HIPAA and Reorganization and Sales in Health Care Bankruptcies

As any bankruptcy practitioner knows, laws other than the provisions of the Bankruptcy Code can significantly impact a debtor’s reorganization. Indeed, bankruptcy trustees and debtors-in-possession must conduct the debtor’s operations in accordance with applicable nonbankruptcy law.[1] It should come as no surprise, therefore, that laws regulating health care providers and insurers can significantly impact the reorganization of health care debtors. One such law is the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (hereafter, as so amended, “HIPAA”). This article addresses the impact of HIPAA on the reorganization of health care providers.

HIPAA Data Breaches and Bankruptcy

HIPAA’s impact on the reorganization of health care providers is likely to remain important as they continue to suffer data security breaches. The information protected by HIPAA (PHI) is even more valuable than easily replaceable credit card information and makes health care providers tempting targets for cyberattackers. Health care providers remain relatively unprepared to thwart cyberattacks. The explosion in the use of mobile electronic devices connected both to health care providers’ information systems and the internet by health care personnel in providing health care (e.g., smartphones, infusion pumps, defibrillators or pacemakers) has only increased the vulnerability of health care providers to cyberattacks.[2] Additionally, the actions of negligent,[3] poorly trained (e.g., the admissions clerk who clicks on a link and facilitates a phishing attack) or rogue[4] employees can result in an unauthorized use or disclosure of PHI.

Many participants in the health care industry have suffered well-publicized data-privacy and security breaches impacting substantial numbers of individuals. A cyberattack on Anthem Inc., the largest U.S. health insurer, impacted almost 80 million people and subsequently led to the largest HIPAA settlement payment ($16 million) to date.[5] The UCLA Health System also suffered a cyberattack, impacting 4.5 million people. Medical Informatics Engineering (MIE), a medical data-sharing and transmission-services provider, suffered a breach that impacted approximately 3.9 million people and triggered a coordinated lawsuit in 2018 by 12 state attorneys general asserting claims under, inter alia, HIPAA.

Significant HIPAA breaches can result in substantial civil monetary penalties, ranging up to a maximum of $50,000 per violation (with a cap of $1.5 million for identical violations during a calendar year) for violations resulting from willful neglect that remains uncorrected after discovery.[6] From 2015 through 2018, investigations of HIPAA-covered data breaches by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) netted almost $80 million in civil monetary penalties or (more commonly) settlement payments paid by HIPAA-covered entities such as health care providers, health plans and insurers, as well as their business associates.[7]

HIPAA breaches can significantly impact a health care provider’s reorganization. Indeed, the size of a HIPAA civil monetary penalty, a settlement payment in lieu of such a penalty or an adverse judgment in litigation could easily trigger a bankruptcy filing. The size of a health care provider’s HIPAA monetary liabilities, particularly when non-monetary compliance obligations are considered, could also preclude a reorganization in bankruptcy. Even if reorganization in bankruptcy were not precluded, moreover, non-monetary obligations related to a penalty or payment certainly could significantly impact the form of a reorganization.

HIPAA and Reorganization Strategy: 21st Century Oncology

Substantial HIPAA liabilities significantly impacted the debtors’ reorganization strategy in In re 21st Century Oncology Holdings Inc., et al.[8] Indeed, together with other health care laws, HIPAA took center stage in that case. 21st Century Oncology Inc. (21CO) suffered a cyberattack in 2015, resulting in the breach of the PHI of 2,213,597 patients. Following an investigation, the OCR concluded that 21CO had violated the HIPAA Privacy and Security Rules by failing to adequately protect PHI and by impermissibly disclosing PHI. OCR’s claims (collectively, “HIPAA Claims”) against 21CO exceeded $2.3 million.

Five months before 21CO’s bankruptcy filing in 2017, a data breach class action alleging that 21CO had failed to adequately secure PHI under its control was filed against 21CO.[9] Following 21CO’s bankruptcy filing, data breach claimants filed six class claims aggregating $123.2 million, as well as 180 individual claims (collectively, the “Data Breach Claims”). The size of the Data Breach Claims dwarfed the aggregate amount of other claims filed against 21CO and its co-debtors (collectively, the “21CO debtors”). The 21CO debtors sought the dismissal of the class claims and valuation of the individual claims at $0 for plan-confirmation purposes. In response, the plaintiffs in the class action cases sought class certification pursuant to Bankruptcy Rule 7023 or, alternatively, relief from the automatic stay to permit the pre-petition data-breach litigation to proceed. In sum, the 21CO debtors were facing substantial litigation concerning the Data Breach Claims that could significantly delay or even preclude their reorganization.

Resolution of the HIPAA and Data Breach Claims was crucial to the 21CO debtors’ successful reorganization. Such a resolution was, in fact, a condition to both the consummation of the 21CO debtors’ chapter 11 plan[10] and the obligation of third parties to backstop a rights offering for which the plan provided.[11] Resolution of the HIPAA Claims was also necessary to avoid the uncertainty of litigating issues that have not yet been tested in bankruptcy courts and to obtain significant concessions by OCR on the amount and payment of those claims that would ensure the 21CO debtors’ post-confirmation liquidity. Resolution of the Data Breach Claims was a necessary condition to a meaningful distribution on the claims of other unsecured creditors and required either a substantial reduction in the amount of those claims or the channeling of those claims to insurance proceeds. Resolution of the Data Breach Claims would also allow the 21CO debtors to avoid the risks and expense inherent in defending against a class action.

The HIPAA Claims were resolved by means of a resolution agreement and a two-year Corrective Action Plan (CAP).[12] The resolution fixed the 21CO debtors’ monetary liability at $2.3 million, with that amount to be paid directly by the 21CO debtors’ insurer. OCR agreed to release its pre-petition HIPAA Claims upon receipt of the $2.3 million payment and to release its post-petition HIPAA Claims upon 21CO’s satisfaction of its obligations under the CAP. Full satisfaction of the 21CO debtors’ obligations under the CAP will result in OCR’s waiver of any civil monetary penalty arising out of the HIPAA Claims. The CAP imposes several obligations on 21CO to ensure ongoing HIPAA compliance, including, inter alia, the (1) review of and revisions to HIPAA policies and procedures, (2) development of new policies and procedures where necessary, (3) development and implementation of a program to internally monitor its compliance with the CAP, (4) retention of an external assessor (at 21CO’s expense) to monitor 21CO’s compliance with the CAP (with the authority to make unannounced visits to the 21CO facilities), and (5) annual reporting requirements (with reports attested to by officers of 21CO).

Pursuant to the Data Breach Claim settlement, the holders of Data Breach Claims may litigate the Data Breach Claims, but may look only to certain insurance proceeds for recovery.[13] They agreed not to oppose confirmation of the 21CO debtors’ plan if the bankruptcy court approved the Data Breach Claim settlement.[14]

The HIPAA and Data Breach Claims settlements were approved by the bankruptcy court prior to the confirmation of the 21CO debtors’ plan[15] on Jan. 9, 2018.[16] 21st Century Oncology provides a vivid example of the challenges that significant HIPAA data-privacy and security-breach liabilities can present to the reorganization of a health care debtor. In 21st Century Oncology, those liabilities were, in fact, a significant trigger of the bankruptcy filing. It was clear that the HIPAA and Data Breach Claims had to be resolved if there was to be a reorganization. Luckily for the 21CO debtors, they had tools available for such a resolution, and the case stands as a guide for other health care debtors in the same or similar situations facing and resolving HIPAA liabilities in bankruptcy.

Medlab: The HIPAA Privacy Rule and Bankruptcy Sales

The § 363 sale of the business (or even just a business unit) of a health care debtor necessarily involves the sale or transfer of PHI to the purchaser. However, the HIPAA Privacy Rule[17] generally conditions the sale of PHI on the prior written authorization of each patient (or the patient’s personal representative) whose PHI is being sold.[18] Obviously, a blanket application of the provisions of the HIPAA Privacy Rule governing sales of PHI to the sale of a health care debtor (or even a unit or division of the debtor) would effectively preclude such sales, given the practical impossibility of obtaining authorizations from all of the patients of either a health care provider or one of its divisions or business units.

To facilitate the sales of covered entities, the HIPAA Privacy Rule excludes from the definition of “sale” the disclosure of PHI “[f]or the sale, transfer, merger, or consolidation of all or part of a covered entity and for related due diligence as described in ... the definition of health care operations” contained in the HIPAA Privacy Rule.[19] For purposes of the HIPAA Privacy Rule, “health care operations” includes “[t]he sale, transfer, merger or consolidation of all or part of the covered entity with another covered entity, or with an entity that following such activity will become a covered entity and the due diligence related to such activity.”[20] The HIPAA Privacy Rule, therefore, facilitates “reorganizations” by sale and, therefore, the consolidation of health care debtors with other entities. However, this facilitation is subject to limitations.

Laboratory Partners Inc. and several subsidiaries (collectively, “MedLab”) filed chapter 11 petitions on Oct. 25, 2013.[21] At that time, MedLab had provided clinical laboratory and anatomic pathology services to, inter alia, a number of skilled nursing facilities (MedLab’s “Long-Term Care Division”). As health care providers, some or all of the MedLab debtors constitute “covered entities” for purposes of HIPAA and the HIPAA Privacy Rule.[22] MedLab proposed to “reorganize,” in part by selling its Long-Term Care Division.[23] To that end, MedLab filed a motion for authority to, inter alia, sell its Long-Term Care Division (the “MedLab Sale Motion”).[24] MedLab acknowledged that, although several potential buyers had expressed interest in purchasing the Long-Term Care Division, none of them agreed to be a stalking-horse bidder.[25] Thus, the sale motion proposed to sell the Long-Term Care Division at auction.

The proposed form of asset-purchase agreement attached to the sale motion provided for the sale of, inter alia, “all customer lists, ... mailing lists, [and] quality control records” related to the Long-Term Care Division.[26] It is beyond dispute that the customer lists and the mailing lists contained PHI. On Dec. 18, 2013, HHS filed a protective objection to the proposed auction sale.[27] HHS objected to what it characterized as “an authorized sale of their customer’s [PHI] that violates federal law.”[28] HHS specifically objected to the sale of customer lists, which, according to HHS, “almost certainly contain[ed] [PHI].”[29] HHS surmised (no doubt correctly) that MedLab had not obtained authorizations from all patients of the Long-Term Care Division before filing the sale motion.[30] HHS’s primary concern arose out of MedLab’s failure to identify a purchaser of the Long-Term Care Division.[31] HHS acknowledged that if the Long-Term Care Division were to be sold to a covered entity, HIPAA and the HIPAA Privacy Rule would likely permit the sale of the customer lists.[32] Absent an identified purchaser, however, MedLab could not, as of Dec. 18, 2013, provide HHS the assurance it sought that the purchaser of the Long-Term Care Division would be a covered entity.

The hearing on the sale of the Long-Term Care Division was adjourned without a date, and ultimately HHS’s objection to the sale was resolved. Nevertheless, HHS’s objection to the sale of the Long-Term Care Division raises questions concerning the potential impact of the HIPAA Privacy Rule on bankruptcy sales. The provisions of the HIPAA Privacy Rule, including the provisions governing sales, are complex. They lend themselves to careful parsing by creative counsel. In that regard, HHS’s interpretation of the sale provisions of the HIPAA Privacy Rule seems to require an identified stalking-horse bidder that is, or will become, a covered entity as a result of the purchase of all or a portion of a debtor’s “covered entity.” Such an interpretation effectively precludes straight auction sales in bankruptcy of all or a portion of a “covered entity,” such as the sale contemplated in the MedLab sale motion, where the identity of the purchaser cannot be known until a successful bid has been made.[33]

The crucial goals of HIPAA and the HIPAA Privacy Rule, however, can be achieved in straight auction sales without resorting to a hyperliteral reading of the definition of “sale” in the HIPAA Privacy Rule. Health care debtors should simply include in the bidding procedures for the sale a requirement that any bidder either be a covered entity or become one as a result of the sale. The bidding procedures should also obligate any bidder receiving PHI in connection with pre-auction due diligence to comply with all relevant obligations undertaken by a business associate under a business associate agreement, and should, at the very least, expressly (1) require the bidder to protect the privacy and security of any PHI as required by HIPAA and the HIPAA Privacy and Security Rules, (2) prohibit any use or disclosure of PHI obtained from the debtor in connection with pre-sale due diligence for any purpose other than conducting due diligence, (3) prohibit the bidder from disclosing PHI to a subcontractor retained to assist in due diligence until that subcontractor has agreed in writing to comply with the obligations of a business associate under a business associate agreement with which the bidder itself has agreed to comply in connection with the PHI disclosed, and (4) obligate bidders who do not become successful bidders to return or destroy the PHI as required by HIPAA and the HIPAA Privacy and Security Rules. Objections should be lodged toward bidding procedures that do not contain such requirements.

In addition to including the foregoing provisions in the bidding procedures, the debtor (or a bankruptcy trustee if one has been appointed) should require bidders to execute confidentiality or nondisclosure agreements imposing on the bidder the applicable obligations of a business associate under a business associate agreement, including, at the very least, those set forth above, as a condition to receiving PHI in connection with due diligence. In all circumstances, health care debtors should limit the disclosure of PHI to a bidder to the minimum amount necessary to conduct due diligence. If the foregoing recommendations are implemented, bankruptcy can remain a useful tool for transferring health care businesses to more viable owners while still ensuring that the crucial policies underlying HIPAA and the HIPAA Privacy Rule are effectuated. In sum, HIPAA and the HIPAA Privacy Rule need not stand in the way of the sale, merger or consolidation of the debtor.

Conclusion

Particularly if the debtor has suffered a HIPAA data-privacy and security breach, the privacy and security requirements of HIPAA can pose challenges to a health care reorganization. Cyberattacks on health care entities are not likely to abate in the near future, and health care providers are still not fully prepared for these attacks. For that reason, HIPAA will likely increasingly impact health care reorganizations. However, 21st Century Oncology and MedLab demonstrate some of the tools that are available to meet HIPAA’s challenges to a health care debtor’s reorganization.



[1] 28 U.S.C. § 959(b).

[2] See www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm (cardiac pacemakers manufactured by St. Jude Medical, which could be monitored and controlled over the internet, were found by the FDA to be vulnerable to cybersecurity intrusions or exploits).

[3] See, e.g., www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/semc/index.html (a well-meaning but misguided attempt by resident physicians to improve health care at a hospital via an internet file-sharing site, exposing PHI to unauthorized viewers).

[4] See, e.g., Snell, Elizabeth, “Healthcare Data Breach Leads to Identity Theft Guilty Plea,” Health IT Security: Patient Privacy Security News (March 30, 2018), at healthitsecurity.com/news/healthcare-data-breach-leads-to-identity-theft-guilty-plea (PHI stolen as part of an identity theft racket).

[5] Anthem also agreed to pay $115 million to resolve civil litigation arising from the breach. See Pierson, Brendan, “Anthem to Pay Record $115 Million to Settle US Lawsuits Over Data Breach,” Reuters (June 23, 2017), at www.reuters.com/article/us-anthem-cyber-settlement/anthem-to-pay-record….

[6] See 45 CFR § 160.404(b) (setting out the tiered HIPAA civil monetary penalty schedule).

[7] Compliancy Group, “HIPAA Fines Listed by Year,” (March 2018), at compliancy-group.com/hipaa-fines-directory-year/ (retrieved on June 1, 2018) ($52,691,000 in civil monetary penalties or settlements as of March 2018). The $16 million Anthem settlement payment increased that amount to just under $79 million. See also 45 CFR §§ 160.103, 164.104(b) (defining “covered entities” and “business associates”).

[8] (Bankr. S.D.N.Y. Case No. 17-22770 (RDD)).

[9] HIPAA does not provide a private cause of action. However, HIPAA violations can provide the factual basis of a claim under data privacy and security laws that do provide private causes of action.

[10] In re 21st Century Oncology Holdings, Inc., et al. (Bankr. S.D.N.Y. Case No. 17-22770 (RDD)) ECF Docket No. 915-1, §9.1(q)).

[11] Id., ECF Docket No. 434, §8.1(t).

[12] Id., ECF Docket No. 825-1, pp. 5-19. See https://www.hhs.gov/sites/default/files/21co-ra_cap.pdf for the Resolution Agreement and CAP.

[13] In re 21st Century Oncology Holdings Inc., et al. (Bankr. S.D.N.Y. Case No. 17-22770 (RDD)), ECF Docket No. 753.

[14] Id.

[15] Id., ECF Docket Nos. 823 and 824.

[16] Id., ECF Docket No. 915.

[17] 45 C.F.R. §§ 164.500, et seq.

[18] 45 CFR § 164.508(a)(4).

[19] 45 CFR § 164.502(a)(5)(ii)(A)(2)(iv) (emphasis added).

[20] 45 CFR § 164.501 (paragraph (6)(iv) of the definition of “health care operations”).

[21] In re Laboratory Partners Inc., et al., U.S.B.C. D. Del. Case No. 13-12769-PJW.

[22] See the definition of “covered entity” contained in 45 CFR § 160.403.

[23] Id., ECF Docket No. 46, ¶ 6.

[24] Id., ECF Docket No. 46.

[25] Id., ¶ 6.

[26] In re Laboratory Partners Inc., et al., USBC D. Del. Case No. 13-12769-PJW ECF No. 46, Exh. B, ¶ 1.1(f).

[27] Id., ECF Docket No. 216.

[28] Id., p. 2.

[29] Id., p. 3.

[30] Id., p. 4.

[31] Id.

[32] Id.

[33] See 45 CFR § 164.502(a)(5)(ii)(A)(2)(iv) and 45 CFR § 164.501 (paragraph (6)(iv) of the definition of “health care operations”) cited above, which clearly contemplate the sale or merger of a specifically identified covered entity with another specifically identified covered entity in a transaction that, it is contemplated, will close.