
Treatment of HIPAA-Protected Information in Bankruptcy Acquisitions of Distressed Health Care Companies

Buyers of distressed companies typically prefer to conduct their acquisitions through bankruptcy. Various provisions of the Bankruptcy Code and Rules allow a buyer to acquire assets free and clear of a wide array of liabilities. By making previously undesirable and worthless companies valuable, the Bankruptcy Code maximizes value, maintains the distressed business as a going concern, and produces recoveries to creditors where none could previously exist.

Where the target of a bankruptcy acquisition is a distressed health care provider, however, great care is required in order to ensure compatibility of the bankruptcy acquisition model with the regulatory regime governing health care companies. Health care providers operate in a highly complex and highly regulated industry. The myriad federal and state statutes and regulations applicable to health care companies can often conflict, or even collide, with the unique rules that apply to the sale of companies in bankruptcy. One such area of conflict concerns the intersection of the Bankruptcy Code’s provisions governing sales under § 363 with HIPAA, a federal statute that, among other things, sets national standards for dealing with sensitive patient data.

HIPAA stands for the Health Insurance Portability and Accountability Act. Signed by President Clinton in 1996, the primary purposes of HIPAA are to: (1) ensure health insurance portability to employees changing jobs; (2) reduce health care fraud and abuse; (3) enforce standards for the electronic transmission of health care information; and (4) enhance the security and privacy of health information.

The provisions of HIPAA concerning the fourth and final purpose of the law — enhancing the security and privacy of health information — present unique problems in § 363 sales. There are two basic rules under HIPAA concerning the security and privacy of health information relevant to the acquisition of distressed health care entities. The Privacy Rule sets standards for when protected health information (PHI) may be used and disclosed. The Security Rule specifies safeguards and processes with which covered entities (providers, health plans and health care clearinghouses) must comply in order to protect and safeguard their PHI. In dealing with the Privacy Rule and Security Rule in a distressed health care acquisition, the rule of concern depends on the phase of the transaction.

At the diligence phase, the acquirer should be concerned about the provisions of the Privacy Rule prohibiting the disclosure of PHI. The Privacy Rule presents a conflict in § 363 sales because, as a general matter, a debtor seeking to sell its assets in bankruptcy must conduct an open and fair process in which all parties are entitled to conduct due diligence and participate in the sale process. While the openness of the sale process makes sense in most industries, it can be problematic where the target is a health care provider because a health care provider certainly has PHI protected by the Privacy Rule. In allowing potential buyers to conduct due diligence, the seller has to take care not to disclose PHI in a manner prohibited by the Privacy Rule. This creates a big problem for both the buyer and the seller, because PHI can include patient lists, payor information and other critical data that the buyer needs in order to assess the acquisition opportunity.

There are, however, mechanisms available to allow a robust due diligence process while also treating PHI in accordance with the Privacy Rule. First, the seller generally has a “notice of privacy practices” that it previously provided to the individual health care consumers whose PHI it holds. Ideally, that notice would have had a due diligence out that says the provider can share PHI on confidential terms in the context of an acquisition.

If there is no clear exception for disclosing PHI in the due diligence process in the seller’s notice of privacy practices, PHI must be handled under an exception to the Privacy Rule. While the Privacy Rule generally requires that PHI not be disclosed, under one exception to the Privacy Rule, a provider can disclose PHI without the patient’s permission “for purposes of treatment, payment, or health care operations.”[1]

The “health care operations” provision of this exception is critical. Under HIPAA, “health care operations” may include the sale, transfer, merger or consolidation of all or part of a covered entity (as defined under HIPAA) with all or part of another covered entity, or an entity that will become a covered entity upon the closing of the transaction.[2] It also includes due diligence with respect to the same.[3] By availing itself of this important exception to the Privacy Rule, the seller can provide PHI to potential bidders while remaining in compliance with HIPAA.

When the seller is disclosing its PHI in accordance with the health care operations exception to the Privacy Rule, it is important that bidders also be required to safeguard the PHI and not use it for an improper purpose in order to avoid running afoul of the rule. In a bankruptcy sale, the precise contours of how PHI will be treated should always be addressed in the Bid Procedures Order entered by the court and in each NDA executed by potential buyers. If the Bid Procedures Order and NDA directly address how PHI will be treated throughout the diligence process and impose mandatory obligations on all bidders who receive PHI with respect to how such information will be safeguarded in the diligence process, the seller can safely disclose PHI in accordance with the health care operations exception to the Privacy Rule.

The second rule under HIPAA governing PHI, the Security Rule, becomes a concern not at the due diligence phase but rather as the parties approach the actual closing of the acquisition. The Security Rule specifies safeguards and processes that covered entities must comply with in order to protect and safeguard PHI. For example, terminals providing access to PHI should not be left in unsecured hallways or without password protection.

A buyer should be concerned with the Security Rule because the main purpose of using § 363 to acquire the target is avoiding the assumption of liability as part of the sale, and a Security Rule violation can compromise that essential purpose. If the buyer is not already a covered entity to which the Security Rule applies, the buyer will become one once the transaction closes and the buyer takes possession of the seller’s PHI. If the buyer takes over the seller’s PHI under conditions in which the PHI is not being maintained in accordance with the Security Rule, the buyer may become liable for a HIPAA violation upon the closing of the sale, thus thwarting the “free and clear” purpose of the § 363 sale.

To avoid the unintentional assumption of this serious liability, the buyer should carefully review the seller’s processes and procedures regarding the maintenance and security of PHI prior to closing to ensure compliance with the Security Rule. The buyer should make any adjustments on or prior to the closing date necessary to ensure that, upon the closing and the transfer of the seller’s PHI to the buyer, the PHI is secured and maintained in a manner compliant with the Security Rule. Otherwise, the buyer will not be acquiring the PHI “free and clear”; it will be acquiring a significant HIPAA liability.

The provisions of the Bankruptcy Code and rules governing the acquisition of distressed companies through § 363 sales are not completely incompatible with the complex regulations governing health care companies. If due care and attention are given to reconciling these sometimes conflicting regimes, the value-maximizing magic of the Bankruptcy Code can apply in a distressed health care acquisition just as in any other transaction.



[1] 45 C.F.R. § 164.502(a) (emphasis added).

[2] Id., § 164.501.

[3] Id.

 
