devices are encrypted, CIOs, at a minimum, must: (i) have written device security policies and procedures; (ii) hold annual device training sessions with all employees; and (iii) implement system tools and procedures to enforce compliance with these policies and procedures.
Through our work with clients and on M&A transactions, we have yet to encounter a single mid-market organisation that is fully confident it is ready for a random audit. The frequency of audits is increasing, as are the fines associated with violations, meaning that HIPAA/HITECH compliance continues to be a thorn in the side of many companies, especially those under $100m in revenue.
If you are evaluating a new deal or an existing portfolio company that is a business associate to covered entities, you should consider investing in a HIPAA readiness assessment and a technical vulnerability scan analysis.
This will determine the current state of the company’s HIPAA readiness, and serve as a preparatory exercise in the event of a random audit. Often, a readiness review acts as a catalyst for the company to spring into action and prioritize the work needed to address any gaps in administrative, physical and technical controls.